topic Re: Indexing Kaspersky Logs in Getting Data In

Indexing Kaspersky Logs

miteshvohra — Tue, 06 Nov 2012 09:27:48 GMT

Need help to monitor event logs from Kaspersky Security Centre in #Splunk. Merely pointing forwarder to collect Windows Logs on the Kaspersky Server doesn't help.

Please suggest.

Cheers, Mitesh Vohra.

Re: Indexing Kaspersky Logs

klychnikov — Tue, 06 Nov 2012 12:55:57 GMT

Kaspersky stores data in ms sql. From there, you can take data.

Re: Indexing Kaspersky Logs

miteshvohra — Tue, 06 Nov 2012 13:02:31 GMT

Kaspersky uses MS-SQL / MySQL to store config, Kaspersky products checked into the console and endpoints enrolled as part of teh deployment.

I am looking at ways to monitor logs generated by Kaspersky's Management Console which is stored in Windows Event Log format but is shown separately in the Event Viewer.

klychnikov: Thanks for your time.

Re: Indexing Kaspersky Logs

klychnikov — Tue, 06 Nov 2012 13:22:28 GMT

События хранятся тоже в базе. Лучше использовать базу данных для получения данных

Re: Indexing Kaspersky Logs

klychnikov — Tue, 06 Nov 2012 13:23:05 GMT

Events are stored also in the database. Better to use a database to retrieve the data

Re: Indexing Kaspersky Logs

miteshvohra — Wed, 07 Nov 2012 03:47:54 GMT

Will check and update the post. Thanks for the pointer.

Re: Indexing Kaspersky Logs

miteshvohra — Wed, 07 Nov 2012 05:00:32 GMT

No. Database does not have any Kaspersky's own service-related, connectivity and other events.

"Kaspersky Event Log" is a separate stream of events under "Application and Service Logs" in Windows Event Viewer.

Re: Indexing Kaspersky Logs

miteshvohra — Sat, 10 Nov 2012 01:57:03 GMT

I figured it out. The solution is to add a section and stanza in the inputs.conf file on UF-end.

[WinEventLogs: Kaspersky Event Logs]
disabled = 0
start_from = oldest

Then, restart the SplunkForwarder Service.

Cheers. Mitesh.

Re: Indexing Kaspersky Logs

jeandez — Tue, 18 Mar 2014 10:26:20 GMT

hello !! i need help,

i created an index which contains a csv based kaspersky log file. I want Enterprise Security to understand this file, and use it for correlation.
I don't know how to do it .
Could you help me ??

thx..

Re: Indexing Kaspersky Logs

btiggemann — Fri, 19 Dec 2014 19:15:06 GMT

I also need to know that 😞

Re: Indexing Kaspersky Logs

dolejh76 — Mon, 28 Sep 2020 18:29:57 GMT

Accept the answer above with one exception.... It is not plural and I specified a specific index on my stanza

[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = kaspersky
renderXml = false

Re: Indexing Kaspersky Logs

MinaMina — Thu, 30 Apr 2015 14:33:07 GMT

Did you find how to put it in entreprise security without creating a new add-on ?

Re: Indexing Kaspersky Logs

nychawk — Thu, 20 Aug 2015 15:11:56 GMT

Hello All;

In reading this thread, I am not clear as to the best way to index kaspersky data, ms-sql (presumably using DBConnect), or through Universal Forwarder, using the inputs.conf provided by dolejh76.

In searching SplunkBase for "kaspersky", I am redirected to the VirusTotal app, which lacks any documentation.

Also, has anyone written any queries to put together reporting, and/or alerts?

Thank you,

-mi

Re: Indexing Kaspersky Logs

dolejh76 — Thu, 20 Aug 2015 16:41:57 GMT

Its been a while since I looked at this but if I remember right you have to make sure that Kaspersky is logging its events to the windows event log. From there you just grab that data and push it to its own index.. As for pulling directly from the database - no we did not do that.

Thanks
John

Re: Indexing Kaspersky Logs

dolejh76 — Thu, 20 Aug 2015 16:45:08 GMT

I just looked at our Kaspersky index - unfortunately it looks like it is just events ON the actual Kaspersky server. We are not at this point getting any alerts from kas events on other computers. On my list to do - just a low priority since we currently get alerts directly from Kaspersky. I would however like to pull this into Splunk.

Thanks
John

Re: Indexing Kaspersky Logs

nychawk — Thu, 20 Aug 2015 16:51:29 GMT

Thanks John;

Do you have any information at all on the DB, tables, fields, etc?

Unless there is a working option for logging Kaspersky files, I'd like to try this approach; I would be surprised to believe I am the first.

Please share your findings, I will do the same.

Regards,

-mike

Re: Indexing Kaspersky Logs

vince2010091 — Wed, 20 Jan 2016 14:35:24 GMT

So the best solution is to use DB Connect ?

Re: Indexing Kaspersky Logs

miteshvohra — Sat, 01 Oct 2016 05:23:02 GMT

The new version of Kaspersky Security Center 10.3.x can send the fresh (as well as historical data available in backend DB) to Splunk in CEF format. Just provide the IP address and port number of Splunk Indexer.

Run the Console.
Expand the node Reports and notifications → Events.
Select Properties in the context menu.
On the Exporting events tab, select the check box Automatically export events to SIEM system database.
Select Splunk from the drop-down list and specify the address of your SIEM server.
Click OK.

Hope this helps.

Regards, Mitesh.

Re: Indexing Kaspersky Logs

rimvydukas — Fri, 31 Mar 2017 10:17:56 GMT

And what must be configured on Splunk's side for it to accept Kaspersky events???

Re: Indexing Kaspersky Logs

miteshp250283 — Fri, 19 May 2017 12:55:17 GMT

Well the documentation does not mention any particular setting on Splunk side. The local support folks do not have sufficient knowledge of any of the 4 options (Syslog, ArcSight, Qradar & Splunk) present in the latest Kaspersky Security Console.

I have setup KSC and Splunk on AWS to try this out. Running out of trial license since I am not able to give full time to the setup.

Will rebuild another instance if the problem statement is still open and anyone is interested in the solution.