I figured it out. The solution is to add a section and stanza in the inputs.conf file on UF-end.
[WinEventLogs: Kaspersky Event Logs]
disabled = 0
start_from = oldest
Then, restart the SplunkForwarder Service.
Cheers. Mitesh.
The new version of Kaspersky Security Center 10.3.x can send the fresh (as well as historical data available in backend DB) to Splunk in CEF format. Just provide the IP address and port number of Splunk Indexer.
Hope this helps.
Regards, Mitesh.
Hello,
Has anyone managed to parse the messages received in CEF format?
What should I do on the Splunk side? Install any particular app or add-on?
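Since KSC can push events to Splunk in CEF format and the question above is how to make sense of them on the Splunk side, here is a small CEF parser as an added example (not code from this thread or from Kaspersky or Splunk). It implements the CEF layout: a `CEF:version` prefix, seven `|`-delimited header fields in which `\|` and `\\` are escapes, followed by a space-separated `key=value` extension in which `\=`, `\\`, `\n` and `\r` are escapes and values may contain spaces. The sample line is constructed for illustration; the vendor, product, signature id and field values are assumed, not captured from a real installation.

```python
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Constructed sample line (illustrative values, not from a real KSC install).
# Raw string, so the backslashes are exactly what would arrive on the wire.
SAMPLE = (r"CEF:0|KasperskyLab|SecurityCenter|10.3|VIRUS_FOUND|Virus found\|quarantined|High|"
          r"rt=Jan 01 2017 12:00:00 dhost=WKS-01 suser=CORP\\jdoe "
          r"fname=C:\\tmp\\eicar.com msg=Result\=Detected cs1Label=Threat cs1=EICAR-Test-File")


def _split_header(line):
    """Split the seven '|'-delimited header fields, honouring the '\\|' and '\\\\' escapes.
    Returns (fields, remainder) where remainder is the extension part of the line."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep it literally
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":                         # unescaped delimiter: field boundary
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return fields, line[i:]


# A key is a run of word characters followed by '=', at the start of the extension
# or after whitespace. An escaped '\=' inside a value never matches because the
# character before the '=' is a backslash, not a word character followed by space.
_KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")


def _unescape_ext(value):
    """Undo extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' and '\\r' -> newlines."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext):
    """Parse 'key=value key2=value2 ...'; a value runs until the next key token."""
    out = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Return a flat dict with the header fields and every extension key."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line)
    event = dict(zip(HEADER_FIELDS, fields))
    event["version"] = event["version"].split(":", 1)[1]   # 'CEF:0' -> '0'
    event.update(_parse_extension(ext))
    # Convenience: expose custom strings under their label (cs1Label=Threat cs1=X -> Threat=X).
    for n in range(1, 7):
        label, val = event.get(f"cs{n}Label"), event.get(f"cs{n}")
        if label and val is not None:
            event[label] = val
    return event


if __name__ == "__main__":
    for k, v in parse_cef(SAMPLE).items():
        print(f"{k} = {v!r}")
```

Running it against the constructed sample yields the header fields plus `dhost`, `suser`, `fname` and `msg` with their escapes removed, and a `Threat` key resolved from `cs1Label`/`cs1`. The same splitting logic is what a props.conf/transforms.conf extraction has to reproduce; testing it in plain Python first makes it easy to see which escape sequences a regex-only field extraction would get wrong.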
Hi. Did you find a solution?
And what must be configured on Splunk's side for it to accept Kaspersky events?
Well the documentation does not mention any particular setting on Splunk side. The local support folks do not have sufficient knowledge of any of the 4 options (Syslog, ArcSight, Qradar & Splunk) present in the latest Kaspersky Security Console.
I have set up KSC and Splunk on AWS to try this out. I am running out of trial license since I am not able to give full time to the setup.
Will rebuild another instance if the problem statement is still open and anyone is interested in the solution.
So the best solution is to use DB Connect?
Hello All;
In reading this thread, I am not clear as to the best way to index Kaspersky data: MS-SQL (presumably using DB Connect), or through the Universal Forwarder, using the inputs.conf provided by dolejh76.
In searching SplunkBase for "kaspersky", I am redirected to the VirusTotal app, which lacks any documentation.
Also, has anyone written any queries to put together reporting, and/or alerts?
Thank you,
-mi
It's been a while since I looked at this, but if I remember right you have to make sure that Kaspersky is logging its events to the Windows event log. From there you just grab that data and push it to its own index. As for pulling directly from the database: no, we did not do that.
Thanks
John
I just looked at our Kaspersky index. Unfortunately it looks like it is just events ON the actual Kaspersky server. We are not at this point getting any alerts from Kaspersky events on other computers. It is on my to-do list, just a low priority since we currently get alerts directly from Kaspersky. I would, however, like to pull this into Splunk.
Thanks
John
Thanks John;
Do you have any information at all on the DB, tables, fields, etc?
Unless there is a working option for logging Kaspersky files, I'd like to try this approach; I would be surprised to believe I am the first.
Please share your findings, I will do the same.
Regards,
-mike
Accept the answer above with one exception: it is not plural, and I specified a specific index in my stanza.
[WinEventLog://Kaspersky Event Log]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = kaspersky
renderXml = false
Hello! I need help.
I created an index which contains a CSV-based Kaspersky log file. I want Enterprise Security to understand this file and use it for correlation.
I don't know how to do it.
Could you help me?
Thx.
I also need to know that 😞
Did you find out how to put it in Enterprise Security without creating a new add-on?
No. Database does not have any Kaspersky's own service-related, connectivity and other events.
"Kaspersky Event Log" is a separate stream of events under "Application and Service Logs" in Windows Event Viewer.
Will check and update the post. Thanks for the pointer.
Events are also stored in the database. It is better to use the database to retrieve the data.
Kaspersky uses MS-SQL / MySQL to store the configuration, the Kaspersky products checked into the console, and the endpoints enrolled as part of the deployment.
I am looking at ways to monitor the logs generated by Kaspersky's Management Console, which are stored in Windows Event Log format but are shown separately in the Event Viewer.
klychnikov: Thanks for your time.