
How do I index Kaspersky Security Center logs in Splunk?

Engager

Hello,

I'd like to monitor the logs of Kaspersky Security Center with Splunk. I found that I should add this in inputs.conf on the forwarders:

[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = kaspersky
renderXml = false

I do this and restart the forwarder service, but after doing this, the forwarder is stopped!!

Can anyone help me monitor the logs of Kaspersky?

Thank you very much

0 Karma

Re: How do I index Kaspersky Security Center logs in Splunk?

Motivator

A few more questions/comments to help pinpoint where things are going wrong:

  • Is it a local user or domain user?
  • Does the service start fine when you manually try it after a reboot?
  • Set it to autostart (delayed) instead of just autostart and see if it works then.
  • Try setting it temporarily to use the local SYSTEM login and see if that works.

Note that if you set it to autostart(delayed) it can take several minutes to actually start, so don't be in a hurry.

You can start by reading the splunkd.log files on your forwarders; they can be found in the $SPLUNK_HOME/var/log/splunk folder. This log is usually very helpful.

0 Karma

Re: How do I index Kaspersky Security Center logs in Splunk?

Engager

Thank you for your response. You will find below the answers to your questions:

local user or domain user? local user
Does the service start fine when you manually try it after a reboot? yes

This problem comes only if I add the Kaspersky instructions in inputs.conf.
When I delete these lines, the Splunk universal forwarder continues to work fine!

Maybe I made a mistake in the inputs.conf for Kaspersky:
[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = kaspersky
renderXml = false

Please correct these lines if there is a mistake, or tell me how I can monitor the logs of Kaspersky??
Is adding these lines in inputs.conf the only way to index Kaspersky logs??
Thank you!

0 Karma

Re: How do I index Kaspersky Security Center logs in Splunk?

Motivator

I figured it out. The solution is to add a section and stanza in the inputs.conf file on UF-end.

[WinEventLogs: Kaspersky Event Logs]
disabled = 0
start_from = oldest

Then, restart the SplunkForwarder Service.

0 Karma

Re: How do I index Kaspersky Security Center logs in Splunk?

Engager

Hello,

Thank you for your response. I added these lines without any result. You will find the error message below:

Invalid key in stanza [WinEventLogs: Kaspersky Event Logs] in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf, line 6: start_from (value: oldest)

Do you have any idea how to solve this issue, please?

0 Karma
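As an added example (not code from Splunk or from anyone in this thread), a small Python checker that parses inputs.conf text and applies the rule behind the "Invalid key in stanza" message above: a Windows Event Log input header must read [WinEventLog://<channel name>], and WinEventLog-specific keys such as start_from are rejected in a stanza that does not use that form. The key sets are an assumption covering a subset of documented settings, and the sample config is constructed from the two stanzas quoted in this thread.

```python
import re

# Assumption: keys accepted in any stanza, and a subset of documented settings
# that are only valid for [WinEventLog://...] inputs.
GENERIC_KEYS = {"disabled", "index", "sourcetype", "source", "host"}
WINEVENTLOG_KEYS = {"start_from", "current_only", "checkpointInterval",
                    "renderXml", "whitelist", "blacklist", "evt_resolve_ad_obj"}
STANZA_RE = re.compile(r"^\[(?P<scheme>[^:\]]+)://(?P<name>[^\]]+)\]$")  # [<scheme>://<name>]
# Constructed sample: the two stanzas quoted in this thread, in one file.
SAMPLE = """\
[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = kaspersky
renderXml = false

[WinEventLogs: Kaspersky Event Logs]
disabled = 0
start_from = oldest
"""

def parse_conf(text):
    """Split .conf text into stanzas: header, header line number, (key, value, line) triples."""
    stanzas = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("["):
            stanzas.append({"header": line, "line": lineno, "keys": []})
        elif "=" in line and stanzas and not line.startswith("#"):
            key, value = (p.strip() for p in line.split("=", 1))
            stanzas[-1]["keys"].append((key, value, lineno))
    return stanzas

def check_wineventlog(text):
    """Report Windows Event Log stanzas with a malformed header, and keys invalid where they appear."""
    problems = []
    for st in parse_conf(text):
        m = STANZA_RE.match(st["header"])
        is_wel = bool(m and m.group("scheme") == "WinEventLog")
        if not is_wel and "WinEventLog" not in st["header"]:
            continue  # some other input type; outside this checker's scope
        if not is_wel:
            problems.append(f"line {st['line']}: stanza {st['header']} is not of the form [WinEventLog://<channel name>]")
        for key, value, ln in st["keys"]:
            if key not in GENERIC_KEYS and (not is_wel or key not in WINEVENTLOG_KEYS):
                problems.append(f"line {ln}: invalid key in stanza {st['header']}: {key} (value: {value})")
    return problems
```

On the forwarder itself, splunk btool check performs the real validation against Splunk's spec files; this script only mirrors the header-and-key rule that produced the message quoted in the thread.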