Getting data from Kaspersky endpoint security center ver. 13


Нестеров Руслан Олегович

Aug 8, 2022, 10:48:21 AM
to wa...@googlegroups.com

Good day team,


I am looking for a way to get data from KES Center.

What I have at this point in time:

  1. New Wazuh lab install
  2. A working KES with about 170 agents. Wazuh Agent is also installed
  3. I can export all events in syslog format to the Wazuh server or any other syslog server. It is not a big problem. The only problem I see is that the syslog will store information in a language other than English


What steps should I take to make the data available in Wazuh dashboard. Better to see it in THREAT DETECTION AND RESPONSE module.

Any help is welcome.


Best regards,

Руслан О. Нестеров

ОРПЦ «ФудСити»

Information security specialist.

+7(977)912-21-80

Mauricio Ruben Santillan

Aug 8, 2022, 3:15:53 PM
to Wazuh mailing list
Hello!

Thanks for using Wazuh!

By doing some research I found that KES provides Web Console activity logging and Application logs.

For the activity logs, the document states that after enabling this logging method, KES will start saving such logs into a TXT file, which could easily be ingested into Wazuh using the logcollector module.
For example:
  <localfile>
    <location>C:\logtest\log.txt</location>
    <log_format>syslog</log_format>
  </localfile>

This module would ingest all events saved into C:\logtest\log.txt.

Now for the application logs, the document states that KES is capable of saving such logs both into the Windows Event Log and/or into a TXT file.
In case you wanted to ingest these events using the Windows Event Log, you'll need to add a new localfile (logcollector) module defining the correct event channel, as explained here. You can get the "channel" you need by checking one of these KES events in the Windows Event Viewer. Once you find a KES log, make sure to copy the content of its channel field.
For example, here's the channel field in some random Windows event of mine:
[screenshot: Event Viewer showing the channel field of an event]

And next would be a localfile module that fetches events from the Security channel:
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>

Notice here that location must contain the channel name from the event and log_format must contain eventchannel.

NOTE: Keep in mind that if these events are stored in one of the following channels, Wazuh already has modules to fetch them:
  • Application
  • System
  • Security (By default has a query to filter some innocuous Windows events).

On the other hand, in case you wanted to ingest KES application logs from the TXT file, you would need to apply the same configuration mentioned for the activity logs. Make sure to set the correct file path.

In any case, you will surely need to create and add some custom decoders and rules.

I hope this helps! Let me know how everything goes!
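As an added example (not part of the thread above, and not code from Wazuh or Kaspersky), the channel-discovery step described in the reply can be done from PowerShell on the KES host instead of clicking through Event Viewer: list the channels and providers that look like Kaspersky's, print a few sample events so the LogName (the "channel" field) and ProviderName can be verified, and emit the matching <localfile> block for the agent's ossec.conf. It assumes the channel or provider name contains "Kaspersky"; that pattern is an assumption and is the first thing to adjust if nothing matches.

```powershell
<#
Added example, not from the original thread or from Wazuh/Kaspersky.
Run in an elevated PowerShell on a Windows host where KES is installed.
ASSUMPTION: the KES event channel or provider name contains "Kaspersky";
change $NamePattern if your installation names it differently.
#>
param(
    [string]$NamePattern = '*Kaspersky*',
    [int]$SampleCount = 3
)

# 1. Channels whose name matches the pattern (e.g. a vendor log under
#    "Applications and Services Logs"). Empty channels are skipped.
$channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.LogName -like $NamePattern -and $_.RecordCount -gt 0 }

# 2. Event providers matching the pattern and the channels they link to.
#    This covers the case where KES writes into a built-in channel such
#    as Application instead of its own channel.
$providerLinks = Get-WinEvent -ListProvider $NamePattern -ErrorAction SilentlyContinue |
    ForEach-Object {
        $provider = $_
        $provider.LogLinks | ForEach-Object {
            [pscustomobject]@{ Provider = $provider.Name; Channel = $_.LogName }
        }
    }

# 3. Show a few recent events per discovered channel so LogName (the
#    "channel" field in Event Viewer) and ProviderName can be checked.
foreach ($c in $channels) {
    Write-Host "== $($c.LogName) ($($c.RecordCount) records, mode $($c.LogMode)) =="
    Get-WinEvent -LogName $c.LogName -MaxEvents $SampleCount -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LogName, LevelDisplayName |
        Format-Table -AutoSize | Out-String | Write-Host
}

# 4. Build the <localfile> block: location is the channel name and
#    log_format is eventchannel. Application, System and Security are
#    already collected by the default agent configuration, so for those
#    only decoders and rules are needed, not a second localfile block.
function New-WazuhLocalfile {
    param([string]$Channel)
    if (@('Application', 'System', 'Security') -contains $Channel) {
        return "  <!-- $Channel is already collected by the default ossec.conf; add decoders/rules only -->"
    }
    return @"
  <localfile>
    <location>$Channel</location>
    <log_format>eventchannel</log_format>
  </localfile>
"@
}

$targets = (@($channels | ForEach-Object LogName) + @($providerLinks | ForEach-Object Channel)) |
    Where-Object { $_ } | Sort-Object -Unique

if (-not $targets) {
    Write-Warning "No channel or provider matched '$NamePattern'. Open a KES event in Event Viewer and adjust the pattern."
} else {
    Write-Host "Paste into <ossec_config> on the agent, then restart the Wazuh agent service:"
    $targets | ForEach-Object { New-WazuhLocalfile -Channel $_ }
}
```

The emitted block goes into the agent's ossec.conf (or the shared agent.conf pushed from the manager). Events from a custom channel arrive on the manager as the generic Windows eventchannel JSON, so the decoders and rules mentioned in the reply are still needed to extract the KES-specific fields and raise alerts.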