Kaspersky Security Center
The JSA DSM for Kaspersky Security Center can retrieve events directly from a database on your Kaspersky Security Center appliance or receive events from the appliance by using syslog.
The following table identifies the specifications for the Kaspersky Security Center DSM:
Specification | Value
---|---
Manufacturer | Kaspersky
DSM name | Kaspersky Security Center
RPM file name | DSM-KasperskySecurityCenter-JSA_version-build_number.noarch.rpm
Protocol | JDBC: versions 9.2 to 10.1; Syslog (LEEF): version 10.1 and later
Recorded event types | Antivirus Server Audit
Automatically discovered? | No, if you use the JDBC protocol; Yes, if you use the syslog protocol
Includes identity? | Yes
Includes custom properties? | No
More information | Kaspersky website (http://www.kaspersky.com)
To send Kaspersky Security Center events to JSA, complete the following steps:
If automatic updates are not enabled, download and install the most recent version of the following RPMs from the Juniper Downloads onto your JSA console:
DSMCommon RPM
Kaspersky Security Center DSM
Choose one of the following options:
If you use syslog, configure your Kaspersky Security Center to forward events to JSA.
If you use the JDBC protocol, configure a JDBC log source to poll events from your Kaspersky Security Center database.
Create a Kaspersky Security Center log source on the JSA Console. Configure all required parameters, and use the following tables to configure the specific values that are required for Kaspersky Security Center event collection.
If you use syslog, configure the following parameters:
Table 2: Kaspersky Security Center Syslog Log Source Parameters

Parameter | Value
---|---
Log Source type | Kaspersky Security Center
Protocol Configuration | Syslog
Log Source Identifier | Type the IP address or host name of your Kaspersky Security Center appliance. It identifies the events that are collected from that appliance.
If you use JDBC, configure the following parameters:
Table 3: Kaspersky Security Center JDBC Log Source Parameters

Parameter | Value
---|---
Log Source Description (Optional) | Type a unique name for the log source.
Log Source type | Kaspersky Security Center
Protocol Configuration | JDBC
Log Source Identifier | Type a name for the log source. The name can't contain spaces and must be unique among all log sources of this type that use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or host name, use that IP address or host name as all or part of the value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source does not collect events from a single appliance with a static IP address or host name, use any unique name; for example, JDBC1, JDBC2.
Database Type | MSDE
Database Name | KAV
IP or Hostname | The IP address or host name of the SQL server that hosts the Kaspersky Security Center database.
Port | The default port for MSDE is 1433. The port you specify must match the listener port of the Kaspersky database, and the database must accept incoming TCP connections on that port; verify that JSA can reach it before you rely on polling. If you specify a Database Instance for an MSDE database, leave Port blank.
Username | Type the user name that the log source uses to access the Kaspersky Security Center database.
Password | Type the password that the log source uses to access the Kaspersky Security Center database. The password can be up to 255 characters in length.
Confirm Password | Retype the password. It must be identical to the value in the Password field.
Authentication Domain | Displayed only if Use Microsoft JDBC is not selected. The Windows domain of the MSDE server. If your network does not use a domain, leave this field blank.
Database Instance | If you have multiple SQL Server instances on the database server, type the instance name. If you use a non-standard port, or block access to port 1434 (which SQL Server uses for instance resolution), leave Database Instance blank.
Predefined Query | From the list, select Kaspersky Security Center.
Use Prepared Statements | Select the Use Prepared Statements check box. Prepared statements let the JDBC protocol source set up the SQL statement once and run it many times with different parameters; use them for both security and performance reasons. If you clear this check box, the protocol falls back to a query method that does not use pre-compiled statements.
Start Date and Time (Optional) | Type the start date and time for database polling, in the format yyyy-MM-dd HH:mm, with HH on a 24-hour clock. If you leave the start date or time blank, polling begins immediately and repeats at the polling interval.
Polling Interval | The amount of time between queries to the database view that you created. The default is 10 seconds. A numeric value without a suffix is in seconds; append M for minutes or H for hours. The maximum polling interval is 1 week in any format.
EPS Throttle | The maximum number of events per second (EPS) that this protocol is allowed to send. The default is 20000 EPS.
Use Named Pipe Communication | Displayed only if Use Microsoft JDBC is not selected. If you select it, the Username and Password fields must contain a Windows authentication user name and password, not a database user name and password, and the MSDE database must use the default named pipe.
Database Cluster Name | Displayed only if Use Named Pipe Communication is selected. If your SQL Server runs in a cluster, type the cluster name so that named pipe communication works correctly.
Use NTLMv2 | Displayed only if Use Microsoft JDBC is not selected. Forces MSDE connections to use NTLMv2 when they communicate with SQL servers that require NTLMv2 authentication. Selecting it has no effect on connections to SQL servers that do not require NTLMv2.
Use Microsoft JDBC | Select this check box if you want to use the Microsoft JDBC driver.
Use SSL | Select Use SSL if your connection supports SSL. This option requires extra configuration on the Kaspersky Security Center database and requires administrators to configure certificates on both sides of the connection.
Microsoft SQL Server Hostname | Displayed only if Use Microsoft JDBC and Use SSL are both selected. Type the host name of the Microsoft SQL Server.
Setting the Credibility parameter to a value greater than 5 gives events from your Kaspersky Security Center log source more weight than events from other log sources in JSA.
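Several of the rules in Table 3 interact: Port and Database Instance are mutually exclusive for MSDE, the polling interval has its own grammar and a 1-week cap, and the start time has a fixed format. The following Python script is an added example, not code from this page or from Juniper, that checks a candidate JDBC log source configuration against those rules before you type it into the console. The dictionary key names, the sample values, and the instance name INSTANCE2 are assumptions made for the example.

```python
import re
from datetime import datetime

MAX_INTERVAL_SECONDS = 7 * 24 * 3600  # Table 3 caps the polling interval at 1 week


def parse_polling_interval(value):
    """Return the polling interval in seconds.

    A bare number is seconds; a trailing M means minutes and H means hours,
    matching the Polling Interval rules in Table 3. Raises ValueError when the
    syntax is wrong, the value is zero, or it exceeds one week.
    """
    m = re.fullmatch(r"\s*(\d+)\s*([HhMm]?)\s*", str(value))
    if not m:
        raise ValueError(f"polling interval {value!r} must be <number>, <number>M or <number>H")
    seconds = int(m.group(1)) * {"": 1, "M": 60, "H": 3600}[m.group(2).upper()]
    if seconds == 0:
        raise ValueError("polling interval must be greater than zero")
    if seconds > MAX_INTERVAL_SECONDS:
        raise ValueError(f"polling interval {value!r} exceeds the 1 week maximum")
    return seconds


def validate_jdbc_log_source(cfg):
    """Check a candidate configuration (a dict; the key names are this example's
    own, not JSA's) and return a list of problems. An empty list means every
    Table 3 rule that can be checked offline is satisfied."""
    problems = []

    ident = cfg.get("log_source_identifier", "")
    if not ident or " " in ident:
        problems.append("Log Source Identifier must be set and must not contain spaces")

    if cfg.get("database_type") != "MSDE":
        problems.append("Database Type must be MSDE")
    if cfg.get("database_name") != "KAV":
        problems.append("Database Name must be KAV")
    if cfg.get("predefined_query") != "Kaspersky Security Center":
        problems.append("Predefined Query must be Kaspersky Security Center")

    port = str(cfg.get("port") or "").strip()
    instance = str(cfg.get("database_instance") or "").strip()
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"Port {port!r} is not a valid TCP port")
    if port and instance:
        # Table 3: with a Database Instance the Port must be blank, and with a
        # non-standard port the Database Instance must be blank.
        problems.append("Port and Database Instance are mutually exclusive for MSDE; clear one of them")

    if not cfg.get("use_prepared_statements", True):
        problems.append("Use Prepared Statements should be selected (security and performance)")

    start = cfg.get("start_date_time")
    if start:
        try:
            datetime.strptime(start, "%Y-%m-%d %H:%M")
        except ValueError:
            problems.append(f"Start Date and Time {start!r} is not in yyyy-MM-dd HH:mm format")

    try:
        parse_polling_interval(cfg.get("polling_interval", "10"))
    except ValueError as exc:
        problems.append(str(exc))

    if int(cfg.get("eps_throttle", 20000)) <= 0:
        problems.append("EPS Throttle must be a positive number of events per second")

    if cfg.get("use_microsoft_jdbc"):
        if cfg.get("use_ssl") and not cfg.get("mssql_hostname"):
            problems.append("Microsoft SQL Server Hostname is required when Use Microsoft JDBC and Use SSL are selected")
        if cfg.get("use_named_pipe") or cfg.get("use_ntlmv2") or cfg.get("authentication_domain"):
            problems.append("Authentication Domain, Use Named Pipe Communication and Use NTLMv2 apply only when Use Microsoft JDBC is not selected")
    return problems


# Constructed example configurations; every value is invented for this example.
GOOD_CONFIG = {
    "log_source_identifier": "JDBC192.168.1.1",
    "database_type": "MSDE",
    "database_name": "KAV",
    "ip_or_hostname": "192.168.1.1",
    "port": "1433",
    "predefined_query": "Kaspersky Security Center",
    "use_prepared_statements": True,
    "polling_interval": "5M",
    "eps_throttle": 20000,
}

BAD_CONFIG = dict(
    GOOD_CONFIG,
    log_source_identifier="kaspersky db",   # contains a space
    database_instance="INSTANCE2",          # assumed name; set together with Port
    polling_interval="169H",                # longer than 1 week
    start_date_time="2019-02-27 16:31:46",  # seconds are not part of the format
)

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_jdbc_log_source(cfg) or "OK")
```

Run it as a script to see the four problems in the bad configuration; the function returns them as plain strings so it can also be dropped into a change-review script.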
Creating a Database View for Kaspersky Security Center
To collect audit event data, you must create a database view on your Kaspersky server that is accessible to JSA.
To create a database view, you can download the klsql2.zip tool, which is available from Kaspersky or use another program that allows you to create database views. The instructions provided below define the steps required to create the dbo.events view using the Kaspersky Labs tool.
From the Kaspersky Labs website, download the klsql2.zip file.
Copy klsql2.zip to your Kaspersky Security Center Administration Server.
Extract klsql2.zip to a directory.
The following files are included:
klsql2.exe
src.sql
start.cmd
In any text editor, edit the src.sql file.
Clear the contents of the src.sql file.
Type the following Transact-SQL statement to create the dbo.events database view:

```sql
create view dbo.events as
select
    e.nId,
    e.strEventType    as 'EventId',
    e.wstrDescription as 'EventDesc',
    e.tmRiseTime      as 'DeviceTime',
    h.nIp             as 'SourceInt',   -- host IP address stored as an integer
    e.wstrPar1, e.wstrPar2, e.wstrPar3,
    e.wstrPar4, e.wstrPar5, e.wstrPar6,
    e.wstrPar7, e.wstrPar8, e.wstrPar9
from dbo.v_akpub_ev_event e
join dbo.v_akpub_host h on e.strHostname = h.strName;
```
Save the src.sql file.
From the command line, navigate to the location of the klsql2 files.
Type the following command to create the view on your Kaspersky Security Center appliance:
klsql2 -i src.sql -o result.xml
The dbo.events view is created. You can now configure the log source in JSA to poll the view for Kaspersky Security Center events.
Note: Kaspersky Security Center database administrators must ensure that JSA is allowed to poll the database for events on TCP port 1433, or on the port configured for your log source. Network protocol connections are often disabled on databases by default, and additional configuration steps might be required before the database accepts connections for event polling. Any firewalls between Kaspersky Security Center and JSA must also allow the polling traffic.
Exporting Syslog to JSA from Kaspersky Security Center
Configure Kaspersky Security Center to forward syslog events to your JSA Console or Event Collector.
Kaspersky Security Center can forward events that are registered on the Administration Server, Administration Console, and Network Agent appliances.
Log in to Kaspersky Security Center.
In the console tree, expand the Reports and notifications folder.
Right-click Events and select Properties.
In the Exporting events pane, select the Automatically export events to SIEM system database check box.
In the SIEM system list, select JSA.
Type the IP address and port for the JSA Console or Event Collector.
Optional: To forward historical data to JSA, click Export archive to export historical data.
Click OK.
Kaspersky Security Center Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Because of formatting, paste the message into a text editor and remove any carriage return or line feed characters before you use it.
Kaspersky Security Center sample message when you use the Syslog protocol
This sample event message shows that an EULA violation occurred because no license key was found.
nId: "71339141" EventId: "FSEE_AKPLUGIN_LICENSE_ERROR" EventDesc: "End User License Agreement has been violated. Reason: key file not found. Application functionality: unavailable" DeviceTime: "2019-02-27 16:31:46.0" SourceInt: "3232235847" wstrDisplayName: "KASPERSKYTST" wstrTaskDisplayName: "null" wstrPar1: "1" wstrPar2: "null" wstrPar3: "null" wstrPar4: "null" wstrPar5: "null" wstrPar6: "null" wstrPar7: "null" wstrPar8: "null" wstrPar9: "null"
JSA field name | Payload field name
---|---
Event ID | EventId
Device Time | DeviceTime
Source IP | SourceInt (the value of this field is the integer representation of an IPv4 address)
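To check the mapping in the table above against a real payload, the following Python script parses the sample message, turns SourceInt back into a dotted IPv4 address, and reads DeviceTime as a timestamp. It is an added example, not code from this page or from JSA. It assumes that SourceInt is the address in network byte order, which is what turns the sample's 3232235847 into 192.168.1.71; the sample also carries two fields (wstrDisplayName and wstrTaskDisplayName) that the dbo.events view above does not select, and the parser handles those generically.

```python
import re
import ipaddress
from datetime import datetime

# The sample syslog payload from this page, as a single line.
SAMPLE_EVENT = (
    'nId: "71339141" EventId: "FSEE_AKPLUGIN_LICENSE_ERROR" '
    'EventDesc: "End User License Agreement has been violated. Reason: key file not found. '
    'Application functionality: unavailable" DeviceTime: "2019-02-27 16:31:46.0" '
    'SourceInt: "3232235847" wstrDisplayName: "KASPERSKYTST" wstrTaskDisplayName: "null" '
    'wstrPar1: "1" wstrPar2: "null" wstrPar3: "null" wstrPar4: "null" wstrPar5: "null" '
    'wstrPar6: "null" wstrPar7: "null" wstrPar8: "null" wstrPar9: "null"'
)

# Each field has the form  name: "value".  The regex requires the opening quote
# right after the colon, so a colon inside a quoted value ("Reason: key file
# not found") is not mistaken for a field separator.
FIELD_RE = re.compile(r'(\w+): "([^"]*)"')


def parse_ksc_event(payload):
    """Split a Kaspersky Security Center payload into a dict of fields.

    Line breaks introduced by copy and paste are collapsed first (see the note
    about carriage returns above), and the literal string "null" becomes None.
    """
    flat = " ".join(payload.split())
    fields = {name: (None if value == "null" else value)
              for name, value in FIELD_RE.findall(flat)}
    if "EventId" not in fields or "DeviceTime" not in fields:
        raise ValueError("payload is missing EventId or DeviceTime; not a Kaspersky Security Center event")
    return fields


def source_int_to_ipv4(value):
    """Convert SourceInt (h.nIp from the database view) to dotted-quad form.

    Assumption for this example: the integer is the IPv4 address in network
    byte order. Values outside 0..2^32-1 cannot be addresses and are rejected.
    """
    n = int(value)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"SourceInt {value!r} is outside the IPv4 range")
    return str(ipaddress.IPv4Address(n))


def parse_device_time(value):
    """DeviceTime arrives as yyyy-MM-dd HH:mm:ss.f; the trailing .0 is a
    fractional second written by the database."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def normalize_ksc_event(payload):
    """Map the raw fields onto the JSA field names from the table above, plus
    the remaining columns of the dbo.events view that are useful for triage."""
    f = parse_ksc_event(payload)
    return {
        "Event ID": f["EventId"],
        "Device Time": parse_device_time(f["DeviceTime"]),
        "Source IP": source_int_to_ipv4(f["SourceInt"]) if f.get("SourceInt") else None,
        "Description": f.get("EventDesc"),
        "Host": f.get("wstrDisplayName"),
        "Parameters": [f.get(f"wstrPar{i}") for i in range(1, 10)],
    }


if __name__ == "__main__":
    for key, value in normalize_ksc_event(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

If the address that comes out of source_int_to_ipv4 for your own events is reversed (for example 71.1.168.192 where you expect 192.168.1.71), the database stores nIp in the opposite byte order and the conversion needs a byte swap; the sample on this page decodes cleanly under the network-order assumption.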