Configuring export of KLMS events to KUMA
To configure the export of KLMS events to KUMA:
- Connect to the KLMS server over SSH and go to the Technical Support Mode menu.
- Use the klms-control utility to download the settings to the settings.xml file:
sudo /opt/kaspersky/klms/bin/klms-control --get-settings EventLogger -n -f /tmp/settings.xml
- Make sure that the settings in the /tmp/settings.xml file have the following values; make changes if necessary:
<siemSettings>
<enabled>1</enabled>
<facility>Local1</facility>
...
</siemSettings>
- Apply settings with the following command:
sudo /opt/kaspersky/klms/bin/klms-control --set-settings EventLogger -n -f /tmp/settings.xml
- To send events via UDP, make the following changes to the /etc/rsyslog.conf configuration file:
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName ForwardToSIEM
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
local1.* @<<
IP address of the KUMA collector
>:<
port of the collector
>>
If you want to send events over TCP, the last line should be as follows:
local1.* @@<<
IP address of the KUMA collector
>:<
port of the collector
>>
- Save your changes.
- Restart the rsyslog service with the following command:
sudo systemctl restart rsyslog.service