Contents
- Publishing program events to a SIEM system
- Extracting the settings from Kaspersky Secure Mail Gateway to an XML file
- Enabling export of events in CEF format
- Content and properties of syslog messages in CEF format
- Values of fields in the body of CEF messages for classes of Settings group events
- Values of fields in the body of CEF messages for classes of Tasks group events
- Values of fields in the body of CEF messages for classes of Import / Export Settings group events
- Values of fields in the body of CEF messages for classes of Backup group events
- Values of fields in the body of CEF messages for classes of Report group events
- Values of fields in the body of CEF messages for classes of License group events
- Values of fields in the body of CEF messages for classes of Rules group events
- Values of fields in the body of CEF messages for classes of Auth group events
- Values of fields in the body of CEF messages for classes of Quarantine group events
- Values of fields in the body of CEF messages for classes of Update group events
- Values of fields in the body of CEF messages for classes of ScanLogic group events
- Values of fields in the body of CEF messages for classes of Appliance group events
- Disabling export of events in CEF format
- Applying new values to settings of Kaspersky Secure Mail Gateway
Publishing program events to a SIEM system
Kaspersky Secure Mail Gateway can publish program events to a SIEM system that is already in use in your organization over the Syslog protocol.
A SIEM system (Security Information and Event Management) is a solution for managing information and events within an organization's security system.
Information about each program event is relayed as a separate syslog message in CEF format (hereinafter also referred to as a CEF message).
A CEF message containing event information is relayed immediately after the event occurs. Exceptions to this rule are classes of ScanLogic group events; CEF messages of these classes are relayed after email messages are processed by the ScanLogic module.
By default, export of CEF messages in the program is disabled.
Extracting the settings from Kaspersky Secure Mail Gateway to an XML file
To extract the settings from Kaspersky Secure Mail Gateway to an XML file, run the following command:
```
# sudo /opt/kaspersky/klms/bin/klms-control \
--get-settings EventLogger -n [-f|--file <file-name>]
```
After the command is executed, the CEF message export settings will be extracted to the XML file. The `-f|--file <file-name>` parameter specifies the XML file containing these settings.
Enabling export of events in CEF format
Before enabling export of events in CEF format, it is recommended to specify a category (facility) for syslog that is not used by other programs on the server.
To enable export of events in CEF format:
- Open the XML file containing the extracted settings of the klms-control utility.
- If you want to select the syslog category (facility) to which the events will be exported, in the opened file, in the `<siemSettings>` section, specify one of the following values of the `<facility>` parameter: Auth, Authpriv, Cron, Daemon, Ftp, Lpr, Mail, News, Syslog, User, Uucp, Local0, Local1, Local2, Local3, Local4, Local5, Local6, Local7. By default, the value is set to Mail.
  Example:
  ```xml
  <siemSettings>
    <enabled>0</enabled>
    <facility>Local0</facility>
  ```
- In the opened file, in the `<siemSettings>` section, set the value of the `<enabled>` parameter to 1.
  Example:
  ```xml
  <siemSettings>
    <enabled>1</enabled>
  ```
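The edit step above (and the matching disable step later on the page) can be scripted so that the facility is validated against the permitted list before the file is handed back to klms-control. The following Python script is an added example and not part of Kaspersky Secure Mail Gateway or its documentation; it assumes the extracted file contains a `<siemSettings>` element with `<enabled>` and `<facility>` children as the page shows, while the root element name and the rest of the sample file are constructed placeholders.

```python
"""Set the CEF export switch and syslog facility in an extracted klms-control
EventLogger settings file.

Added example, not Kaspersky code. Assumed workflow (commands from the page):
  sudo /opt/kaspersky/klms/bin/klms-control --get-settings EventLogger -n -f settings.xml
  python3 this_script.py settings.xml on Local0     # edit <siemSettings>
  sudo /opt/kaspersky/klms/bin/klms-control --set-settings EventLogger -n -f settings.xml
Only <siemSettings>, <enabled> and <facility> come from the page; the root
element name and any other content of the extracted file are placeholders.
"""
import sys
import xml.etree.ElementTree as ET

# Facility values the page lists as permissible for <facility>.
ALLOWED_FACILITIES = (
    "Auth", "Authpriv", "Cron", "Daemon", "Ftp", "Lpr", "Mail", "News",
    "Syslog", "User", "Uucp", "Local0", "Local1", "Local2", "Local3",
    "Local4", "Local5", "Local6", "Local7",
)

# Constructed stand-in for an extracted settings file (root name is a placeholder).
SAMPLE_SETTINGS_XML = """<eventLoggerSettings>
  <siemSettings>
    <enabled>0</enabled>
    <facility>Mail</facility>
  </siemSettings>
</eventLoggerSettings>
"""


def is_valid_facility(name):
    """True only for the exact spellings the page lists (the check is case-sensitive)."""
    return name in ALLOWED_FACILITIES


def _siem_section(root):
    """Locate <siemSettings>; refuse to edit a file that does not contain it."""
    section = root if root.tag == "siemSettings" else root.find(".//siemSettings")
    if section is None:
        raise ValueError("no <siemSettings> section in settings file")
    return section


def _set_child_text(parent, tag, text):
    """Set <tag>text</tag> under parent, creating the element if it is missing."""
    child = parent.find(tag)
    if child is None:
        child = ET.SubElement(parent, tag)
    child.text = text


def configure_siem_export(xml_text, enabled, facility=None):
    """Return the settings XML with <enabled> set to 1/0 and, optionally, a new <facility>."""
    if facility is not None and not is_valid_facility(facility):
        raise ValueError(f"facility {facility!r} is not one of the permitted values")
    root = ET.fromstring(xml_text)
    section = _siem_section(root)
    _set_child_text(section, "enabled", "1" if enabled else "0")
    if facility is not None:
        _set_child_text(section, "facility", facility)
    return ET.tostring(root, encoding="unicode")


def read_siem_settings(xml_text):
    """Return the current export state: {'enabled': bool, 'facility': str}."""
    section = _siem_section(ET.fromstring(xml_text))
    enabled = section.findtext("enabled", default="0").strip() == "1"
    # The page states Mail is the default facility; assume that when the element is absent.
    facility = section.findtext("facility", default="Mail").strip()
    return {"enabled": enabled, "facility": facility}


if __name__ == "__main__":
    # Usage: python3 this_script.py settings.xml [on|off] [Facility]
    path = sys.argv[1]
    turn_on = len(sys.argv) < 3 or sys.argv[2] == "on"
    facility = sys.argv[3] if len(sys.argv) > 3 else None
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = configure_siem_export(original, turn_on, facility)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    print(read_siem_settings(updated))
```

The facility check is deliberately case-sensitive, because the page lists the values with a leading capital and gives no indication that other spellings are accepted; rejecting an unknown value before the file is applied is cheaper than diagnosing a silently ignored setting afterwards.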
Content and properties of syslog messages in CEF format
Information about each detected event is relayed as a separate syslog message in CEF format with UTF-8 encoding.
A message in CEF format consists of a header and a message body. The message header contains the CEF format version and general information about the event, including the vendor, name and version of the program, the name, importance and class of the detected event, and the time when the event was detected. The message body consists of a sequence of `<key>=<value>` pairs.
The maximum size of a syslog message about a detected event depends on the values of the syslog settings on the server on which Kaspersky Secure Mail Gateway is installed. You can configure forwarding of syslog messages to only one external syslog server at a time.
Values of fields in the body of CEF messages for classes of Settings group events
In the body of CEF messages for classes of Settings group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of the fields for classes of Settings group events
| Key | Value |
|---|---|
| cn1 | Task number (from klms-control). |
| cn1Label | Its value is always |
| cs1 | Task name (from klms-control). |
| cs1Label | Its value is always |
| duser | The user whose settings were changed. |
| suser | The user who changed the settings. |
| act | Action performed on the settings. Permissible values: |
Each class of Settings group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of Settings group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_SETTINGS_CHANGED | cn1, cn1Label, cs1, cs1Label, act |
| LMS_EV_ALL_SETTINGS_CHANGED | suser |
| LMS_EV_PERSONAL_SETTINGS_CHANGED | suser, duser |
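Both the header/body structure described in "Content and properties of syslog messages in CEF format" and the relevant-keys table above are things a SIEM parser has to get right: the header is pipe-delimited with `\|` escapes, the body is a run of key=value pairs whose values may contain spaces and `\=` escapes, and each event class carries only its own keys. The following Python parser is an added example, not code from Kaspersky or its documentation. The sample syslog lines in it are constructed: the syslog prefix, the vendor, product, version, name and severity header fields, and the label and value strings are placeholders, because the page does not show the real ones; only the event class names and key names come from the page, and the assumption that the event class travels in the CEF Signature ID header field is mine.

```python
"""Parse CEF-format syslog messages and check the extension keys of Settings
group events against the relevant-keys table above.

Added example, not Kaspersky code. The sample lines below are constructed:
the syslog prefix, header fields (vendor, product, version, name, severity)
and the label/value strings are placeholders, since the page does not show
the real ones. Only the event class names and key names come from the page.
The event class is assumed to travel in the CEF Signature ID header field.
"""
import re

# From the "Relevant keys for classes of Settings group events" table.
SETTINGS_RELEVANT_KEYS = {
    "LMS_EV_SETTINGS_CHANGED": {"cn1", "cn1Label", "cs1", "cs1Label", "act"},
    "LMS_EV_ALL_SETTINGS_CHANGED": {"suser"},
    "LMS_EV_PERSONAL_SETTINGS_CHANGED": {"suser", "duser"},
}

HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity")

# Constructed sample messages: "<PRI>" prefix with facility Mail (2*8+6 = 22),
# then the CEF payload. Note the escaped "\=" and "\|" inside values.
SAMPLE_LINES = [
    "<22>Jan  5 10:15:01 mailgw klms: CEF:0|ExampleVendor|ExampleGateway|1.0|"
    "LMS_EV_SETTINGS_CHANGED|Settings changed|3|"
    "cn1=42 cn1Label=TaskNumber cs1=Anti\\=Spam scan cs1Label=TaskName act=update",
    "<22>Jan  5 10:15:02 mailgw klms: CEF:0|ExampleVendor|ExampleGateway|1.0|"
    "LMS_EV_PERSONAL_SETTINGS_CHANGED|Personal settings changed (admin\\|web)|2|"
    "suser=admin duser=j.doe@example.com cs1=extra",
    "<22>Jan  5 10:15:03 mailgw klms: CEF:0|ExampleVendor|ExampleGateway|1.0|"
    "LMS_EV_ALL_SETTINGS_CHANGED|All settings changed|2|rt=Jan 05 2024 10:15:03",
]

# A key starts at the beginning of the extension or after whitespace; an "="
# preceded by a backslash therefore never starts a new key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")


def _unescape(value):
    """Undo CEF extension escaping: backslash-equals, double backslash, \\n, \\r."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in "=\\":
                out.append(nxt); i += 2; continue
            if nxt in "nr":
                out.append("\n" if nxt == "n" else "\r"); i += 2; continue
        out.append(value[i]); i += 1
    return "".join(out)


def _split_header(payload):
    """Split the seven header fields; a literal pipe inside a field is escaped as backslash-pipe."""
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < len(HEADER_FIELDS):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload) and payload[i + 1] in "|\\":
            cur.append(payload[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("incomplete CEF header")
    return fields, payload[i:]


def parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict, unescaping each value."""
    matches = list(_KEY_RE.finditer(ext))
    fields = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def syslog_facility(line):
    """Facility number from the syslog <PRI> prefix (PRI = facility*8 + severity)."""
    m = re.match(r"<(\d+)>", line)
    return int(m.group(1)) >> 3 if m else None


def parse_cef(line):
    """Parse one syslog line carrying a CEF payload into header and extension dicts."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = _split_header(line[start:])
    header = dict(zip(HEADER_FIELDS, fields))
    header["version"] = header["version"][len("CEF:"):]
    return {"facility": syslog_facility(line), "header": header,
            "extension": parse_extension(ext)}


def check_relevant_keys(event, table=SETTINGS_RELEVANT_KEYS):
    """Compare the keys present with the keys the table lists for the event class."""
    event_class = event["header"]["signature_id"]
    if event_class not in table:
        return None  # class not covered by this table
    present, expected = set(event["extension"]), table[event_class]
    return {"missing": sorted(expected - present),
            "unexpected": sorted(present - expected)}


def audit(lines):
    """Map event class -> key check for every CEF line in the input."""
    result = {}
    for line in lines:
        event = parse_cef(line)
        result[event["header"]["signature_id"]] = check_relevant_keys(event)
    return result


if __name__ == "__main__":
    for event_class, outcome in audit(SAMPLE_LINES).items():
        print(event_class, outcome)
```

The same `check_relevant_keys` function works for the other groups on this page by passing the corresponding relevant-keys table as `table`; a class reported with missing or unexpected keys is the first place to look when a SIEM parser built from these tables starts dropping fields.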
Values of fields in the body of CEF messages for classes of Tasks group events
In the body of CEF messages for classes of Tasks group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of the fields for classes of Tasks group events
| Key | Value |
|---|---|
| deviceProcessName | Task name (from klms-control). |
| cnt | The number of failures during the past 5 minutes. |
| reason | Description of the error. |
| outcome | Description of the result. |
| cs1 | Program operating mode ( |
| cs1Label | Its value is always |
Each class of Tasks group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of Tasks group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_PROCESS_CRASHED | deviceProcessName, cnt |
| LMS_EV_RESTARTED | deviceProcessName, cnt |
| LMS_EV_PRODUCT_STARTED | cs1, cs1Label |
Values of fields in the body of CEF messages for classes of Import / Export Settings group events
In the body of CEF messages for classes of Import / Export Settings group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of the fields for classes of Import / Export Settings group events
| Key | Value |
|---|---|
| cs1 | List of categories of imported settings. |
| cs1Label | Its value is always |
| reason | Description of the error. |
| outcome | Result of import / export. |
Each class of Import / Export Settings group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of Import / Export Settings group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_EXPORT_SETTINGS | outcome, reason |
| LMS_EV_IMPORT_SETTINGS | outcome, reason, cs1, cs1Label |
Values of fields in the body of CEF messages for classes of Backup group events
In the body of CEF messages for classes of Backup group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of fields for classes of Backup group events
| Key | Value |
|---|---|
| cn1 | Message size. |
| cn1Label | Its value is always |
| cn2 | Maximum size of Backup. |
| cn2Label | Its value is always |
| cn3 | Number of messages in Backup. |
| cn3Label | Its value is always |
| cs1 | ID of the message in Backup. |
| cs1Label | Its value is always |
| cnt | Number of errors during the past 10 minutes. |
| act | Action to perform on the message in Backup (deliver / delete). |
| suser | The user who performed the action on the message in Backup. |
| cs2 | Anti-Virus scan status. |
| cs2Label | Its value is always |
| cs3 | Status of Anti-Spam protection. |
| cs3Label | Its value is always |
| cs4 | Status of Anti-Phishing protection. |
| cs4Label | Its value is always |
| cs5 | Name of the malicious object. |
| cs5Label | Its value is always |
| cs6 | Status of content filtering. |
| cs6Label | Its value is always |
| duser | List of message recipients. |
| reason | Description of the error. |
| outcome | Result of Backup Digest event: |
Each class of Backup group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of Backup group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_BACKUP_ADD_ERROR | cs1, cs1Label, cnt |
| LMS_EV_BACKUP_ROTATE_ERROR | reason, cnt |
| LMS_EV_BACKUP_ALMOST_FULL | cn1, cn1Label, cn2, cn2Label, cn3Label |
| LMS_EV_BACKUP_MESSAGE_RESTORE | cs1, cs1Label, act, suser, cs2, cs2Label, cs3Label, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, duser |
Values of fields in the body of CEF messages for classes of Report group events
In the body of CEF messages for classes of Report group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of the fields for classes of Report group events
| Key | Value |
|---|---|
| cs1 | Report type. |
| cs1Label | Its value is always |
| cs2 | Period. |
| cs2Label | Its value is always |
| fname | Report file name. |
Each class of Report group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of Report group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_REPORT_CREATING_ERROR | cs1, cs1Label, cs2, cs2Label |
| LMS_EV_REPORT_CREATED | cs2, cs2Label, fname |
Values of fields in the body of CEF messages for classes of License group events
In the body of CEF messages for classes of License group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of the fields for classes of License group events
| Key | Value |
|---|---|
| cs1 | License serial number. |
| cs1Label | Its value is always |
| cs2 | Modes of Kaspersky Secure Mail Gateway operation under license. |
| cs2Label | Its value is always |
| cs3 | License type. |
| cs3Label | Its value is always |
| cn1 | Number of days until license expiration. |
| cn1Label | Its value is always |
| reason | Description of the error. |
| deviceCustomDate1 | License expiration date. |
| deviceCustomDate1Label | Its value is always |
Each class of License group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of License group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_LICENSE_OK | cs1, cs1Label, cs2, cs2Label |
| LMS_EV_LICENSE_INVALID | cs1, cs1Label, reason |
| LMS_EV_NO_LICENSE | No value |
| LMS_EV_LICENSE_BLACKLISTED | cs1, cs1Label |
| LMS_EV_LICENSE_TRIAL_EXPIRED | cs1, cs1Label, deviceCustomDate1, deviceCustomDate1Label |
| LMS_EV_LICENSE_EXPIRED | cs1, cs1Label, deviceCustomDate1, deviceCustomDate1Label |
| LMS_EV_LICENSE_ERROR | reason |
| LMS_EV_LICENSE_INSTALLED | cs1, cs1Label, cs2, cs2Label, cs3, cs3Label |
| LMS_EV_LICENSE_UPDATED | cs1, cs1Label, cs2, cs2Label, cs3, cs3Label, deviceCustomDate1, deviceCustomDate1Label |
| LMS_EV_GRACE_PERIOD | cs1, cs1Label, cn1, cn1Label |
| LMS_EV_LICENSE_REVOKED | cs1, cs1Label |
| LMS_EV_LICENSE_EXPIRES_SOON | cs1, cs1Label, cn1, cn1Label |
Values of fields in the body of CEF messages for classes of Rules group events
In the body of CEF messages for classes of Rules group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of the fields for classes of Rules group events
| Key | Value |
|---|---|
| cs1 | Rule name. |
| cs1Label | Its value is always |
| cn1 | Rule ID. |
| cn1Label | Its value is always |
| act | Action on the rule ( |
Each class of Rules group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of Rules group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_RULE_CHANGED | cs1, cs1Label, cn1, cn1Label, act |
| LMS_EV_ALL_RULES_IMPORTED | No value |
Values of fields in the body of CEF messages for classes of Auth group events
In the body of CEF messages for classes of Auth group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of the fields for classes of Auth group events
| Key | Value |
|---|---|
| cs1 | Integration type (LDAP). |
| cs1Label | Its value is always |
| cn1 | Number of seconds the server was unavailable. |
| cn1Label | Its value is always |
| reason | Description of the error. |
| start | Start of the period of LDAP server unavailability. |
| end | End of the period of LDAP server unavailability. |
| rt | Time of the first event. |
| deviceServiceName | Service name. |
Each class of Auth group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of Auth group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_EXT_DIR_REPORT_FOR_PERIOD | rt, cs1, cs1Label, deviceServiceName, start, end |
| LMS_EV_EXT_DIR_SERVICE_ERROR | cs1, cs1Label, deviceServiceName, reason, cn1, cn1Label |
| LMS_EV_EXT_DIR_SERVICE_UP | No value |
| LMS_EV_EXT_DIR_SERVICE_DISABLED | No value |
Values of fields in the body of CEF messages for classes of Quarantine group events
In the body of CEF messages for classes of Quarantine group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of the fields for classes of Quarantine group events
| Key | Value |
|---|---|
| cs1 | Message ID. |
| cs1Label | Its value is always |
| cs2 | List of rules separated with commas. |
| cs2Label | Its value is always |
| cs3 | Account under which the action was performed on the message. |
| cs3Label | Its value is always |
| src | IP address from which the message was received. |
| duser | List of message recipients. |
| suser | Mail sender. |
| act | Action performed on the message ( |
Each class of Quarantine group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of Quarantine group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_ASP_QUARANTINE | cs1, cs1Label, src, suser, cs3, cs3Label, act |
| LMS_EV_KATA_QUARANTINE | cs1, cs1Label, cs2, cs2Label, suser, duser, act, cs3, cs3Label |
Values of fields in the body of CEF messages for classes of Update group events
In the body of CEF messages for classes of Update group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of the fields for classes of Update group events
| Key | Value |
|---|---|
| reason | Reason for the event. |
| cn1 | Number of days. |
| cn1Label | Its value is always |
| cn2 | Number of hours. |
| cn2Label | Its value is always |
| cnt | Number of records in databases. |
| deviceCustomDate1 | Database publication date. |
| deviceCustomDate1Label | Its value is always |
| deviceCustomDate2 | Index publication date. |
| deviceCustomDate2Label | Its value is always |
Each class of Update group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of Update group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_ANTIVIRUS_BASES_UPDATED | reason |
| LMS_EV_ANTISPAM_BASES_UPDATED | No value |
| LMS_EV_BASES_NOTHING_TO_UPDATE | No value |
| LMS_EV_ANTIVIRUS_BASES_UP_TO_DATE | No value |
| LMS_EV_ANTIPHISHING_BASES_UP_TO_DATE | No value |
| LMS_EV_ANTISPAM_BASES_UP_TO_DATE | No value |
| LMS_EV_ANTIVIRUS_BASES_OUT_OF_DATE | cn1, cn1Label |
| LMS_EV_ANTIPHISHING_BASES_OUT_OF_DATE | cn1, cn1Label |
| LMS_EV_ANTISPAM_BASES_OUT_OF_DATE | cn2, cn2Label |
| LMS_EV_ANTIVIRUS_BASES_OBSOLETED | cn1, cn1Label |
| LMS_EV_ANTIPHISHING_BASES_OBSOLETED | cn1, cn1Label |
| LMS_EV_ANTISPAM_BASES_OBSOLETED | cn1, cn1Label |
| LMS_EV_ANTIVIRUS_BASES_APPLIED | deviceCustomDate2, deviceCustomDate2Label, cnt, deviceCustomDate1, deviceCustomDate1Label |
| LMS_EV_ANTISPAM_BASES_APPLIED | deviceCustomDate1, deviceCustomDate1Label |
| LMS_EV_ANTIPHISHING_BASES_APPLIED | deviceCustomDate1, deviceCustomDate1Label |
| LMS_EV_ANTIVIRUS_BASES_ERROR | reason |
| LMS_EV_ANTISPAM_BASES_ERROR | reason |
| LMS_EV_ANTIPHISHING_BASES_ERROR | reason |
Values of fields in the body of CEF messages for classes of ScanLogic group events
In the body of CEF messages for classes of ScanLogic group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of the fields for classes of ScanLogic group events
| Event class | Key | Value |
|---|---|---|
| All ScanLogic group classes | cs1 | Message ID. |
| All ScanLogic group classes | cs1Label | Its value is always |
| All ScanLogic group classes | src | IP address of the server from which the message was received. |
| All ScanLogic group classes | act | Action. |
| All ScanLogic group classes | fsize | Message size. |
| All ScanLogic group classes | suser | Mail sender. |
| All ScanLogic group classes | duser | List of message recipients. |
| All ScanLogic group classes | reason | Reason for the event. |
| All ScanLogic group classes | cs2 | List of rules. |
| All ScanLogic group classes | cs2Label | Its value is always |
| All ScanLogic group classes | outcome | Scan status. |
| All ScanLogic group classes | cs3 | List of recipients of the detected message (from the Skip action). |
| All ScanLogic group classes | cs3Label | Its value is always |
| All ScanLogic group classes | fname | File name. |
| LMS_EV_SCAN_LOGIC_AS_STATUS, LMS_EV_SCAN_LOGIC_AP_STATUS | cs4 | Detection method. |
| LMS_EV_SCAN_LOGIC_AS_STATUS, LMS_EV_SCAN_LOGIC_AP_STATUS | cs4Label | Its value is always |
| LMS_EV_SCAN_LOGIC_MA_STATUS | cs4 | SPF verdict. |
| LMS_EV_SCAN_LOGIC_MA_STATUS | cs4Label | Its value is always |
| LMS_EV_SCAN_LOGIC_MA_STATUS | cs5 | DKIM verdict. |
| LMS_EV_SCAN_LOGIC_MA_STATUS | cs5Label | Its value is always |
| LMS_EV_SCAN_LOGIC_MA_STATUS | cs6 | DMARC verdict. |
| LMS_EV_SCAN_LOGIC_MA_STATUS | cs6Label | Its value is always |
| LMS_EV_SCAN_LOGIC_KT_STATUS | suser | Name of the user account that extracted the message from KATA Quarantine. |
| LMS_EV_SCAN_LOGIC_KT_STATUS | cs4 | Reason for skipping the scan. |
| LMS_EV_SCAN_LOGIC_KT_STATUS | cs4Label | Its value is always |
| LMS_EV_SCAN_LOGIC_CF_STATUS | cs4 | |
| LMS_EV_SCAN_LOGIC_CF_STATUS | cs4Label | Its value is always |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cn1 | Number of objects. |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cn1Label | Its value is always |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs2 | List of rules. |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs2Label | Its value is always |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs3 | Unscanned files. |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs3Label | Its value is always |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs4 | Names of threats. |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs4Label | Its value is always |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs5 | Name of the blocked file. |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs5Label | Its value is always |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs6 | Format of the blocked file. |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs6Label | Its value is always |
Each class of ScanLogic group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of ScanLogic group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_SCAN_LOGIC_ALL_NOT_PROCESSED | cs1, cs1Label, src, act, fsize, suser, duser |
| LMS_EV_SCAN_LOGIC_AS_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label |
| LMS_EV_SCAN_LOGIC_AV_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, outcome |
| LMS_EV_SCAN_LOGIC_AP_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome |
| LMS_EV_SCAN_LOGIC_KT_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, suser, outcome |
| LMS_EV_SCAN_LOGIC_MA_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, outcome |
| LMS_EV_SCAN_LOGIC_CF_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs1, cs1Label, cn1, cn1Label, fname, act, cn2, cn2Label, reason, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, outcome |
| LMS_EV_SCAN_LOGIC_MESSAGE_BACKUP | cs1, cs1Label, src, act, fsize, suser, duser, reason, cs2, cs2Label |
Values of fields in the body of CEF messages for classes of Appliance group events
In the body of CEF messages for classes of Appliance group events, you can use keys in accordance with their semantics (see the table below).
Permissible values of fields for classes of Appliance group events
| Key | Value |
|---|---|
| cs1 | Name of the queue. |
| cs1Label | Its value is always |
| cs2 | Status of the incoming message queue. |
| cs2Label | Its value is always |
| cs3 | Status of the outgoing message queue. |
| cs3Label | Its value is always |
| cs4 | User name. |
| cs4Label | Its value is always |
| cs5 | List of changed values. |
| cs5Label | Its value is always |
| cn1 | Message ID. |
| cn1Label | Its value is always |
| cn2 | Size of the queue. |
| cn2Label | Its value is always |
| rt | Time of message receipt. |
| suser | Mail sender. |
| duser | List of message recipients. |
| outcome | Result of the action. |
| reason | Description of the error. |
| fname | Name of the new file. |
| oldFileName | Name of the old file. |
Each class of Appliance group events can contain only keys that are relevant to it (see the table below).
Relevant keys for classes of Appliance group events
| Event class | Relevant keys |
|---|---|
| LMS_EV_MTA_MESSAGE_FLUSH | cn1, cn1Label, cs1, cs1Label, cn2, cn2Label, rt, suser, duser, outcome, reason |
| LMS_EV_MTA_MESSAGE_DELETE | cn1, cn1Label, cs1, cs1Label, cn2, cn2Label, rt, suser, duser, outcome, reason |
| LMS_EV_MTA_ALL_MESSAGES_FLUSH | outcome, reason |
| LMS_EV_MTA_ALL_MESSAGES_DELETE | outcome, reason, cs1, cs1Label |
| LMS_EV_MTA_STATUS_CHANGE | cs5, cs5Label, cs2, cs2Label, cs3, cs3Label, outcome, reason |
| LMS_EV_TLS_CERT_CHANGED | cs4, cs4Label, oldFileName, fname |
Disabling export of events in CEF format
To disable export of events in CEF format:
- Open the XML file containing the extracted settings of the klms-control program management utility.
- In the opened file, in the `<siemSettings>` section, set the value of the `<enabled>` parameter to 0.
  Example:
  ```xml
  <siemSettings>
    <enabled>0</enabled>
  ```
Applying new values to settings of Kaspersky Secure Mail Gateway
To apply settings from an XML file to Kaspersky Secure Mail Gateway, run the following command:
```
# sudo /opt/kaspersky/klms/bin/klms-control \
--set-settings EventLogger -n [-f|--file <file-name>]
```
After the command is executed, the CEF message export settings will be applied to Kaspersky Secure Mail Gateway. The `-f|--file <file-name>` parameter specifies the XML file containing these settings.