In KES for Windows, starting from version 12.6, events can be sent from Windows logs to an Open Single Management Platform collector. In this way, Open Single Management Platform can receive events from Windows logs (a limited set of EventIDs of Microsoft products is supported) from all hosts with KES for Windows 12.6 without installing Open Single Management Platform agents on those hosts. To activate the functionality, you need:
Configuring event receiving consists of the following steps:
In Open Single Management Platform, configure receiving updates from Kaspersky update servers.
Click Import resources and, in the list of normalizers available for installation, select [OOTB] Microsoft Products via KES WIN.
To receive Windows events, at the Transport step, select TCP or UDP and specify the port number that the collector must listen on. At the Event parsing step, select the [OOTB] Microsoft Products via KES WIN normalizer. At the Event filtering step, select the [OOTB] Microsoft Products via KES WIN - Event filter for collector filter.
If your license did not include a key for activating the functionality of sending Windows logs to the Open Single Management Platform collector, send the following message to Technical Support: We have purchased an Open Single Management Platform license and are using KES for Windows version 12.6. We want to activate the functionality of sending Windows logs to the Open Single Management Platform collector. Please provide a key file to activate the functionality. New Open Single Management Platform users do not need to make a Technical Support request, because new users receive two keys with their licenses: one for Open Single Management Platform and one for activating the KES for Windows functionality.
In response to your message, you will get a key file.
A key file that activates the functionality of sending Windows events to Open Single Management Platform collectors must be imported into KSC and distributed to KES endpoints in accordance with the instructions. You must also add Open Single Management Platform server addresses to the KES policy and specify network connection settings.
You can verify that the Windows event source server is correctly configured in the Searching for related events section of the Open Single Management Platform web interface.
Microsoft product events transmitted by KES for Windows are listed in the following table:
| Event log | Event ID |
|---|---|
| DNS Server | 150 |
| DNS Server | 770 |
| MSExchange Management | 1 |
| Security | 4781 |
| Security | 6416 |
| Security | 1100 |
| Security | 1102 / 517 |
| Security | 1104 |
| Security | 1108 |
| Security | 4610 / 514 |
| Security | 4611 |
| Security | 4614 / 518 |
| Security | 4616 / 520 |
| Security | 4622 |
| Security | 4624 / 528 / 540 |
| Security | 4625 / 529 |
| Security | 4648 / 552 |
| Security | 4649 |
| Security | 4662 |
| Security | 4663 |
| Security | 4672 / 576 |
| Security | 4696 |
| Security | 4697 / 601 |
| Security | 4698 / 602 |
| Security | 4702 |
| Security | 4704 / 608 |
| Security | 4706 |
| Security | 4713 / 617 |
| Security | 4715 |
| Security | 4717 / 621 |
| Security | 4719 / 612 |
| Security | 4720 / 624 |
| Security | 4722 / 626 |
| Security | 4723 / 627 |
| Security | 4724 / 628 |
| Security | 4725 / 629 |
| Security | 4726 / 630 |
| Security | 4727 |
| Security | 4728 / 632 |
| Security | 4729 / 633 |
| Security | 4732 / 636 |
| Security | 4733 / 637 |
| Security | 4738 / 642 |
| Security | 4739 / 643 |
| Security | 4740 / 644 |
| Security | 4741 |
| Security | 4742 / 646 |
| Security | 4756 / 660 |
| Security | 4757 / 661 |
| Security | 4765 |
| Security | 4766 |
| Security | 4767 |
| Security | 4768 / 672 |
| Security | 4769 / 673 |
| Security | 4770 |
| Security | 4771 / 675 |
| Security | 4775 |
| Security | 4776 / 680 |
| Security | 4778 / 682 |
| Security | 4780 / 684 |
| Security | 4794 |
| Security | 4798 |
| Security | 4817 |
| Security | 4876 / 4877 |
| Security | 4882 |
| Security | 4885 |
| Security | 4886 |
| Security | 4887 |
| Security | 4890 |
| Security | 4891 |
| Security | 4898 |
| Security | 4899 |
| Security | 4900 |
| Security | 4902 |
| Security | 4904 |
| Security | 4905 |
| Security | 4928 |
| Security | 4946 |
| Security | 4947 |
| Security | 4948 |
| Security | 4949 |
| Security | 4950 |
| Security | 4964 |
| Security | 5025 |
| Security | 5136 |
| Security | 5137 |
| Security | 5138 |
| Security | 5139 |
| Security | 5141 |
| Security | 5142 |
| Security | 5143 |
| Security | 5144 |
| Security | 5145 |
| Security | 5148 |
| Security | 5155 |
| Security | 5376 |
| Security | 5377 |
| Security | 5632 |
| Security | 5888 |
| Security | 5889 |
| Security | 5890 |
| Security | 676 |
| System | 1 |
| System | 104 |
| System | 1056 |
| System | 12 |
| System | 13 |
| System | 6011 |
| System | 7040 |
| System | 7045 |
| System, Source Netlogon | 5723 |
| System, Source Netlogon | 5805 |
| Terminal-Services-RemoteConnectionManager | 1149 |
| Terminal-Services-RemoteConnectionManager | 1152 |
| Terminal-Services-RemoteConnectionManager | 20523 |
| Terminal-Services-RemoteConnectionManager | 258 |
| Terminal-Services-RemoteConnectionManager | 261 |
| Windows PowerShell | 400 |
| Windows PowerShell | 500 |
| Windows PowerShell | 501 |
| Windows PowerShell | 800 |
| Application, Source ESENT | 301 |
| Application, Source ESENT | 302 |
| Application, Source ESENT | 325 |
| Application, Source ESENT | 326 |
| Application, Source ESENT | 327 |
| Application, Source ESENT | 2001 |
| Application, Source ESENT | 2003 |
| Application, Source ESENT | 2005 |
| Application, Source ESENT | 2006 |
| Application, Source ESENT | 216 |
| Application | 1000 |
| Application | 1002 |
| Application | 1 / 2 |
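Before relying on the collector for detection, it is worth checking on an endpoint which of the supported Event IDs the host actually produces, since KES can only forward events that Windows generates. The following PowerShell check is an added example, not part of the Kaspersky documentation or product; it covers a subset of the table above, and the provider name NETLOGON used for the "Source Netlogon" rows is an assumption.

```powershell
# Added coverage check (not from the Kaspersky documentation or product).
# Queries the local Windows logs for Event IDs that KES for Windows 12.6
# forwards to the collector and reports which of them have been generated on
# this host in the last $Days days. A zero count for an ID you expect usually
# means the corresponding audit subcategory is not enabled on the host.
# Run in an elevated PowerShell session on a host with KES for Windows 12.6.
param([int]$Days = 7)

# Subset of the table above, grouped by log (and provider where the table
# names a source). Extend the Id lists as needed, but keep each list below
# 22 IDs, which is the limit for a single Windows event query.
# Legacy pre-Vista IDs (e.g. 528 / 540 next to 4624) are omitted because
# current Windows versions do not emit them. ProviderName 'NETLOGON' is an
# assumption about how the "System, Source Netlogon" rows map to the log.
$Supported = @(
    @{ LogName = 'Security'; Id = 1102,4624,4625,4648,4672,4697,4698,4720,4728,4732,4768,4769,4771,4776,5136,5145 }
    @{ LogName = 'System'; Id = 104,7040,7045 }
    @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5723,5805 }
    @{ LogName = 'Windows PowerShell'; Id = 400,500,501,800 }
    @{ LogName = 'Application'; ProviderName = 'ESENT'; Id = 301,302,325,326,327 }
    @{ LogName = 'Application'; Id = 1000,1002 }
)

$since = (Get-Date).AddDays(-$Days)
foreach ($spec in $Supported) {
    $filter = $spec.Clone()
    $filter.StartTime = $since
    # Get-WinEvent throws "No events were found" when nothing matches;
    # treat that as zero observations rather than as a failure.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $counts = @{}
    foreach ($e in $events) { $counts[[int]$e.Id] = [int]$counts[[int]$e.Id] + 1 }
    $provider = if ($spec.ContainsKey('ProviderName')) { $spec.ProviderName } else { '*' }
    foreach ($id in $spec.Id) {
        # One row per supported ID; Observed = $false marks a coverage gap.
        [pscustomobject]@{
            Log      = $spec.LogName
            Provider = $provider
            EventId  = $id
            Count    = [int]$counts[$id]
            Observed = [bool]$counts[$id]
        }
    }
}
```

Pipe the output through `Where-Object { -not $_.Observed }` to list the supported IDs this host has not generated in the period, which is the list to compare against the audit policy before expecting them at the collector.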