Hello,
I'd like to monitor the logs of Kaspersky Security Center with Splunk. I found that I should add this to inputs.conf on the forwarders:
[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = kaspersky
renderXml = false
I do this and restart the forwarder service, but after doing this the forwarder is stopped!
Can anyone help me monitor the Kaspersky logs?
Thank you very much
But do these mappings parse the data so that it populates in ES?
A few more questions/comments to help pinpoint where things are going wrong:
Note that if you set it to autostart (delayed) it can take several minutes to actually start, so don't be in a hurry.
You can start by reading the splunkd.log files on your forwarders; they can be found in the $SPLUNK_HOME/var/log/splunk folder. This log is usually very helpful.
I figured it out. The solution is to add a section and stanza in the inputs.conf file on UF-end.
# Header must be WinEventLog://<channel name exactly as shown in Event Viewer>;
# "WinEventLogs: ..." is parsed as a generic stanza, so start_from is rejected there.
[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
Then, restart the SplunkForwarder Service.
Hello,
Thank you for your response. I added these lines without any result. You will find the error message below:
Invalid key in stanza [WinEventLogs: Kaspersky Event Logs] in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf, line 6: start_from (value: oldest)
Do you have any idea how to solve this issue?
Thank you for your response. You will find the answers to your questions below:
local user or domain user? local user
Does the service start fine when you manually try it after a reboot? yes
Does this problem come only if I add the Kaspersky instructions in inputs.conf?
When I delete these lines the Splunk universal forwarder continues to work fine!
Maybe I made a mistake in the inputs.conf for Kaspersky:
[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = kaspersky
renderXml = false
Please correct these lines if there is a mistake, or tell me how I can monitor the Kaspersky logs.
Is the only way to index Kaspersky logs to add these lines in inputs.conf?
Thank you !
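The error quoted above is splunkd refusing a Windows Event Log setting (start_from) inside a stanza whose header is not of the form [WinEventLog://<channel>]. As an added example that is not part of this thread or of Splunk's own tooling, here is a small Python linter that reproduces that check offline, so the stanza can be validated before the forwarder is restarted. The two sample stanzas are constructed from the ones posted in the thread; the list of event-log-only keys is the set I am confident splunkd accepts only under WinEventLog:// stanzas, and the channel name "Kaspersky Event Log" is taken from the original post, not verified here.

```python
"""Lint a Splunk inputs.conf fragment for the WinEventLog stanza mistake seen in this thread."""
import re
from typing import Dict, List, Tuple

# Settings that splunkd accepts only inside a Windows Event Log input stanza,
# i.e. one whose header is [WinEventLog://<channel name>]. Placed in any other
# stanza they trigger "Invalid key in stanza ..." in splunkd.log (the message
# quoted in the thread). Assumed list, not exhaustive.
WINEVENTLOG_ONLY_KEYS = {
    "start_from", "current_only", "checkpointInterval",
    "renderXml", "evt_resolve_ad_obj", "evt_dc_name", "evt_dns_name",
}

STANZA_RE = re.compile(r"^\[(.*)\]$")
WINEVENTLOG_HEADER_RE = re.compile(r"^WinEventLog://(.*)$")


def parse_inputs_conf(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Minimal .conf parser: ordered list of (stanza name, {key: value}).

    '#' comment lines and blank lines are ignored; keys that appear before
    any stanza header are collected under the implicit "default" stanza.
    """
    stanzas: List[Tuple[str, Dict[str, str]]] = [("default", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            stanzas.append((header.group(1), {}))
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas


def lint_inputs_conf(text: str) -> List[str]:
    """Return human-readable problems; an empty list means nothing was found."""
    problems: List[str] = []
    for name, settings in parse_inputs_conf(text):
        header = WINEVENTLOG_HEADER_RE.match(name)
        is_wineventlog = header is not None
        # Rule 1: a header that clearly means a Windows Event Log input but is
        # not spelled WinEventLog://<channel> (e.g. "WinEventLogs: X") is read
        # as a generic stanza, so none of the event-log settings apply to it.
        if not is_wineventlog and "wineventlog" in name.lower():
            problems.append(
                f"malformed stanza header [{name}]: expected [WinEventLog://<channel name>]")
        # Rule 2: event-log-only keys outside a WinEventLog stanza are rejected by splunkd.
        for key in settings:
            if key in WINEVENTLOG_ONLY_KEYS and not is_wineventlog:
                problems.append(f"Invalid key in stanza [{name}]: {key}")
        # Rule 3: a WinEventLog stanza still needs a channel name after the //.
        if is_wineventlog and not header.group(1).strip():
            problems.append(f"stanza [{name}]: missing event log channel name")
        # Rule 4: disabled must be a boolean-style value.
        disabled = settings.get("disabled")
        if disabled is not None and disabled.lower() not in {"0", "1", "true", "false"}:
            problems.append(f"stanza [{name}]: disabled must be 0/1/true/false, got {disabled!r}")
    return problems


# Constructed samples: the header the thread's error message complains about,
# and the form splunkd accepts (the original poster's stanza).
BROKEN_STANZA = """
[WinEventLogs: Kaspersky Event Logs]
disabled = 0
start_from = oldest
"""

GOOD_STANZA = """
[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = kaspersky
renderXml = false
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_STANZA), ("good", GOOD_STANZA)):
        print(label, lint_inputs_conf(conf) or ["ok"])
```

The linter only catches syntax-level mistakes. It cannot tell you whether the channel actually exists on the host (check that in Event Viewer or with `Get-WinEvent -ListLog "Kaspersky Event Log"`), whether the `kaspersky` index exists on the indexer, or how splunkd merged your files; for the last one, `splunk btool inputs list --debug` on the forwarder shows the effective configuration and which file each setting came from.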