Kaspersky Security Center


The JSA DSM for Kaspersky Security Center can retrieve events directly from a database on your Kaspersky Security Center appliance or receive events from the appliance by using syslog.

The following table identifies the specifications for the Kaspersky Security Center DSM:

Table 1: Kaspersky Security Center DSM Specifications





DSM name

Kaspersky Security Center

RPM file name



JDBC: Versions 9.2-10.1

Syslog LEEF: Version 10.1 and later

Recorded event types




Automatically discovered?

No, if you use the JDBC protocol

Yes, if you use the syslog protocol

Includes identity?


Includes custom properties?


More information

Kaspersky website (

To send Kaspersky Security Center events to JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:

    • DSMCommon RPM

    • Kaspersky Security Center DSM

  2. Choose one of the following options:

    • If you use syslog, configure your Kaspersky Security Center to forward events to JSA.

    • If you use the JDBC protocol, create a database view on your Kaspersky Security Center device.

  3. Create a Kaspersky Security Center log source on the JSA Console. Configure all required parameters, and use the following tables to configure the specific values that are required for Kaspersky Security Center event collection.

    • If you use syslog, configure the following parameters:

      Table 2: Kaspersky Security Center Syslog Log Source Parameters



      Log Source type

      Kaspersky Security Center

      Protocol Configuration


    • If you use JDBC, configure the following parameters:

      Table 3: Kaspersky Security Center JDBC Log Source Parameters



      Log Source type

      Kaspersky Security Center

      Protocol Configuration


      Log Source Identifier

      Use the following format:


      Where <Server_Address> is the IP address or host name of the Kaspersky database server.

      Database Type


      Database Name


      IP or Hostname

      The IP address or host name of the SQL server that hosts the Kaspersky Security Center database.


      The default port for MSDE is 1433. You must enable and verify that you can communicate by using the port you specified in the Port field.

      The JDBC configuration port must match the listener port of the Kaspersky database. To communicate with JSA, the Kaspersky database must have incoming TCP connections enabled.

      If you define a database instance that uses MSDE as the database type, you must leave the Port parameter blank in your configuration.

      Table Name

Creating a Database View for Kaspersky Security Center

To collect audit event data, you must create a database view on your Kaspersky server that is accessible to JSA.

To create a database view, you can download the tool, which is available from Kaspersky, or use another program that allows you to create database views. The following instructions define the steps that are required to create the view by using the Kaspersky Labs tool.

  1. From the Kaspersky Labs website, download the file:

  2. Copy to your Kaspersky Security Center Administration Server.
  3. Extract to a directory.
  4. The following files are included:
    • klsql2.exe

    • src.sql

    • start.cmd

  5. In any text editor, edit the src.sql file.
  6. Clear the contents of the src.sql file.
  7. Type the following Transact-SQL statement to create the database view:

    create view as
    select e.nId,
           e.strEventType as 'EventId',
           e.wstrDescription as 'EventDesc',
           e.tmRiseTime as 'DeviceTime',
           h.nIp as 'SourceInt',
           e.wstrPar1, e.wstrPar2, e.wstrPar3, e.wstrPar4, e.wstrPar5,
           e.wstrPar6, e.wstrPar7, e.wstrPar8, e.wstrPar9
    from dbo.v_akpub_ev_event e, dbo.v_akpub_host h
    where e.strHostname = h.strName;

  8. Save the src.sql file.
  9. From the command line, navigate to the location of the klsql2 files.
  10. Type the following command to create the view on your Kaspersky Security Center appliance:

    klsql2 -i src.sql -o result.xml

    The view is created. You can now configure the log source in JSA to poll the view for Kaspersky Security Center events.


    Kaspersky Security Center database administrators should ensure that JSA is allowed to poll the database for events using TCP port 1433 or the port configured for your log source. Protocol connections are often disabled on databases by default and additional configuration steps might be required to allow connections for event polling. Any firewalls located between Kaspersky Security Center and JSA should also be configured to allow traffic for event polling.
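
One way to restrict the account that JSA uses to poll the view to read-only access on that view alone, shown as an added example that is not part of the original page or of the Kaspersky tool. The login name jsa_poll, the password placeholder, KSC_DATABASE_PLACEHOLDER and VIEW_NAME_PLACEHOLDER are assumptions, because the page does not give the database or view name.

```sql
-- Added example: least-privilege SQL Server account for JSA JDBC polling.
-- Run in sqlcmd or SSMS (GO is their batch separator).
-- Assumptions, not taken from the page:
--   jsa_poll                  hypothetical login/user name for JSA
--   KSC_DATABASE_PLACEHOLDER  the Kaspersky Security Center database
--   VIEW_NAME_PLACEHOLDER     the view created by src.sql

USE [master];
-- SQL authentication login; CHECK_POLICY applies the Windows password policy.
CREATE LOGIN [jsa_poll]
    WITH PASSWORD = 'REPLACE_WITH_GENERATED_SECRET',
         DEFAULT_DATABASE = [KSC_DATABASE_PLACEHOLDER],
         CHECK_POLICY = ON;
GO

USE [KSC_DATABASE_PLACEHOLDER];
-- Database user with no role membership beyond public.
CREATE USER [jsa_poll] FOR LOGIN [jsa_poll];

-- Grant SELECT on the view only. Because the view and the dbo.v_akpub_*
-- views it reads share the same owner, ownership chaining lets the user
-- read through the view without any grant on the underlying objects.
GRANT SELECT ON OBJECT::dbo.[VIEW_NAME_PLACEHOLDER] TO [jsa_poll];
GO

-- Check the effective permissions while impersonating the polling user.
-- HAS_PERMS_BY_NAME returns 1 when the permission is held, 0 when it is not.
EXECUTE AS USER = 'jsa_poll';
SELECT
    HAS_PERMS_BY_NAME('dbo.VIEW_NAME_PLACEHOLDER', 'OBJECT', 'SELECT') AS can_read_view,
    HAS_PERMS_BY_NAME('dbo.v_akpub_ev_event', 'OBJECT', 'SELECT')      AS can_read_events,
    HAS_PERMS_BY_NAME('dbo.v_akpub_host', 'OBJECT', 'SELECT')          AS can_read_hosts,
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE VIEW')            AS can_create_view;
REVERT;
GO
```

A value of 1 in any column other than can_read_view means the account holds more access than event polling needs, typically through grants to the public role or an inherited role membership.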

Exporting Syslog to JSA from Kaspersky Security Center

Configure Kaspersky Security Center to forward syslog events to your JSA Console or Event Collector.

Kaspersky Security Center can forward events that are registered on the Administration Server, Administration Console, and Network Agent appliances.

  1. Log in to Kaspersky Security Center.
  2. In the console tree, expand the Reports and notifications folder.
  3. Right-click Events and select Properties.
  4. In the Exporting events pane, select the Automatically export events to SIEM system database check box.
  5. In the SIEM system list, select JSA.
  6. Type the IP address and port for the JSA Console or Event Collector.
  7. To forward historical data to JSA, click Export archive to export historical data.
  8. Click OK.