Scenario: Configuring event export to SIEM systems
Kaspersky Security Center lets you export events by one of the following methods: export to any SIEM system that accepts the Syslog format; export to the QRadar, Splunk, or ArcSight SIEM systems, which use the LEEF and CEF formats; or export of events to a SIEM system directly from the Kaspersky Security Center database. When you complete this scenario, Administration Server sends events to the SIEM system automatically.
Prerequisites
Before you start configuring export of events from Kaspersky Security Center:
- Learn more about the methods of event export.
- Make sure that you have the values of the SIEM system settings that the configuration requires (such as the address of the SIEM server, the port it listens on, and the protocol it accepts).
You can perform the steps of this scenario in any order.
The process of exporting events to a SIEM system consists of the following steps:
- Configuring the SIEM system to receive events from Kaspersky Security Center
How-to instructions: Configuring event export in a SIEM system
- Selecting the events that you want to export to the SIEM system
How-to instructions:
- Administration Console: Marking events of a Kaspersky application for export in Syslog format, Marking general events for export in Syslog format
- Kaspersky Security Center Web Console: Marking events of a Kaspersky application for export in Syslog format, Marking general events for export in Syslog format
- Configuring export of events to the SIEM system by one of the following methods:
- Using the TCP/IP, UDP, or TLS over TCP protocols. Only TLS over TCP protects the exported events in transit; plain TCP/IP and UDP send them unencrypted, and UDP additionally gives no guarantee of delivery.
How-to instructions:
- Administration Console: Configuring export of events to SIEM systems
- Kaspersky Security Center Web Console: Configuring export of events to SIEM systems
- Using export of events directly from the Kaspersky Security Center database (a set of public views is provided in the Kaspersky Security Center database; you can find the description of these public views in the klakdb.chm document).
Results
After you configure export of events to the SIEM system, you can view the export results, provided that you selected the events that you want to export.
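A receiving-side check for the Syslog export: the script below parses CEF and LEEF payloads out of raw syslog lines and reports every line that a SIEM could not have interpreted, so a truncated or malformed event shows up instead of being silently dropped. It is an added example written for this page, not code from Kaspersky Security Center or its documentation. The sample lines are constructed to follow the CEF and LEEF syntaxes and use placeholder vendor, product, and event identifiers (ExampleVendor, ExampleEPP, EV-1000, EV-2000); they do not reproduce actual Administration Server output.

```python
"""Receiving-side check for a Syslog export in CEF or LEEF format.

Added example; not code from Kaspersky Security Center. The sample lines are
constructed with placeholder vendor/product/event identifiers.
"""
import re
from dataclasses import dataclass, field

# Locates the CEF/LEEF payload after any RFC 3164 or RFC 5424 syslog header.
_PAYLOAD_RE = re.compile(r"(?:^|\s)((?:CEF|LEEF):.*)")
# A CEF extension key: starts with a letter, sits at line start or after a space.
_CEF_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z][A-Za-z0-9_.]*)=")

CEF_HEADER = ("version", "vendor", "product", "device_version",
              "signature_id", "name", "severity")
LEEF_HEADER = ("version", "vendor", "product", "device_version", "event_id")


@dataclass
class Event:
    fmt: str                                  # "CEF" or "LEEF"
    header: dict                              # positional header fields
    ext: dict = field(default_factory=dict)   # key=value extension fields


def _unescape(s: str, pairs: dict) -> str:
    """Resolve the backslash escapes listed in pairs, one pair at a time."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in pairs:
            out.append(pairs[s[i + 1]])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _split_header(s: str, nfields: int):
    """Take nfields pipe-delimited header fields (honouring \\| and \\\\) and
    return them together with the untouched remainder of the line."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < nfields:
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
            continue
        if s[i] == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    if len(fields) < nfields:
        raise ValueError(f"expected {nfields} header fields, got {len(fields)}")
    return fields, s[i:]


def parse_cef(body: str) -> Event:
    """CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|key=value ..."""
    fields, ext = _split_header(body[len("CEF:"):], len(CEF_HEADER))
    keys = list(_CEF_KEY_RE.finditer(ext))
    values = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].rstrip(" ")
        # Extension values escape '=', '\', newline and carriage return.
        values[m.group(1)] = _unescape(raw, {"=": "=", "\\": "\\", "n": "\n", "r": "\r"})
    return Event("CEF", dict(zip(CEF_HEADER, fields)), values)


def parse_leef(body: str) -> Event:
    """LEEF:1.0|Vendor|Product|DevVersion|EventID|k=v<TAB>k=v (2.0 adds a delimiter field)."""
    rest = body[len("LEEF:"):]
    nfields = 6 if rest.split("|", 1)[0].startswith("2") else 5
    fields, attrs = _split_header(rest, nfields)
    delim = "\t"
    if nfields == 6 and fields[5]:
        d = fields[5]
        if re.fullmatch(r"0?x[0-9A-Fa-f]{2}", d):   # hex form such as x09
            delim = chr(int(d[-2:], 16))
        elif len(d) == 1:
            delim = d
        else:
            raise ValueError(f"unsupported LEEF delimiter {d!r}")
    values = {}
    for pair in filter(None, attrs.split(delim)):
        k, sep, v = pair.partition("=")
        if not sep:
            raise ValueError(f"LEEF attribute without '=': {pair!r}")
        values[k] = v
    return Event("LEEF", dict(zip(LEEF_HEADER, fields[:5])), values)


def parse_event(line: str) -> Event:
    """Parse one raw syslog line carrying a CEF or LEEF payload."""
    m = _PAYLOAD_RE.search(line)
    if not m:
        raise ValueError("no CEF/LEEF payload found")
    body = m.group(1)
    return parse_cef(body) if body.startswith("CEF:") else parse_leef(body)


def check_export(lines):
    """Return (events, errors); errors holds (line number, reason) for bad lines."""
    events, errors = [], []
    for no, line in enumerate(lines, 1):
        try:
            events.append(parse_event(line))
        except ValueError as exc:
            errors.append((no, str(exc)))
    return events, errors


# Constructed sample input (placeholder identifiers, not real product output).
SAMPLE_LINES = [
    "<14>1 2024-05-01T10:15:00Z admsrv01 ksc - - - CEF:0|ExampleVendor|ExampleEPP|1.0|EV-1000"
    "|Malicious object detected \\| quarantined|8|src=10.0.0.25 suser=CORP\\\\jdoe "
    "fname=C:\\\\Users\\\\jdoe\\\\invoice.exe msg=Verdict\\=Example.Trojan",
    "<13>May  1 10:15:01 admsrv01 ksc: LEEF:2.0|ExampleVendor|ExampleEPP|1.0|EV-1000|^|"
    "src=10.0.0.25^usrName=jdoe^sev=8",
    "LEEF:1.0|ExampleVendor|ExampleEPP|1.0|EV-2000|src=10.0.0.26\tcat=Update\tsev=2",
    "<14>1 2024-05-01T10:15:02Z admsrv01 ksc - - - CEF:0|ExampleVendor|ExampleEPP|1.0",  # cut off
]

if __name__ == "__main__":
    evs, errs = check_export(SAMPLE_LINES)
    for ev in evs:
        print(ev.fmt, ev.header.get("name") or ev.header["event_id"], ev.ext)
    for no, err in errs:
        print(f"line {no}: {err}")
```

Run it with python3 to print each parsed event and the line numbers that failed to parse. To check a real export, feed check_export the lines your SIEM received (for example from its raw-receive log) and confirm that every event you marked for export arrives and that header and extension escaping (the \| and \= sequences) survive the transport; the deliberately truncated fourth sample line shows how a cut-off event is reported rather than accepted.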