Configuring Windows event reception using Kaspersky Endpoint Security for Windows
Starting from version 12.6, KES for Windows can send events from Windows logs to a KUMA collector. In this way, KUMA can receive Windows log events (only a limited set of Microsoft product event IDs is supported; see the table below) from every host running KES for Windows 12.6 or later without installing a KUMA agent on those hosts. To activate this functionality, you need:
- A valid KUMA license
- KSC 14.2 or later
- KES for Windows version 12.6 or later
Configuring event reception consists of the following steps:
- Importing the normalizer into KUMA.
In KUMA, you must first configure receiving updates from the Kaspersky update servers.
Click Import resources and in the list of normalizers available for installation, select [OOTB] Microsoft Products via KES WIN.
- Creating a KUMA collector for receiving Windows events.
To receive Windows events, at the Transport step, select TCP or UDP and specify the port number that the collector must listen on. At the Event parsing step, select the [OOTB] Microsoft Products via KES WIN normalizer. At the Event filtering step, select the [OOTB] Microsoft Products via KES WIN - Event filter for collector filter.
- Requesting a key from Technical Support.
If your license did not include a key for activating the functionality of sending Windows logs to the KUMA collector, send the following message to Technical Support: "We have purchased a KUMA license and are using KES for Windows version 12.6. We want to activate the functionality of sending Windows logs to the KUMA collector. Please provide a key file to activate the functionality." New KUMA users do not need to contact Technical Support, because they receive two keys with their license: one for KUMA and one for activating the KES for Windows functionality.
In response to your message, you will get a key file.
- Configuration on the side of KSC and KES for Windows.
A key file that activates the functionality of sending Windows events to KUMA collectors must be imported into KSC and distributed to KES endpoints in accordance with the instructions. You must also add KUMA server addresses to the KES policy and specify network connection settings.
- Verifying receipt of Windows events in the KUMA collector.
You can verify that the Windows event source server is correctly configured in the Searching for related events section of the KUMA web interface.
Microsoft product events transmitted by KES for Windows are listed in the following table:
| Event log | Event identifier |
|---|---|
| DNS Server | 150 |
| DNS Server | 770 |
| MSExchange Management | 1 |
| Security | 4781 |
| Security | 6416 |
| Security | 1100 |
| Security | 1102 / 517 |
| Security | 1104 |
| Security | 1108 |
| Security | 4610 / 514 |
| Security | 4611 |
| Security | 4614 / 518 |
| Security | 4616 / 520 |
| Security | 4622 |
| Security | 4624 / 528 / 540 |
| Security | 4625 / 529 |
| Security | 4648 / 552 |
| Security | 4649 |
| Security | 4662 |
| Security | 4663 |
| Security | 4672 / 576 |
| Security | 4696 |
| Security | 4697 / 601 |
| Security | 4698 / 602 |
| Security | 4702 |
| Security | 4704 / 608 |
| Security | 4706 |
| Security | 4713 / 617 |
| Security | 4715 |
| Security | 4717 / 621 |
| Security | 4719 / 612 |
| Security | 4720 / 624 |
| Security | 4722 / 626 |
| Security | 4723 / 627 |
| Security | 4724 / 628 |
| Security | 4725 / 629 |
| Security | 4726 / 630 |
| Security | 4727 |
| Security | 4728 / 632 |
| Security | 4729 / 633 |
| Security | 4732 / 636 |
| Security | 4733 / 637 |
| Security | 4738 / 642 |
| Security | 4739 / 643 |
| Security | 4740 / 644 |
| Security | 4741 |
| Security | 4742 / 646 |
| Security | 4756 / 660 |
| Security | 4757 / 661 |
| Security | 4765 |
| Security | 4766 |
| Security | 4767 |
| Security | 4768 / 672 |
| Security | 4769 / 673 |
| Security | 4770 |
| Security | 4771 / 675 |
| Security | 4775 |
| Security | 4776 / 680 |
| Security | 4778 / 682 |
| Security | 4780 / 684 |
| Security | 4794 |
| Security | 4798 |
| Security | 4817 |
| Security | 4876 / 4877 |
| Security | 4882 |
| Security | 4885 |
| Security | 4886 |
| Security | 4887 |
| Security | 4890 |
| Security | 4891 |
| Security | 4898 |
| Security | 4899 |
| Security | 4900 |
| Security | 4902 |
| Security | 4904 |
| Security | 4905 |
| Security | 4928 |
| Security | 4946 |
| Security | 4947 |
| Security | 4948 |
| Security | 4949 |
| Security | 4950 |
| Security | 4964 |
| Security | 5025 |
| Security | 5136 |
| Security | 5137 |
| Security | 5138 |
| Security | 5139 |
| Security | 5141 |
| Security | 5142 |
| Security | 5143 |
| Security | 5144 |
| Security | 5145 |
| Security | 5148 |
| Security | 5155 |
| Security | 5376 |
| Security | 5377 |
| Security | 5632 |
| Security | 5888 |
| Security | 5889 |
| Security | 5890 |
| Security | 676 |
| System | 1 |
| System | 104 |
| System | 1056 |
| System | 12 |
| System | 13 |
| System | 6011 |
| System | 7040 |
| System | 7045 |
| System, Source Netlogon | 5723 |
| System, Source Netlogon | 5805 |
| Terminal-Services-RemoteConnectionManager | 1149 |
| Terminal-Services-RemoteConnectionManager | 1152 |
| Terminal-Services-RemoteConnectionManager | 20523 |
| Terminal-Services-RemoteConnectionManager | 258 |
| Terminal-Services-RemoteConnectionManager | 261 |
| Windows PowerShell | 400 |
| Windows PowerShell | 500 |
| Windows PowerShell | 501 |
| Windows PowerShell | 800 |
| Application, Source ESENT | 301 |
| Application, Source ESENT | 302 |
| Application, Source ESENT | 325 |
| Application, Source ESENT | 326 |
| Application, Source ESENT | 327 |
| Application, Source ESENT | 2001 |
| Application, Source ESENT | 2003 |
| Application, Source ESENT | 2005 |
| Application, Source ESENT | 2006 |
| Application, Source ESENT | 216 |
| Application | 1000 |
| Application | 1002 |
| Application | 1 / 2 |
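Because the forwarded set is deliberately limited, it is worth checking which event IDs your correlation rules actually depend on before you rely on KES for Windows as the only Windows event source for a host. The following Python script is an added example (it is not Kaspersky code and not part of the KUMA documentation): it embeds the table above as data, expands the "a / b" entries into their alternative IDs, and reports which (event log, event ID) pairs of a constructed sample rule set are not forwarded by KES, for instance process creation (Security 4688) and PowerShell script-block logging (4104), which would need another source such as a KUMA agent. The rule set, its comments and the log name `Microsoft-Windows-PowerShell/Operational` are assumptions for the example, not values from this page.

```python
"""Coverage check: which events a detection rule set needs versus the
Windows events KES for Windows 12.6 forwards to a KUMA collector.

Added example, not Kaspersky code. The supported set is transcribed from
the table on this page; the rule requirements are a constructed sample.
"""
from __future__ import annotations

# Event log -> event IDs, transcribed from the table on this page.
# An entry such as "4624/528/540" lists the alternative IDs the table
# gives for one event; every ID in such an entry is forwarded.
SUPPORTED_EVENTS_BY_LOG: dict[str, str] = {
    "DNS Server": "150 770",
    "MSExchange Management": "1",
    "Security": (
        "4781 6416 1100 1102/517 1104 1108 4610/514 4611 4614/518 4616/520 4622 "
        "4624/528/540 4625/529 4648/552 4649 4662 4663 4672/576 4696 4697/601 "
        "4698/602 4702 4704/608 4706 4713/617 4715 4717/621 4719/612 4720/624 "
        "4722/626 4723/627 4724/628 4725/629 4726/630 4727 4728/632 4729/633 "
        "4732/636 4733/637 4738/642 4739/643 4740/644 4741 4742/646 4756/660 "
        "4757/661 4765 4766 4767 4768/672 4769/673 4770 4771/675 4775 4776/680 "
        "4778/682 4780/684 4794 4798 4817 4876/4877 4882 4885 4886 4887 4890 "
        "4891 4898 4899 4900 4902 4904 4905 4928 4946 4947 4948 4949 4950 4964 "
        "5025 5136 5137 5138 5139 5141 5142 5143 5144 5145 5148 5155 5376 5377 "
        "5632 5888 5889 5890 676"
    ),
    "System": "1 104 1056 12 13 6011 7040 7045",
    "System, Source Netlogon": "5723 5805",
    "Terminal-Services-RemoteConnectionManager": "1149 1152 20523 258 261",
    "Windows PowerShell": "400 500 501 800",
    "Application, Source ESENT": "301 302 325 326 327 2001 2003 2005 2006 216",
    "Application": "1000 1002 1/2",
}


def build_supported_set(
    table: dict[str, str] = SUPPORTED_EVENTS_BY_LOG,
) -> set[tuple[str, int]]:
    """Expand the compact table into a set of (event log, event ID) pairs."""
    supported: set[tuple[str, int]] = set()
    for log_name, entries in table.items():
        for entry in entries.split():
            for event_id in entry.split("/"):
                supported.add((log_name, int(event_id)))
    return supported


SUPPORTED_EVENTS = build_supported_set()


def is_forwarded(log_name: str, event_id: int) -> bool:
    """True if KES for Windows forwards this (log, ID) pair to KUMA."""
    return (log_name, event_id) in SUPPORTED_EVENTS


def find_gaps(required: list[tuple[str, int]]) -> list[tuple[str, int]]:
    """Return the (log, ID) pairs in `required` that KES does not forward.

    Detection content that depends on one of these events needs another
    source (for example a KUMA agent on the host) or must be reworked.
    """
    return sorted({pair for pair in required if pair not in SUPPORTED_EVENTS})


def coverage_report(required: list[tuple[str, int]]) -> dict:
    """Summarise how many distinct required events KES covers."""
    unique = set(required)
    gaps = find_gaps(required)
    return {"required": len(unique), "covered": len(unique) - len(gaps), "gaps": gaps}


# Constructed sample (assumption): events a hypothetical rule set reads.
SAMPLE_RULE_EVENTS: list[tuple[str, int]] = [
    ("Security", 4624),            # successful logon
    ("Security", 4625),            # failed logon
    ("Security", 4688),            # process creation: not in the forwarded set
    ("Security", 4720),            # user account created
    ("Security", 4698),            # scheduled task created
    ("System", 7045),              # service installed
    ("Windows PowerShell", 400),   # engine state changed
    ("Microsoft-Windows-PowerShell/Operational", 4104),  # script block: not forwarded
]

if __name__ == "__main__":
    report = coverage_report(SAMPLE_RULE_EVENTS)
    print(f"{report['covered']}/{report['required']} required events are forwarded by KES")
    for log_name, event_id in report["gaps"]:
        print(f"  gap: {log_name} {event_id} needs another event source")
```

Feed `find_gaps` the (log, ID) pairs your own rules reference; any pair it returns will never arrive through KES, so an alert built on it would silently stay dark for hosts covered only this way.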