KSC (Kaspersky) logs to Wazuh


Nemo191 Nm

Mar 29, 2024, 5:11:55 AM
to Wazuh | Mailing List
Hello. Please tell me how to set up Wazuh to receive logs from KSC (Kaspersky).

Nemo191 Nm

Mar 29, 2024, 5:17:22 AM
to Wazuh | Mailing List
In the KSC web console I have configured the export of logs to Wazuh (the IP address of the Wazuh server and port 514).
How do I receive the logs in a non-reactive way, decode them, and configure rules?
And how do I check that the Wazuh server receives logs from KSC?

Friday, March 29, 2024 at 12:11:55 UTC+3, Nemo191 Nm:

Selu López

Apr 1, 2024, 5:29:39 AM
to Wazuh | Mailing List

Hello Nemo191 Nm,

In addition to what you have already done in KSC, you will also have to perform some steps in Wazuh so that it generates alerts from Kaspersky events. I attach the documentation below:

  1. Configure syslog on the Wazuh server.
  2. Temporarily enable the logall_json option in your ossec.conf and restart it. Doing this, Wazuh will store all the received events in the /var/ossec/logs/archives/archives.json file, regardless of whether they triggered an alert.
  3. For these events to generate alerts that can be seen in the Wazuh dashboard, you will have to create custom rules (maybe also decoders). You can find a guide on how to do it in this blog post: Creating decoders and rules from scratch.

I hope you find this helpful. Let me know if you need anything else.
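As an added example (not from Selu's reply and not the Wazuh project's own documentation), the configuration fragments that implement the three steps above. The KSC address 192.0.2.10, the prematch token and rule id 100100 are placeholders/assumptions to replace with values you see in your own archives.json once events arrive:

```xml
<!-- Added example, not from the original thread. 192.0.2.10 (KSC address),
     KSC_PREMATCH_PLACEHOLDER and rule id 100100 are placeholders/assumptions. -->

<!-- Steps 1 and 2: /var/ossec/etc/ossec.conf on the Wazuh manager -->
<ossec_config>
  <global>
    <!-- Step 2: keep every received event in /var/ossec/logs/archives/archives.json,
         even when no rule fires. Set back to "no" once the rules work; this file
         grows quickly. -->
    <logall_json>yes</logall_json>
  </global>

  <!-- Step 1: listen for syslog on the port KSC was pointed at.
       Use the same protocol (udp or tcp) that was chosen in the KSC export. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- accept events only from the KSC server; a CIDR range is also allowed -->
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>
</ossec_config>
<!-- Apply with: systemctl restart wazuh-manager
     Check receipt with: grep 192.0.2.10 /var/ossec/logs/archives/archives.json
     Each matching line carries the raw KSC message in its "full_log" field. -->

<!-- Step 3a: /var/ossec/etc/decoders/local_decoder.xml -->
<decoder name="kaspersky-ksc">
  <!-- replace with a fixed string that appears in every KSC event's full_log -->
  <prematch>KSC_PREMATCH_PLACEHOLDER</prematch>
</decoder>

<!-- Step 3b: /var/ossec/etc/rules/local_rules.xml (custom ids start at 100000) -->
<group name="kaspersky,ksc,">
  <rule id="100100" level="3">
    <decoded_as>kaspersky-ksc</decoded_as>
    <description>Kaspersky Security Center event received over syslog</description>
  </rule>
</group>
<!-- Paste a full_log value into /var/ossec/bin/wazuh-logtest to confirm the
     decoder and rule match before restarting the manager again. -->
```

The level-3 catch-all rule only proves the pipeline works; once events are flowing, add child decoders that extract the fields KSC sends (event type, host, detected object) and child rules with higher levels for the detections you actually want alerted on.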

Nemo191 Nm

Apr 5, 2024, 7:06:15 AM
to Wazuh | Mailing List
Hi! Thank you!

Monday, April 1, 2024 at 12:29:39 UTC+3, Selu López: