Configuring Kaspersky Security Center Linux for export of events to a SIEM system

2024年5月6日

ID 216090

另存为 PDF

Expand all | Collapse all

To export events to a SIEM system, you have to configure the process of export in Kaspersky Security Center Linux.

To configure export to SIEM systems in the Kaspersky Security Center Web Console:

In the main menu, click the settings icon () next to the name of the required Administration Server.
The Administration Server properties window opens.
On the 常规 tab, select the SIEM section.
Click the 设置 link.
The 导出设置 section opens.
Specify the settings in the 导出设置 section:
- SIEM 系统服务器地址
  The IP address of the server on which the currently used SIEM system is installed. Check this value in your SIEM system settings.
- SIEM 系统端口
  Port number used to establish a connection between Kaspersky Security Center Linux and your SIEM system server. You specify this value in the Kaspersky Security Center Linux settings and in the receiver settings of your SIEM system.
- 协议
  Select the protocol to be used for transferring messages to the SIEM system. You can select either the TCP/IP, UDP, or TLS over TCP protocol.
  
  Specify the following TLS settings if you select the TLS over TCP protocol:
  - 服务器身份验证
    In the 服务器身份验证 field, you can select the Trusted certificates or SHA fingerprints values:
    - Trusted certificates. You can receive a file with the list of certificates from a trusted certification authority (CA) and upload the file to Kaspersky Security Center Linux. Kaspersky Security Center Linux checks whether the certificate of the SIEM system server is also signed by a trusted CA or not.
      To add a trusted certificate, click the Browse for CA certificates file button, and then upload the certificate.
    - SHA fingerprints. You can specify SHA-1 thumbprints of the SIEM system certificates in Kaspersky Security Center Linux. To add a SHA-1 thumbprint, enter it in the 指纹 field, and then click the 添加 button.
    By using the 添加客户端身份验证 setting, you can generate a certificate to authenticate Kaspersky Security Center Linux. Thus, you will use a self-signed certificate issued by Kaspersky Security Center Linux. In this case, you can use both a trusted certificate and a SHA fingerprint to authenticate the SIEM system server.
  - 添加主题名称/主题备选名称
    Subject name is a domain name for which the certificate is received. Kaspersky Security Center Linux cannot connect to the SIEM system server if the domain name of the SIEM system server does not match the subject name of the SIEM system server certificate. However, the SIEM system server can change its domain name if the name has changed in the certificate. In this case, you can specify subject names in the 添加主题名称/主题备选名称 field. If any of the specified subject names matches the subject name of the SIEM system certificate, Kaspersky Security Center Linux validates the SIEM system server certificate.
  - 添加客户端身份验证
    For client authentication, you can insert your certificate or generate it in Kaspersky Security Center Linux.
    - 插入证书. You can use a certificate that you received from any source, for example, from any trusted CA. You must specify the certificate and its private key by using one of the following certificate types:
      X.509 证书 PEM. Upload a file with a certificate in the 证书文件 field, and a file with a private key in the 密钥文件 field. Both files do not depend on each other and the order of loading the files is not significant. When both files are uploaded, specify the password for decoding the private key in the 密码或证书验证 field. The password can have an empty value if the private key is not encoded.
      X.509 证书 PKCS12. Upload a single file that contains a certificate and its private key in the 证书文件 field. When the file is uploaded, specify the password for decoding the private key in the 密码或证书验证 field. The password can have an empty value if the private key is not encoded.
    - 生成密钥. You can generate a self-signed certificate in Kaspersky Security Center Linux. As a result, Kaspersky Security Center Linux stores the generated self-signed certificate, and you can pass the public part of the certificate or SHA1-fingerprint to the SIEM system.
If you want, you can export archived events from the Administration Server database and set the start date from which you want to start the export of archived events:
1. Click the 设置导出起始日期 link.
2. In the section that opens, specify the start date in the 导出的起始日期 field.
3. Click the 确定 button.
Switch the option to the 自动导出事件至 SIEM 系统数据库已启用 position.
Click the 保存 button.

Export to a SIEM system is configured. From now on, if you configured the receiving of events in a SIEM system, Administration Server exports the marked events to a SIEM system. If you set the start date of export, Administration Server also exports the marked events stored in the Administration Server database from the specified date.

Kaspersky Endpoint Security for Linux: High protection without performance compromising

Detects and blocks advanced threats. Buy as part of Endpoint Security for Business Advanced.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.