Supported OS: Linux, Windows, Mac OS

Integration version 1.0.0

Overview

Kaspersky is a cybersecurity solution that detects, analyzes, and responds to advanced threats across multiple endpoints, blocking attacks, extracting threat patterns, and preventing future incidents.

This integration parses the following types of logs:

  • Endpoint security application events: Events generated by various Kaspersky endpoint security applications.
  • Security center events: Events generated by Kaspersky Security Center.

Visualize detailed insights into these logs through the out-of-the-box dashboards. Additionally, out-of-the-box detection rules are available to help you monitor and respond to potential security threats effectively.

Setup

Installation

The Kaspersky check is included in the Datadog Agent package. No additional installation is needed on your server.

Configuration

  • Syslog configuration over Kaspersky Security Center

  • Marking of events for export to SIEM using syslog on Security Center Web Console

    Prerequisite: Ensure that web plugins for Endpoint Security applications are installed.

    1. In the console, on the left menu, click on Assets (Devices) > Policies & profiles.
    2. For each policy named Kaspersky Endpoint Security for X (where X represents an operating system), click on the policy.
    3. In the policy, select the Event configuration tab.
    4. On the left panel, select the Critical section. Select all event types and click on Mark for export to SIEM system by using Syslog.
    5. Repeat step 4 for the Warning, Functional failure, and Info sections.

    This ensures that all relevant events from Kaspersky Endpoint Security applications are properly exported to the SIEM system via Syslog.

Validation

Run the Agent’s status subcommand and look for kaspersky under the Checks section.

Data Collected

Metrics

Kaspersky does not include any metrics.

Log Collection

  1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the datadog.yaml file with:

      logs_enabled: true
    
  2. Add this configuration block to your kaspersky.d/conf.yaml file to start collecting your Kaspersky logs. See the sample kaspersky.d/conf.yaml for available configuration options.

      logs:
        - type: tcp
          port: <PORT>
          source: kaspersky
          service: kaspersky
    

    Note:

    • PORT: Use the same port that you provided in the Syslog configuration over Kaspersky Security Center section.
    • It is recommended not to change the service and source values, as these parameters are integral to the pipeline’s operation.
  3. Restart the Agent.

Events

The Kaspersky integration does not include any events.

Service Checks

The Kaspersky integration does not include any service checks.

Troubleshooting

Permission denied while port binding:

If you see a Permission denied error while port binding in the Agent logs:

  1. Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the setcap command:

    sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
    
  2. Verify the setup is correct by running the getcap command:

    sudo getcap /opt/datadog-agent/bin/agent/agent
    

    With the expected output:

    /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
    

    Note: Re-run this setcap command every time you upgrade the Agent.

  3. Restart the Agent.

Data is not being collected:

If a firewall is enabled, ensure it allows inbound traffic on the configured port.
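As an added example (not part of the Datadog integration or of Kaspersky's tooling), the following Python script exercises the TCP path that the Log Collection `logs:` block and this firewall check depend on. It stands up a throwaway TCP listener in-process to play the role of the Agent's `type: tcp` listener, sends one constructed syslog line to it, and confirms the line arrives intact; `send_syslog_line` can also be pointed at the real Agent host and the `<PORT>` value from `kaspersky.d/conf.yaml` to confirm that the firewall lets the connection through. The host names, the sample syslog line, and all function names are assumptions made for this example; the sample line is not a real Kaspersky event format.

```python
"""Smoke test for the TCP syslog path used by the Kaspersky log integration.

Added example, not part of the Datadog integration or Kaspersky's tooling.
A throwaway in-process TCP listener stands in for the Agent's `type: tcp`
log listener; one constructed syslog line is sent to it and read back.
"""
import socket
import threading

# Constructed sample: an RFC 5424-style syslog line carrying a made-up
# message. It is NOT a real Kaspersky event format.
SAMPLE_LINE = "<14>1 2024-01-01T00:00:00Z ksc-host KSC - - - constructed test event\n"


def start_capture_listener(host="127.0.0.1", port=0, timeout=5.0):
    """Bind a TCP listener (port 0 = OS-assigned) and capture one connection.

    Returns (bound_port, result, thread). result["data"] holds everything the
    first client sent, once that client closes its connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(timeout)
    bound_port = srv.getsockname()[1]
    result = {"data": b""}

    def _serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(timeout)
                chunks = []
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:  # peer closed: message complete
                        break
                    chunks.append(chunk)
                result["data"] = b"".join(chunks)
        except socket.timeout:
            pass  # nothing connected in time; result stays empty
        finally:
            srv.close()

    t = threading.Thread(target=_serve, daemon=True)
    t.start()
    return bound_port, result, t


def send_syslog_line(host, port, line=SAMPLE_LINE, timeout=3.0):
    """Open a TCP connection and send one syslog line.

    Returns True on success, False if the connection is refused or times out,
    which is what a blocking firewall or a wrong <PORT> looks like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(line.encode("utf-8"))
        return True
    except OSError:
        return False


def port_requires_privilege(port):
    """Ports below 1024 need root or CAP_NET_BIND_SERVICE on Linux."""
    return 0 < port < 1024


def smoke_test(host="127.0.0.1"):
    """Run listener and sender locally; returns the received text ("" on failure)."""
    port, result, t = start_capture_listener(host)
    ok = send_syslog_line(host, port)
    t.join(timeout=5.0)
    return result["data"].decode("utf-8") if ok else ""


if __name__ == "__main__":
    received = smoke_test()
    print("received:", repr(received))
```

When the local smoke test passes but the Agent still shows nothing, the remaining suspects are the network path between Security Center and the Agent host (run `send_syslog_line` from the Security Center side against the real `<PORT>`) and the port number mismatch the Note in the Log Collection section warns about.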

Port already in use:

If you see a Port <PORT_NUMBER> Already in Use error, follow the instructions below. The example uses port 514:

  • On systems using Syslog, if the Agent listens for events on port 514, the following error can appear in the Agent logs: Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use. This error occurs because by default, Syslog listens on port 514. To resolve this error, take one of the following steps:
    • Disable Syslog.
    • Configure the Agent to listen on a different, available port.

For further assistance, contact Datadog support.