
Which license do I need to send events from KSC to SIEM? [moved]

  • 11 April 2019
  • 8 replies
  • 161 views

Hello all,

I have Kaspersky Security Center 10 installed with a Total Security for Business license (Trial), but it doesn't send any events to my SIEM. My scenario is the same as described in this thread: KASPERSKY EVENTS TO SIEM IBM QRADAR, and the thread linked from there, except that I have a different license (same setup, same event message).

I thought this license I have encompassed all features. If not, which license do I need to send events to SIEM from KSC? Is there a different trial license that I can use to test this feature?

Thanks in advance.


Userlevel 5
Badge +1
Hi @novak, and welcome to the new Kaspersky Community.
This is not an issue for you, so you just need to do some new settings setup.
Take a look at this Kaspersky online tutorial.
https://support.kaspersky.com/us/9284
Thank you.
Thanks @KarDip.

I compared my setup with the online tutorial, and everything seems OK (see below). I'm using Apache Metron as the SIEM, and I have Apache NiFi listening on port 9122 and set up to send these events to my SIEM, but KSC doesn't even connect to it. I tested it with netcat to make sure, but no data arrives. KSC shows me an event just like the one in the article I linked (but in Portuguese, screencap below). For completeness, my licenses are also pictured below.

Is there anything else I can check on my setup to diagnose the issue?

Userlevel 5
Badge +1
Okay @novak sorry about that.
Take a look at the URL below.
https://help.kaspersky.com/KSC/EventExport/en-US/142068.htm
Thank you.
Userlevel 5
Badge +1
Okay @novak this might be helpful also.
https://help.kaspersky.com/KSC/SP3/en-US/89277.htm
Thank you.
Badge
You should also check the KES policy (events section). On every event, you can decide where to send it to (also SIEM -> this is not enabled by default).
Hello,

We added a new license with Advanced European Edition, but we are still getting the error:

Cannot start sending events to the SIEM system. Functionality in limited mode. Area: System Management.

Do we need to do something else?
Did you enter the Kaspersky Security Center license in the properties of your KSC?
Yes that was the issue, figured it out.

Thanks
