Getting Data In

Indexing Kaspersky Logs

miteshvohra
Contributor

Need help to monitor event logs from Kaspersky Security Centre in #Splunk. Merely pointing forwarder to collect Windows Logs on the Kaspersky Server doesn't help.

Please suggest.

Cheers, Mitesh Vohra.

0 Karma
1 Solution

miteshvohra
Contributor

I figured it out. The solution is to add a section and stanza in the inputs.conf file on UF-end.

[WinEventLogs: Kaspersky Event Logs]
disabled = 0
start_from = oldest

Then, restart the SplunkForwarder Service.

Cheers. Mitesh.

View solution in original post

miteshvohra
Contributor

The new version of Kaspersky Security Center 10.3.x can send the fresh (as well as historical data available in backend DB) to Splunk in CEF format. Just provide the IP address and port number of Splunk Indexer.

  1. Run the Console.
  2. Expand the node Reports and notifications → Events.
  3. Select Properties in the context menu.
  4. On the Exporting events tab, select the check box Automatically export events to SIEM system database.
  5. Select Splunk from the drop-down list and specify the address of your SIEM server.
  6. Click OK.

Hope this helps.

Regards, Mitesh.

0 Karma

mbarbaro
Path Finder

Hello,

Someone manage to parse the message received by the CEF format?

What should i do from the Splunk side? Install any particular app or addon ?

Shyngys_Bolatbe
Engager

Hi . Did you find solution ?

0 Karma

rimvydukas
New Member

And what must be configured on Splunk's side for it to accept Kaspersky events???

0 Karma

miteshp250283
Path Finder

Well the documentation does not mention any particular setting on Splunk side. The local support folks do not have sufficient knowledge of any of the 4 options (Syslog, ArcSight, Qradar & Splunk) present in the latest Kaspersky Security Console.

I have setup KSC and Splunk on AWS to try this out. Running out of trial license since I am not able to give full time to the setup.

Will rebuild another instance if the problem statement is still open and anyone is interested in the solution.

0 Karma

vince2010091
Path Finder

So the best solution is to use DB Connect ?

0 Karma

nychawk
Communicator

Hello All;

In reading this thread, I am not clear as to the best way to index kaspersky data, ms-sql (presumably using DBConnect), or through Universal Forwarder, using the inputs.conf provided by dolejh76.

In searching SplunkBase for "kaspersky", I am redirected to the VirusTotal app, which lacks any documentation.

Also, has anyone written any queries to put together reporting, and/or alerts?

Thank you,

-mi

0 Karma

dolejh76
Communicator

Its been a while since I looked at this but if I remember right you have to make sure that Kaspersky is logging its events to the windows event log. From there you just grab that data and push it to its own index.. As for pulling directly from the database - no we did not do that.

Thanks
John

0 Karma

dolejh76
Communicator

I just looked at our Kaspersky index - unfortunately it looks like it is just events ON the actual Kaspersky server. We are not at this point getting any alerts from kas events on other computers. On my list to do - just a low priority since we currently get alerts directly from Kaspersky. I would however like to pull this into Splunk.

Thanks
John

0 Karma

nychawk
Communicator

Thanks John;

Do you have any information at all on the DB, tables, fields, etc?

Unless there is a working option for logging Kaspersky files, I'd like to try this approach; I would be surprised to believe I am the first.

Please share your findings, I will do the same.

Regards,

-mike

0 Karma

dolejh76
Communicator

Accept the answer above with one exception.... It is not plural and I specified a specific index on my stanza

[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = kaspersky
renderXml = false

0 Karma

jeandez
Explorer

hello !! i need help,

i created an index which contains a csv based kaspersky log file. I want Enterprise Security to understand this file, and use it for correlation.
I don't know how to do it .
Could you help me ??

thx..

btiggemann
Path Finder

I also need to know that 😞

0 Karma

MinaMina
New Member

Did you find how to put it in entreprise security without creating a new add-on ?

0 Karma

miteshvohra
Contributor

I figured it out. The solution is to add a section and stanza in the inputs.conf file on UF-end.

[WinEventLogs: Kaspersky Event Logs]
disabled = 0
start_from = oldest

Then, restart the SplunkForwarder Service.

Cheers. Mitesh.

miteshvohra
Contributor

No. Database does not have any Kaspersky's own service-related, connectivity and other events.

"Kaspersky Event Log" is a separate stream of events under "Application and Service Logs" in Windows Event Viewer.

0 Karma

miteshvohra
Contributor

Will check and update the post. Thanks for the pointer.

0 Karma

klychnikov
Explorer

Events are stored also in the database. Better to use a database to retrieve the data

0 Karma

klychnikov
Explorer

События хранятся тоже в базе. Лучше использовать базу данных для получения данных

miteshvohra
Contributor

Kaspersky uses MS-SQL / MySQL to store config, Kaspersky products checked into the console and endpoints enrolled as part of teh deployment.

I am looking at ways to monitor logs generated by Kaspersky's Management Console which is stored in Windows Event Log format but is shown separately in the Event Viewer.

klychnikov: Thanks for your time.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...