How do I index Kaspersky Security Center logs in Splunk?

Rimah
Engager

Hello,

I'd like to monitor the logs of Kaspersky Security Center with Splunk. I found that I should add the following to inputs.conf on the forwarders:

[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = kaspersky
renderXml = false

I do this and restart the forwarder service, but after doing this, the forwarder is stopped!

Can anyone help me to monitor the logs of Kaspersky?

Thank you very much

0 Karma

MTD
New Member

But do these mappings parse the data so that it populates in ES?

0 Karma

fdi01
Motivator

A few more questions/comments to help pinpoint where things are going wrong:

  • Is it a local user or domain user?
  • Does the service start fine when you manually try it after a reboot?
  • Set it to autostart (delayed) instead of just autostart and see if it works then.
  • Try setting it temporarily to use the local SYSTEM login and see if that works.

Note that if you set it to autostart(delayed) it can take several minutes to actually start, so don't be in a hurry.

After that, you can start by reading the splunkd.log files on your forwarders; they can be found in the $SPLUNK_HOME/var/log/splunk folder. This log is usually very helpful.

I figured it out. The solution is to add a section and stanza in the inputs.conf file on UF-end.

[WinEventLogs: Kaspersky Event Logs]
disabled = 0
start_from = oldest

Then, restart the SplunkForwarder Service.

0 Karma

Rimah
Engager

Hello,

Thank you for your response. I added these lines without any result. You will find the error message below:

Invalid key in stanza [WinEventLogs: Kaspersky Event Logs] in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf, line 6: start_from (value: oldest)

Do you have any idea how to solve this issue?

0 Karma

Rimah
Engager

Thank you for your response; you will find the answers to your questions below:

Local user or domain user? Local user.
Does the service start fine when you manually try it after a reboot? Yes.

This problem comes only when I add the Kaspersky instructions to inputs.conf.
When I delete these lines, the Splunk universal forwarder continues to work fine!

Maybe I made a mistake in the inputs.conf for Kaspersky:
[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = kaspersky
renderXml = false

Please correct these lines if there is a mistake, or tell me how I can monitor the logs of Kaspersky.
Is adding these lines to inputs.conf the only way to index Kaspersky logs?
Thank you!

0 Karma

fdi01
Motivator

I figured it out. The solution is to add a section and stanza in the inputs.conf file on UF-end.

[WinEventLogs: Kaspersky Event Logs]
disabled = 0
start_from = oldest

Then, restart the SplunkForwarder Service.

0 Karma
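The error quoted above flags start_from, which is a valid WinEventLog setting, so what the forwarder rejected is the stanza header: a Windows event log input must be declared as [WinEventLog://<channel name>], which is the form the original question used. The checker below is an added example written for this thread, not Splunk's own tooling. It parses an inputs.conf, flags headers that only resemble a WinEventLog stanza, and checks keys and values against an assumed subset of the WinEventLog settings from inputs.conf.spec (the subset covers the stanzas in this thread, not every documented setting). The three sample stanzas are constructed copies of the thread's text plus one with deliberate typos.

```python
"""Check WinEventLog stanzas in a Splunk inputs.conf before restarting the forwarder.

Added example for this thread, not Splunk's own tooling. The allowed keys and
value rules are an assumed subset of the WinEventLog settings in inputs.conf.spec.
"""
import configparser
import re
import sys

# Assumed subset of settings accepted under a [WinEventLog://<channel>] stanza.
WINEVENTLOG_KEYS = {
    "disabled", "start_from", "current_only", "checkpointInterval", "index",
    "renderXml", "whitelist", "blacklist", "evt_resolve_ad_obj",
    "sourcetype", "source", "host",
}

# Value checks for the settings that appear in the thread (assumed rules).
VALUE_RULES = {
    "disabled": lambda v: v.lower() in {"0", "1", "true", "false"},
    "start_from": lambda v: v.lower() in {"oldest", "newest"},
    "current_only": lambda v: v in {"0", "1"},
    "checkpointInterval": lambda v: v.isdigit() and int(v) > 0,
    "renderXml": lambda v: v.lower() in {"0", "1", "true", "false"},
}

# The only header shape that declares a Windows event log input.
STANZA_RE = re.compile(r"^WinEventLog://(?P<channel>.+)$")


def check_inputs_conf(text: str) -> list[str]:
    """Return human-readable problems; an empty list means nothing was flagged."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # preserve key case (checkpointInterval, renderXml)
    parser.read_string(text)
    problems: list[str] = []
    for stanza in parser.sections():
        match = STANZA_RE.match(stanza)
        if match is None:
            # A header that merely resembles a WinEventLog stanza is the mistake
            # behind the "Invalid key in stanza" error quoted in the thread.
            if stanza.lower().startswith("wineventlog"):
                problems.append(
                    f"[{stanza}]: header is not of the form [WinEventLog://<channel name>]"
                )
            continue
        if not match.group("channel").strip():
            problems.append(f"[{stanza}]: empty channel name")
        for key, value in parser.items(stanza):
            if key not in WINEVENTLOG_KEYS:
                problems.append(f"[{stanza}]: invalid key {key} (value: {value})")
            elif key in VALUE_RULES and not VALUE_RULES[key](value):
                problems.append(f"[{stanza}]: bad value for {key}: {value}")
    return problems


# Constructed copy of the stanza from the original question.
SAMPLE_ASKER = """
[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = kaspersky
renderXml = false
"""

# Constructed copy of the stanza from the reply that produced the error.
SAMPLE_REPLY = """
[WinEventLogs: Kaspersky Event Logs]
disabled = 0
start_from = oldest
"""

# Constructed stanza with a misspelled key and an invalid value.
SAMPLE_TYPOS = """
[WinEventLog://Kaspersky Event Log]
disabled = 0
startfrom = oldest
current_only = yes
"""

if __name__ == "__main__":
    # Usage: python check_inputs.py [path\to\inputs.conf]; defaults to SAMPLE_REPLY.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            conf_text = fh.read()
    else:
        conf_text = SAMPLE_REPLY
    for line in check_inputs_conf(conf_text) or ["no problems found"]:
        print(line)
```

Running it on SAMPLE_ASKER reports nothing, on SAMPLE_REPLY it reports the malformed header, and on SAMPLE_TYPOS it reports both the unknown key and the bad value. On a real forwarder the built-in equivalent is `splunk btool check`, run from $SPLUNK_HOME/bin, which validates every .conf file against its spec before you restart the service; reading splunkd.log afterwards, as suggested above, shows the same kind of message when a stanza is rejected at startup.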