Configuring a SIEM system

The process of exporting events from Kaspersky Security Center to external SIEM systems involves two parties: an event sender (Kaspersky Security Center) and an event receiver (the SIEM system). You must set up event export on both sides: in your SIEM system and in Kaspersky Security Center.

The settings you specify in the SIEM system depend on the system you use. Generally, for all SIEM systems you must set up a receiver and, optionally, a message parser to parse received events.

Setting up the receiver

In order to receive events sent by Kaspersky Security Center, set up the receiver in your SIEM system. In general, the following settings must be specified in the SIEM system:

Depending on the SIEM system used, you may have to specify some additional receiver settings.

The following figure shows the receiver setup screen in ArcSight.

[Figure: receiver setup screen in ArcSight]

Message parsers

Exported events are passed to SIEM systems as messages. These messages must be properly parsed so that information on the events can be used by the SIEM system. Message parsers are a part of the SIEM system; they split the contents of a message into the relevant fields, such as event ID, severity, description, parameters, and so on. This enables the SIEM system to process events received from Kaspersky Security Center so that they can be stored in the SIEM system database.

Each SIEM system has a set of standard message parsers. Kaspersky Lab also provides message parsers for some SIEM systems, for example, for QRadar and ArcSight. You can download these message parsers from the websites of the corresponding SIEM systems. When configuring the receiver, you can select to use one of the standard message parsers or a message parser from Kaspersky Lab.
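The following is an added example, not code from Kaspersky Lab or from any SIEM vendor, that puts the two pieces described above (the receiver and the message parser) into one small script. It assumes the events arrive as syslog lines carrying a CEF record, which is a common export format for SIEM integrations; the page itself does not name the format, so that choice, the vendor/product strings, the event ID `EVT_SAMPLE_001` and the whole sample message are constructed for illustration. The parser splits the message into the fields the text lists (event ID, severity, description, parameters), handles the `\|`, `\=` and `\\` escapes that a CEF message may contain, and maps the numeric severity to the Low/Medium/High/Very-High bands defined by the CEF specification.

```python
"""
Added example: a minimal TCP receiver plus a CEF message parser.
Not Kaspersky code; the sample event and all identifiers are constructed.
"""
import re
import socket
from typing import Iterator

# Constructed sample line (syslog header + CEF record); not a real export message.
SAMPLE_MESSAGE = (
    "<14>Mar 10 12:00:00 ksc-host "
    "CEF:0|ExampleVendor|ExampleProduct|1.0|EVT_SAMPLE_001|"
    "Sample detection event|7|"
    "msg=Detected object on host\\=WS-001 dhost=WS-001 act=Quarantined"
)

# The seven pipe-delimited CEF header fields, in order.
_HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                  "event_id", "description", "severity")
# A key starts the line or follows whitespace and is immediately followed by '='.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(cef: str):
    """Split the seven header fields, honouring '\\|' and '\\\\' escapes.
    Returns (fields, remaining extension text)."""
    fields, current, i = [], [], 0
    while i < len(cef) and len(fields) < len(_HEADER_FIELDS):
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # escaped character: keep it literally
            current.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < len(_HEADER_FIELDS):
        raise ValueError("CEF header has fewer than seven fields")
    return fields, cef[i:]


def _unescape(value: str) -> str:
    """Undo extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' and '\\r'."""
    specials = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: specials.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> dict:
    """Split 'key=value key2=value2'; values may contain spaces, '=' is escaped."""
    matches = list(_KEY_RE.finditer(ext))
    params = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        params[m.group(1)] = _unescape(ext[m.end():end]).strip()
    return params


def severity_label(severity: int) -> str:
    """Map CEF severity 0..10 to the bands the CEF specification defines."""
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be in 0..10")
    if severity <= 3:
        return "Low"
    if severity <= 6:
        return "Medium"
    if severity <= 8:
        return "High"
    return "Very-High"


def parse_message(line: str) -> dict:
    """Parse one received message into the fields a SIEM would store."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in message")
    fields, ext = _split_header(line[start + len("CEF:"):])
    event = dict(zip(_HEADER_FIELDS, fields))
    event["severity"] = int(event["severity"])
    event["severity_label"] = severity_label(event["severity"])
    event["parameters"] = _parse_extension(ext)
    return event


def receive_lines(host: str = "127.0.0.1", port: int = 1514) -> Iterator[str]:
    """Minimal TCP receiver: yields one newline-terminated message at a time.
    Host and port are assumptions; set them to match the sender's export settings."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("r", encoding="utf-8", errors="replace") as f:
                for line in f:
                    yield line.rstrip("\r\n")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; to listen instead, iterate
    # over receive_lines() and pass each line to parse_message().
    print(parse_message(SAMPLE_MESSAGE))
```

The header is split character by character rather than with `str.split("|")` because a product name or description may legitimately contain an escaped pipe, and the extension is split on key positions rather than on spaces because free-text values such as `msg` contain spaces. A parser that ignored either point would silently misfile fields, which is exactly the failure the text warns about when events are not "properly parsed".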
