Kaspersky Unified Monitoring and Analysis Platform

Configuring Linux event reception using Kaspersky Endpoint Security for Linux

In KES for Linux, starting from version 12.2, events can be sent from Linux logs to a KUMA collector. This allows KUMA to receive events from Linux logs from all hosts on which KES for Linux version 12.2 is installed. To activate the functionality, you need:

  • A valid KUMA license
  • KSC 14.2 or later
  • KES for Linux version 12.2 or later

Configuring event receiving consists of the following steps:

  1. Importing the normalizer into KUMA.

    In KUMA, you must first configure receiving updates from the Kaspersky update servers so that the out-of-the-box normalizer is available for import.

    Click Resource import and select [OOTB] KESL syslog cef in the list of available normalizers.

  2. Creating a KUMA collector for receiving Linux events.

    To receive Linux events, at the Transport step, select TCP or UDP and specify the port number that the collector must listen on. At the Event parsing step, select the [OOTB] KESL syslog cef normalizer.

  3. Requesting a key from Technical Support.

    If your license did not include a key for activating the functionality of sending Linux logs to the KUMA collector, send the following message to Technical Support: "We have purchased a KUMA license and are using KES for Linux version 12.2. We want to activate the functionality of sending Linux logs to the KUMA collector. Please provide a key file to activate the functionality." New KUMA users do not need to make a Technical Support request, because new users receive 2 keys with their license: one for KUMA and one for activating the KES for Linux functionality.

    In response to your message, you will get a key file.

  4. Configuration on the side of KSC and KES for Linux.

    A key file that activates the functionality of sending Linux events to KUMA collectors must be imported into KSC and distributed to KES endpoints in accordance with the instructions. You must also add KUMA server addresses to the KES policy and specify network connection settings.

  5. Verifying receipt of Linux events in the KUMA collector.

    You can verify that the Linux event source server is correctly configured in the Searching for related events section of the KUMA web interface.

    KES for Linux sends the following events:

    • ProcessCreate
    • ProcessTerminate
    • FileChange
    • New user account created
    • User account deleted
    • Group created
    • Group deleted
    • New member added to a group
    • Member removed from the group
    • User password changed
    • Linux authentication performed
    • Linux session started
    • Linux session finished
    • Service started
    • Service stopped
    • Promiscuous mode modified
    • Audit configuration changed
    • Account expiration date changed
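The collector in step 2 listens on a TCP or UDP port and hands each syslog line to the [OOTB] KESL syslog cef normalizer, so the raw stream the endpoints send is syslog-wrapped CEF. The following script is an added example, not code from the KUMA documentation or from Kaspersky: it parses such lines offline (for example, from a capture taken on the collector host while troubleshooting step 5) and tallies event names against the list above, flagging lines that are not CEF and names outside the documented set. It assumes only the public CEF header layout (CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension); the sample lines, the vendor and product strings, the signature IDs and the extension keys are constructed for illustration and do not reproduce what KES for Linux actually emits.

```python
"""Parse syslog-wrapped CEF lines and tally KES for Linux event names.

Added example; not part of the KUMA documentation or Kaspersky code.
Only the generic CEF header layout is assumed. Sample lines, vendor and
product strings, signature IDs and extension keys are constructed.
"""
import re
from collections import Counter

# Event names listed in the KUMA documentation for KES for Linux.
EXPECTED_EVENTS = {
    "ProcessCreate", "ProcessTerminate", "FileChange",
    "New user account created", "User account deleted",
    "Group created", "Group deleted",
    "New member added to a group", "Member removed from the group",
    "User password changed", "Linux authentication performed",
    "Linux session started", "Linux session finished",
    "Service started", "Service stopped", "Promiscuous mode modified",
    "Audit configuration changed", "Account expiration date changed",
}

# Constructed sample input: syslog prefix followed by a CEF body.
SAMPLE_LINES = [
    r"<14>Jan 10 12:00:01 host1 kesl: CEF:0|ExampleVendor|ExampleProduct|12.2|1001|ProcessCreate|3|suser=alice fname=/usr/bin/id msg=constructed sample",
    r"<14>Jan 10 12:00:02 host1 kesl: CEF:0|ExampleVendor|ExampleProduct|12.2|1002|ProcessTerminate|3|suser=alice fname=/usr/bin/id",
    r"<14>Jan 10 12:00:03 host1 kesl: CEF:0|ExampleVendor|ExampleProduct|12.2|2001|FileChange|5|fname=/etc/passwd act=modify msg=path with \= and pipe \| inside",
    r"<14>Jan 10 12:00:04 host1 kesl: CEF:0|ExampleVendor|ExampleProduct|12.2|9999|UnexpectedEvent|1|msg=not in the documented list",
    "garbage line that is not CEF at all",
]

CEF_START = re.compile(r"CEF:(\d+)\|")


def _split_header(body, n=7):
    """Split the first n pipe-delimited header fields, honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < n:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped char: keep it literally
            cur.append(body[i + 1]); i += 2; continue
        if ch == "|":                              # unescaped field separator
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) < n:
        return None, ""
    return fields, body[i:]                        # remainder is the extension


def _parse_extension(ext):
    """Parse 'key=value key2=value 2' pairs; a value runs until the next key token."""
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        # Undo CEF extension escapes: \= \\ \r \n
        value = re.sub(r"\\(.)", lambda mm: {"n": "\n", "r": "\r"}.get(mm.group(1), mm.group(1)), value)
        out[m.group(1)] = value
    return out


def parse_cef(line):
    """Return a dict for one syslog+CEF line, or None if no CEF body is present."""
    m = CEF_START.search(line)
    if not m:
        return None
    fields, ext = _split_header(line[m.start():])
    if fields is None:
        return None
    return {
        "syslog_prefix": line[:m.start()].rstrip(),
        "cef_version": fields[0].split(":", 1)[1],
        "vendor": fields[1], "product": fields[2], "device_version": fields[3],
        "signature_id": fields[4], "name": fields[5], "severity": int(fields[6]),
        "ext": _parse_extension(ext),
    }


def check_events(lines):
    """Tally event names; report undocumented names, non-CEF lines and documented names not yet seen."""
    counts, unknown, unparsed = Counter(), [], 0
    for line in lines:
        ev = parse_cef(line)
        if ev is None:
            unparsed += 1
            continue
        counts[ev["name"]] += 1
        if ev["name"] not in EXPECTED_EVENTS:
            unknown.append(ev["name"])
    return {"counts": counts, "unknown": unknown, "unparsed": unparsed,
            "missing": sorted(EXPECTED_EVENTS - set(counts))}


if __name__ == "__main__":
    result = check_events(SAMPLE_LINES)
    for name, n in sorted(result["counts"].items()):
        print(f"{n:4d}  {name}")
    print("undocumented names:", result["unknown"])
    print("non-CEF lines:", result["unparsed"])
    print("documented events not yet seen:", len(result["missing"]))
```

A high count of non-CEF lines on the collector port usually means the wrong normalizer was selected at the Event parsing step or another source is sending to the same port; names outside the documented set are worth checking against the normalizer's mapping before relying on them in correlation rules. Feed the script real capture output by replacing SAMPLE_LINES with lines read from a file.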