AlienVault® USM Anywhere™

Kaspersky Security Center

When you configure Kaspersky Security Center to send log data to USM Anywhere, you can use the Kaspersky Security Center CEF plugin to translate the raw log data into normalized events for analysis.

Device Details

Vendor: Kaspersky
Device Type: Management platform
Connection Type: Syslog

Integrating Kaspersky Security Center

Before you configure the Kaspersky Security Center integration, you must have the IP Address of the USM Anywhere Sensor.

To configure Kaspersky Security Center to forward log data over Syslog to USM Anywhere

  1. Log in to the Kaspersky Security Center.
  2. In the Console Tree, expand the Reports and notifications folder.
  3. Right-click Event and select Properties.
  4. On the Events Properties page, select Automatically export events to SIEM system database in the Exporting events section.
  5. In the SIEM system list, select the system to which you want to export events.

    By default, the ArcSight system is selected.

  6. Type the IP address of the USM Anywhere Sensor and port 514 in the corresponding fields.
  7. (Optional) To export historical data to USM Anywhere, click Export archive.

    Note: By default, the Kaspersky Security Center forwards events starting from the current date.

  8. Click OK.

Plugin Enablement

The Kaspersky Security Center plugin automatically processes all messages whose syslog tag matches one of the following values:

  • klactprx
  • kladminserver
  • kldumper
  • klnagent
  • klsecuritycenter
  • klwebsrv
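As an added illustration (not AlienVault's plugin code), the following Python routes syslog lines by the tags listed above and splits a CEF-formatted message into its header and extension fields, handling the escaped `\|` and `\=` sequences that break naive splitting. The normalized field names, the sample lines and the CEF vendor/product strings are constructed placeholders, not the plugin's actual output.

```python
import re
# Syslog tags the page lists as routing a message to the Kaspersky plugin.
KASPERSKY_TAGS = {"klactprx", "kladminserver", "kldumper", "klnagent",
                  "klsecuritycenter", "klwebsrv"}
# BSD-style syslog line: "<PRI>Mon dd hh:mm:ss host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<tag>[^\s:\[]+)(?:\[\d+\])?:\s(?P<msg>.*)$")
CEF_HEADER_KEYS = ("version", "vendor", "product", "device_version",
                   "signature_id", "name", "severity")
FIELD_RE = re.compile(r"((?:\\.|[^|\\])*)\|")        # one header field plus its '|'
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # extension keys

def split_cef_header(msg):
    """Split 'CEF:0|...|' on unescaped pipes; return (header, extension)."""
    if not msg.startswith("CEF:"):
        return None
    parts = []
    for m in FIELD_RE.finditer(msg, 4):                  # skip the 'CEF:' prefix
        parts.append(re.sub(r"\\(.)", r"\1", m.group(1)))  # undo '\|' and '\\'
        if len(parts) == 7:
            return dict(zip(CEF_HEADER_KEYS, parts)), msg[m.end():]
    return None                                          # truncated header

def parse_cef_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict."""
    fields, keys = {}, list(EXT_KEY_RE.finditer(ext))
    for n, k in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[k.end():end].strip()
        fields[k.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return fields

def normalize(line):
    """Return a normalized event for Kaspersky-tagged CEF lines, else None."""
    m = SYSLOG_RE.match(line)
    parsed = m and m.group("tag") in KASPERSKY_TAGS and split_cef_header(m.group("msg"))
    if not parsed:
        return None                    # other tags, or not CEF: not routed here
    header, ext = parsed
    return {"syslog_tag": m.group("tag"), "reporting_host": m.group("host"),
            "event_name": header["name"], "severity": header["severity"],
            "extension": parse_cef_extension(ext)}

# Constructed sample lines (not real Kaspersky output): one routed, one not.
SAMPLE_LINES = [
    "<134>Mar 10 12:00:01 ksc01 kladminserver: CEF:0|Vendor|Product|1.0|ID-1|"
    "Threat detected \\| quarantined|8|dhost=ws-042 suser=jdoe msg=rule\\=test fired",
    "<134>Mar 10 12:00:02 ksc01 sshd[1234]: Accepted password for admin",
]
```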

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application
  • audit_reason
  • customfield_0
  • customfield_1
  • customheader_0
  • customheader_1
  • destination_hostname
  • device_nt_domain
  • email_sender
  • email_subject
  • event_description
  • event_name
  • event_outcome
  • file_path
  • highlight_fields
  • malware_variant
  • plugin_device
  • plugin_rule
  • request_url
  • security_group_name
  • source_hostname
  • source_process
  • source_process_id
  • source_user_privileges
  • source_username
  • timestamp_occured
  • transient

Additional Resources and Troubleshooting

For vendor documentation, visit the vendor's website and look for the Kaspersky Lab v10 Administrator's Guide.

For troubleshooting, refer to the vendor documentation: