Configuring Windows event reception using Kaspersky Endpoint Security for Windows
In KES for Windows, starting from version 12.6, events can be sent from Windows logs to a KUMA collector. In this way, KUMA can get events from Windows logs (a limited set of EventIDs of Microsoft products is supported) from all hosts with KES for Windows 12.6 without installing KUMA agents on such hosts. To activate the functionality, you need:
- A valid KUMA license
- KSC 14.2 or later
- KES for Windows version 12.6 or later
Configuring event receiving consists of the following steps:
- Importing the normalizer into KUMA.
In KUMA, you must first configure receiving updates from Kaspersky update servers.
Click Import resources and in the list of normalizers available for installation, select [OOTB] Microsoft Products via KES WIN.
- Creating a KUMA collector for receiving Windows events.
To receive Windows events, at the Transport step, select TCP or UDP and specify the port number that the collector must listen on. At the Event parsing step, select the [OOTB] Microsoft Products via KES WIN normalizer. At the Event filtering step, select the [OOTB] Microsoft Products via KES WIN - Event filter for collector filter.
- Requesting a key from Technical Support.
If your license did not include a key for activating the functionality of sending Windows logs to the KUMA collector, send the following message to Technical Support: "We have purchased a KUMA license and are using KES for Windows version 12.6. We want to activate the functionality of sending Windows logs to the KUMA collector. Please provide a key file to activate the functionality." New KUMA users do not need to make a Technical Support request because new users get 2 keys with licenses for KUMA and for activating the KES for Windows functionality.
In response to your message, you will get a key file.
- Configuration on the side of KSC and KES for Windows.
A key file that activates the functionality of sending Windows events to KUMA collectors must be imported into KSC and distributed to KES endpoints in accordance with the instructions. You must also add KUMA server addresses to the KES policy and specify network connection settings.
- Verifying receipt of Windows events in the KUMA collector.
You can verify that the Windows event source server is correctly configured in the Searching for related events section of the KUMA web interface.
Microsoft product events transmitted by KES for Windows are listed in the following table:
Event log | Event identifier
System | 12, 13, 7040, 7045, 42, 104, 107, 109, 1074, 6005, 6006, 7034, 7036, 8003
Security | 1102, 4614, 4649, 4696, 4698, 4704, 4706, 4713, 4715, 4717, 4720, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4738, 4739, 4740, 4741, 4742, 4756, 4757, 4765, 4766, 4767, 4768, 4769, 4770, 4771, 4775, 4776, 4778, 4780, 4781, 4794, 4817, 4876, 4877, 4882, 4885, 4886, 4887, 4890, 4891, 4898, 4904, 4905, 4928, 4950, 4964, 5136, 5137, 5138, 5139, 5141, 5142, 5143, 5144, 5155, 5376, 5377, 5632, 5888, 5890, 6416, 4622, 4648, 4662, 4672, 4697, 4702, 4719, 4732, 4733, 4798, 4946, 4947, 4948, 4949, 5145, 4616, 4625, 4663, 4624, 4799, 5140, 1008, 1105, 2722, 4615, 4618, 4626, 4627, 4634, 4647, 4653, 4654, 4656, 4657, 4658, 4659, 4660, 4661, 4664, 4666, 4667, 4670, 4673, 4674, 4688, 4689, 4690, 4691, 4692, 4693, 4694, 4695, 4699, 4700, 4701, 4703, 4705, 4707, 4714, 4716, 4718, 4730, 4731, 4734, 4737, 4743, 4744, 4745, 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4758, 4759, 4760, 4761, 4762, 4763, 4764, 4772, 4773, 4774, 4777, 4779, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4792, 4793, 4797, 4800, 4801, 4802, 4803, 4818, 4819, 4820, 4821, 4822, 4823, 4824, 4825, 4826, 4865, 4866, 4867, 4868, 4869, 4870, 4871, 4872, 4873, 4874, 4875, 4883, 4884, 4888, 4892, 4893, 4896, 4906, 4907, 4908, 4911, 4912, 4913, 4929, 4930, 4931, 4932, 4933, 4935, 4944, 4945, 4951, 4953, 4956, 4957, 4958, 4981, 4982, 4983, 4984, 4985, 5024, 5031, 5033, 5039, 5049, 5051, 5056, 5057, 5058, 5059, 5060, 5061, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5071, 5122, 5123, 5146, 5147, 5152, 5153, 5154, 5156, 5157, 5158, 5159, 5168, 5378, 5379, 5380, 5381, 5382, 5447, 5448, 5451, 5452, 5459, 5461, 5472, 5474, 5477, 5478, 5483, 5484, 5633, 6144, 6145, 6272, 6273, 6274, 6276, 6278, 6279, 6280, 6281, 6410, 6419, 6420, 6421, 6422, 6423, 6424, 6889
PowerShell | 4100, 4103, 4104, 4105, 4106, 8193, 8194, 8197, 24577, 24595, 24596, 24597, 24598, 24599, 53249, 53250, 53504
MS SQL Server | 615, 919, 958, 1945, 2007, 2812, 3406, 3407, 3421, 3454, 5084, 5579, 5701, 5703, 6253, 8128, 9013, 9666, 15268, 15457, 17104, 17110, 17111, 17125, 17137, 17152, 17164, 17176, 17177, 17199, 17201, 17550, 17551, 17561, 17663, 18264, 18265, 18456, 18488, 18496, 19030, 19031, 19032, 26022, 26037, 26048, 26067, 33090, 49903, 49904
Microsoft Defender | 1006, 1015, 1116, 1117, 1000, 1001, 2000, 5000, 5001, 5002, 5004, 5007, 5010, 5012
Terminal Server | 1149, 21, 22, 24, 25, 39, 40
Microsoft Active Directory Federation Service (AD FS) | 106, 217, 251, 335, 342, 349, 358, 364, 381, 385, 400, 401, 417, 424, 435, 436
Sysmon | 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 255
Microsoft Active Directory Domain Service (AD DS) | 1213, 1317, 1644, 2041, 2889
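Because KES for Windows forwards only the event IDs in the table above, detection content that relies on any other ID will never fire on events from these hosts, and the gap is silent. The following script is an added example, not Kaspersky's code: it parses the table in the flattened "log name, then one ID per line" form in which it is often copied out of the documentation and reports which IDs a rule set needs that are not forwarded. Only an excerpt of the table is embedded; the `REQUIRED_BY_RULES` mapping is a constructed illustration of a rule set's needs, not anything from the page.

```python
"""Coverage check for KES for Windows -> KUMA event forwarding.

Added example (not Kaspersky's code). Compares the event IDs a detection
content set requires against the IDs KES for Windows 12.6 forwards to KUMA,
so that unsupported IDs are found before rules are deployed.
"""
from collections import defaultdict

# Excerpt of the page's table in the flattened form (log name line followed by
# one ID per line). Only some logs and IDs are embedded; paste the full table
# from the documentation for a real check. Header lines are harmless.
SUPPORTED_TABLE_EXCERPT = """
Event log
Event identifier
System
12
13
7040
7045
104
Security
1102
4624
4625
4688
4720
4697
4663
PowerShell
4103
4104
Sysmon
1
3
11
22
"""

# Constructed example of what a rule set expects. The IDs are real Windows
# event IDs, but this mapping is an illustration, not a rule set from the page.
REQUIRED_BY_RULES = {
    "Security": {4624, 4625, 4688, 4720, 4675},  # 4675 is not in the forwarded set
    "System": {7045, 7000},                       # 7000 is not in the forwarded set
    "Sysmon": {1, 3, 11},                         # all forwarded
    "Application": {1000},                        # whole log is not forwarded
}


def parse_event_table(text):
    """Turn the flattened table into {log name: set of event IDs}.

    An all-digit line is an ID belonging to the most recent non-numeric line;
    any other non-empty line starts a new log. Header lines such as
    "Event log" create no entry because no ID follows them before the next name.
    """
    supported = defaultdict(set)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.isdigit():
            if current is None:
                raise ValueError(f"event ID {line} appears before any log name")
            supported[current].add(int(line))
        else:
            current = line
    return dict(supported)


def coverage_gaps(required, supported):
    """Return {log: sorted IDs that are required but not forwarded}.

    A log missing from the supported table reports every required ID,
    which is the case of a log KES does not forward at all.
    """
    gaps = {}
    for log, ids in required.items():
        have = supported.get(log, set())
        missing = sorted(i for i in ids if i not in have)
        if missing:
            gaps[log] = missing
    return gaps


def report(required=REQUIRED_BY_RULES, table_text=SUPPORTED_TABLE_EXCERPT):
    """Print and return the coverage gaps for the given rule set and table."""
    supported = parse_event_table(table_text)
    gaps = coverage_gaps(required, supported)
    for log, ids in sorted(gaps.items()):
        note = "" if log in supported else " (log is not forwarded by KES at all)"
        print(f"{log}: not forwarded {ids}{note}")
    return gaps


if __name__ == "__main__":
    report()
```

Run it with the full table pasted into `SUPPORTED_TABLE_EXCERPT` and your own required IDs; any log or ID it reports must be collected another way (for example by a KUMA agent) or the dependent rule will never trigger on KES-forwarded hosts.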