In KES for Linux, starting from version 12.2, events can be sent from Linux logs to a KUMA collector. This allows KUMA to receive events from Linux logs from all hosts on which KES for Linux version 12.2 is installed. To activate the functionality, you need:
Configuring event receiving consists of the following steps:
In KUMA, you must configure getting updates through Kaspersky update servers.
Click Resource import and select [OOTB] KESL syslog cef in the list of available normalizers.
To receive Linux events, at the Transport step, select TCP or UDP and specify the port number that the collector must listen on. At the Event parsing step, select the [OOTB] KESL syslog cef normalizer.
If your license did not include a key for activating the functionality of sending Linux logs to the KUMA collector, send the following message to Technical Support: "We have purchased a KUMA license and are using KES for Linux version 12.2. We want to activate the functionality of sending Linux logs to the KUMA collector. Please provide a key file to activate the functionality." New KUMA users do not need to make a Technical Support request because new users get 2 keys with licenses for KUMA and for activating the KES for Linux functionality.
In response to your message, you will get a key file.
A key file that activates the functionality of sending Linux events to KUMA collectors must be imported into KSC and distributed to KES endpoints in accordance with the instructions. You must also add KUMA server addresses to the KES policy and specify network connection settings.
You can verify that the Linux event source server is correctly configured in the Searching for related events section of the KUMA web interface.
KES for Linux sends the following events: