Cybersecurity Forum

isuru
New Contributor II

Kaspersky Security Center Integration

Hi,

I would like to know whether FortiSIEM supports Kaspersky Security Center syslog collection. I haven't seen anything related to Kaspersky in the External Systems Configuration Guide (FortiSIEM Documentation), but I configured the syslog forwarding as mentioned in the Kaspersky online help (https://help.kaspersky.com/KSC/11/en-US/151333.htm) since there was a parser:

[Screenshot: the Kaspersky parser listed in FortiSIEM]

But when I look into the parser, it is referring to CEF, or it is looking for two keywords:

[Screenshot: the parser definition, which keys on CEF]

Moreover, in the Kaspersky Security Center it only shows these CEF formats and the Syslog format, which is what I have configured:

[Screenshot: the export format options in Kaspersky Security Center]
What would be the correct format to choose?

Regards,
Isuru



Cheers,
Isuru Malawige
Gabe_FTNT
Staff

Hi Isuru

FortiSIEM does not contain a parser for the Syslog format as of now; only CEF is supported. I don't know what the difference between ArcSight CEF and Splunk CEF is.
Be aware that Kaspersky CEF log export requires an advanced license from Kaspersky (cf. https://media.kaspersky.com/en/business-security/kaspersky-endpoint-security-for-business-datasheet....). With the Select license, Kaspersky will only send out in the default "Syslog" format, i.e. non-CEF, and FortiSIEM won't be able to parse it.

Regards,
Gabriel
Gabriel Kälin, Systems Engineer Fortinet | Riedmühlestr. 8 | 8305 Dietlikon | Switzerland | E: gkaelin@fortinet.com | T: +41 79 882 80 98
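To make concrete what the thread turns on (a parser keyed on the CEF marker accepts CEF export and ignores the plain Syslog export), here is an added example of a minimal CEF parser in Python. It is not code from the thread, from FortiSIEM or from Kaspersky, and it does not reproduce the FortiSIEM parser XML; the sample log lines are constructed, and the vendor, product, version and event ID strings in them are placeholders rather than values taken from a real Kaspersky export. It splits the seven-field CEF header on unescaped `|`, walks the key=value extension while honouring the `\=`, `\\`, `\n` and `\r` escapes, and reports a non-CEF syslog line as unparseable instead of guessing.

```python
import re
from dataclasses import dataclass, field

# Key positions in the CEF extension: a key is alphanumeric, followed by '=',
# and sits at the start of the extension or after whitespace. An escaped
# '\=' inside a value never matches because '\' is not a key character.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    event_class_id: str
    name: str
    severity: str
    extensions: dict = field(default_factory=dict)


def is_cef(message: str) -> bool:
    """True when the syslog payload carries the 'CEF:' marker the parser keys on."""
    return "CEF:" in message


def _unescape(value: str) -> str:
    """Resolve CEF escapes: '\\|', '\\=', '\\\\' give the literal char; '\\n'/'\\r' give newlines."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _split_header(payload: str):
    """Split the text after 'CEF:' into its 7 header fields on unescaped '|'."""
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):   # keep the escape for _unescape()
            cur.append(ch)
            cur.append(payload[i + 1])
            i += 2
        elif ch == "|":
            fields.append(_unescape("".join(cur)))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) == 6 and cur:                   # severity with no trailing '|'
        fields.append(_unescape("".join(cur)))
        i = len(payload)
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, payload[i:]


def _parse_extensions(ext: str) -> dict:
    """Cut the extension at each key= position; values may contain spaces."""
    keys = list(EXT_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(message: str) -> CefEvent:
    """Parse one syslog line containing a CEF record; raise on non-CEF input."""
    marker = message.find("CEF:")
    if marker < 0:
        raise ValueError("not a CEF message: no 'CEF:' marker")
    header_fields, ext = _split_header(message[marker + len("CEF:"):])
    return CefEvent(*header_fields, extensions=_parse_extensions(ext))


# Constructed sample lines (not real Kaspersky output): one CEF export, one
# plain Syslog export of the kind the CEF parser will not recognise.
SAMPLE_CEF = (
    "<14>Mar 10 12:00:00 ksc-host CEF:0|ExampleVendor|ExampleProduct|11.0|"
    "EXAMPLE_EVENT_ID|Malicious object detected|8|"
    "rt=1583841600000 dhost=WS-042 suser=CORP\\\\jdoe "
    "fname=C:\\\\Temp\\\\sample.bin msg=Object detected\\=quarantined"
)
SAMPLE_SYSLOG = "<14>Mar 10 12:00:01 ksc-host KSC: Malicious object detected on host WS-042"


def classify(message: str) -> str:
    """Mirror the parser's decision: 'cef' if the record parses, else 'unparsed'."""
    try:
        parse_cef(message)
        return "cef"
    except ValueError:
        return "unparsed"


if __name__ == "__main__":
    print(parse_cef(SAMPLE_CEF))
    print(classify(SAMPLE_CEF), classify(SAMPLE_SYSLOG))
```

Running it shows the CEF line yielding a structured event with `suser`, `fname` and `msg` unescaped, while the Syslog-format line is classified `unparsed`, which is exactly the licensing point above: if the Kaspersky side can only emit the plain Syslog format, a CEF-keyed parser has nothing to match.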
isuru
New Contributor II

Hi Gabriel,

Thanks for the insight. I will check on the license as well.

Regards,
Isuru
Cheers,
Isuru Malawige
FSM_FTNT
Staff

Hi Isuru,

You should be able to send Kaspersky CEF format syslog to FortiSIEM.

The default parser should work; however, this is a slightly modified version that parses some more fields. Clone the existing parser and paste this new one in. Then make sure you Apply it.

Let me know how you get on.

Thanks

Dan
isuru
New Contributor II

Hi Daniel,

Thanks for the updated parser. I will check on this and let you know how it goes.

Regards,
Isuru
Cheers,
Isuru Malawige
isuru
New Contributor II

Hi Daniel,

The parser is working. Thanks for the support.

Regards,
Isuru
Cheers,
Isuru Malawige
AlaaAlatrash

Hi Daniel,
Can you please share the parser again? I cannot access the attachment.
Thanks
FSM_FTNT

Hi Alaa, I just downloaded it again from here. It does open in the browser, which means you may need to view the page source, as it is XML.

Let me know if you are still having issues and I will send you a separate link.

Thanks

Dan

------------------------------
Daniel
------------------------------