Logmanager documentation

Kaspersky Security Center

Kaspersky Security Center is a suite of applications and tools for protecting Windows workstations and servers. It has two main parts: the Administration Server, which manages the deployment centrally, and the Kaspersky Endpoint Security protection installed on the client workstations.

Both parts generate event records about their activity, and these can be forwarded to the Logmanager server.

Requirements

The Administration Server of Kaspersky Security Center stores its events in the Windows Event Log. To collect them, the Windows Event Sender (WES) must be running on the Administration Server and on every workstation connected to it. For forwarding the collected events to the Logmanager server, follow the chapter Microsoft Windows Event Sender (WES) (Deprecated).

The second option is the SIEM export function of Kaspersky Security Center, which sends the events to the Logmanager over the syslog protocol in CEF format.

Logging via WES

Security Center v10.2 - Administration Server

Configuring Security Center to send administration server messages to the Logmanager:

  1. Open the Kaspersky Security Center application.
  2. On the left side, expand your connected Administration Server and click Reports and notifications.
  3. In the dashboard select the Notifications tab; you should see a screen similar to the following:
    [screenshot: Notifications menu]
  4. At the bottom click Modify Administration Server event settings.
  5. A new window appears in which you can edit the properties of the Administration Server:
    [screenshot: Administration Server properties - Events]
  6. Select the tab with the category of events that you want to modify.
  7. Select the events you want to log (hold the CTRL key for multiple selection, or click Select all) and click the Properties button.
  8. Another window appears; select the option In the OS event log on Administration Server and confirm with the OK button.
    [screenshot: Event properties]
    Repeat these steps for each event category.
  9. Confirm the changes by clicking the OK button.

Once Windows Event Sender on the Administration Server is configured to forward the Windows event log these events are written to, Administration Server events will be sent to the Logmanager.

Endpoint Security v10.2 - Workstations

If the workstations are managed by the Administration Server, event logging for them can be configured centrally from Kaspersky Security Center.

Configuring Endpoint Security to send workstation messages to the Logmanager:

  1. Open the Kaspersky Security Center application.
  2. On the left side, expand your connected Administration Server and click Reports and notifications.
  3. In the dashboard select the Notifications tab; you should see a screen similar to the following:
    [screenshot: Notifications menu]
  4. At the bottom click Edit settings for Kaspersky Endpoint Security.
  5. A new window appears in which you can edit the properties of Kaspersky Endpoint Security:
    [screenshot: Endpoint Security properties - Events]
  6. Select the tab with the category of events that you want to modify.
    For the setting to be enforced on all workstations in the group, make sure the lock icon next to it is in the locked state.
  7. Select the events you want to log (hold the CTRL key for multiple selection, or click Select all) and click the Properties button.
  8. Another window appears; select the option In the OS event log on client computer and confirm with the OK button.
    [screenshot: Event properties]
    Repeat these steps for each event category.
  9. Confirm the changes by clicking the OK button.

Once Windows Event Sender on the workstations is configured to forward the Windows event log these events are written to, workstation events will be sent to the Logmanager.

Security Center v10.4 - Administration Server

Configuring Security Center to send administration server messages to the Logmanager:

  1. Open the Kaspersky Security Center application.
  2. On the left side, expand your connected Administration Server, right-click it and choose Properties.
    [screenshot: Administration server menu]
  3. On the left side select Event notification, then select the category of events you want to configure.
    [screenshot: Administration server properties]
  4. Select the events you want to log (hold the CTRL key for multiple selection).
  5. At the bottom click the Properties button.
  6. A new window appears in which you can edit the properties of the selected events:
    [screenshot: Properties of event]
  7. Select the option In the OS event log on Administration Server and confirm with the OK button.
    Repeat these steps for each event category.
  8. Confirm the changes by clicking the OK button.

Once Windows Event Sender on the Administration Server is configured to forward the Windows event log these events are written to, Administration Server events will be sent to the Logmanager.

Endpoint Security v10.4 - Workstations

If the workstations are managed by the Administration Server, event logging for them can be configured centrally from Kaspersky Security Center through the policy applied to those workstations.

Configuring Endpoint Security to send workstation messages to the Logmanager:

  1. Open the Kaspersky Security Center application.
  2. On the left side, expand your connected Administration Server and click Policies.
  3. Select the Kaspersky Endpoint Security policy and choose Properties.
    [screenshot: Event properties]
  4. On the left side select Event notification, then select the category of events you want to configure.
    [screenshot: Properties of policies]
  5. Select the events you want to log (hold the CTRL key for multiple selection).
  6. At the bottom click the Properties button.
  7. A new window appears in which you can edit the properties of the selected events:
    [screenshot: Properties of event]
  8. Select the option In the OS event log on client computer and confirm with the OK button.
    Repeat these steps for each event category.
  9. Confirm the changes by clicking the OK button.

Once Windows Event Sender on the workstations is configured to forward the Windows event log these events are written to, workstation events will be sent to the Logmanager.

Logging via Syslog

Security Center v10.4 - Administration Server

Configuring Security Center to send administration server messages to the Logmanager:

  1. Open the Kaspersky Security Center application.
  2. On the left side select your Administration Server and open the Events tab.
  3. Choose Configure export to SIEM system.
    [screenshot: Configure export to SIEM system]
  4. In the Exporting events section set:

    • Automatically export events to SIEM system database: enabled,
    • SIEM system: ArcSight (CEF format),
    • SIEM system server address: the IP address of the Logmanager server,
    • SIEM system server port: 514,
    • Protocol: UDP.

    Confirm all values with the OK button.
    [screenshot: Exporting events]

    Note that syslog over UDP is neither encrypted nor acknowledged: keep the Administration Server and the Logmanager on a trusted management network, and expect that individual messages may be lost during large event bursts.
  5. On the left side, expand your connected Administration Server, right-click it and choose Properties.
    [screenshot: Administration server menu]
  6. On the left side select Event notification, then select the category of events you want to configure.
    [screenshot: Administration server properties]
  7. Select the events you want to log (hold the CTRL key for multiple selection).
  8. At the bottom click the Properties button.
  9. A new window appears in which you can edit the properties of the selected events:
    [screenshot: Properties of event]
  10. Select the option Export to SIEM system via Syslog and confirm with the OK button.
    Repeat these steps for each event category.
  11. Confirm the changes by clicking the OK button.
  12. Configure the Logmanager server: open Parser ‣ IP prefix lists, edit the Arcsight_cef device list and add the IP address of the Kaspersky Security Center Administration Server. This tells the Logmanager to apply the Arcsight_cef parser to the messages arriving from that address.
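To see what the Logmanager receives after the steps above, here is an added example in Python, written for this page and not Logmanager or Kaspersky code. It parses a syslog-wrapped CEF line of the kind the ArcSight (CEF format) export produces, honouring the CEF escape rules for pipes in the header and equals signs in extension values, and reproduces the source-address check that the Arcsight_cef IP prefix list performs. The sample message, the vendor and product strings, host names and addresses are constructed for illustration, and it is assumed, as step 12 suggests, that Logmanager applies the Arcsight_cef parser only to senders whose address falls inside that list.

```python
"""Added example (not Logmanager or Kaspersky code): parse syslog/CEF lines
as exported by Kaspersky Security Center's "ArcSight (CEF format)" option and
reproduce the source-address check behind Logmanager's Arcsight_cef prefix list."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Optional syslog <PRI> and RFC 3164 header, consumed up to the start of "CEF:<n>"
_SYSLOG_RE = re.compile(r"^(?:<(?P<pri>\d{1,3})>)?.*?(?=CEF:\d)", re.S)
# An extension key starts the string or follows whitespace and is terminated by '='
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")
_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                  "event_class_id", "name", "severity")


@dataclass
class CefEvent:
    pri: Optional[int]            # syslog priority, None if the line had none
    header: Dict[str, str]        # the seven pipe-delimited header fields
    extension: Dict[str, str]     # key=value extension pairs, unescaped


def _unescape(value: str) -> str:
    # CEF escapes: \\ -> \, \= -> =, \| -> |, \n and \r -> line breaks
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(payload: str) -> Tuple[List[str], str]:
    """Return the seven header fields and the remaining extension text.
    A pipe inside a header field is escaped as \\| and must not split the field."""
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            cur.append(payload[i:i + 2])       # keep the escape pair for _unescape
            i += 2
        elif ch == "|":
            fields.append(_unescape("".join(cur)))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) == 6 and cur:               # severity without trailing pipe, no extension
        fields.append(_unescape("".join(cur)))
        return fields, ""
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, payload[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Values may contain spaces; a literal '=' inside a value must be escaped as \\=."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> CefEvent:
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line carries no CEF payload")
    pri = int(m.group("pri")) if m.group("pri") else None
    fields, ext = _split_header(line[m.end():])
    header = dict(zip(_HEADER_FIELDS, fields))
    header["version"] = header["version"][len("CEF:"):]
    return CefEvent(pri, header, _parse_extension(ext))


def sender_allowed(src_ip: str, prefixes: List[str]) -> bool:
    """Assumed Logmanager behaviour: a message reaches the Arcsight_cef parser only
    when the sender address is inside one of the prefixes in the device list."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


# Constructed sample line: the layout follows the CEF grammar, but vendor, product,
# event names, hosts and addresses are illustrative, not captured from a real server.
SAMPLE = (
    "<14>Mar  3 10:15:42 ksc-srv CEF:0|KasperskyLab|SecurityCenter|10.4.343|"
    "GNRL_EV_VIRUS_FOUND|Malicious object detected \\| blocked|8|"
    "rt=1520072142000 dhost=WS-017 dst=10.20.30.17 "
    "msg=Object\\=Trojan.Win32.Agent in C:\\\\Users\\\\bob"
)

if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev.header["event_class_id"], "-", ev.header["name"], "severity", ev.header["severity"])
    for k, v in ev.extension.items():
        print(f"  {k} = {v}")
    print("accepted by prefix list:", sender_allowed("10.20.30.5", ["10.20.30.0/24"]))
```

If a Kaspersky event shows up in Logmanager as an unparsed raw syslog line rather than as CEF fields, check the prefix list first: the address the Administration Server actually sends from (not necessarily the one you typed) has to match one of the listed prefixes.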

Endpoint Security v10.4 - Workstations

If the workstations are managed by the Administration Server, event logging for them can be configured centrally from Kaspersky Security Center through the policy applied to those workstations.

Configuring Endpoint Security to send workstation messages to the Logmanager:

  1. Open the Kaspersky Security Center application.
  2. On the left side, expand your connected Administration Server and click Policies.
  3. Select the Kaspersky Endpoint Security policy and choose Properties.
    [screenshot: Event properties]
  4. On the left side select Event notification, then select the category of events you want to configure.
    [screenshot: Properties of policies]
  5. Select the events you want to log (hold the CTRL key for multiple selection).
  6. At the bottom click the Properties button.
  7. A new window appears in which you can edit the properties of the selected events:
    [screenshot: Properties of event]
  8. Select the option Export to SIEM system via Syslog and confirm with the OK button.
    Repeat these steps for each event category.
  9. Confirm the changes by clicking the OK button.