Previous

Next

Kaspersky - Overview

Kaspersky - Network and Web Security

Kaspersky - Threat Detection and Response

Kaspersky - System Audit

Overview

Kaspersky is a cybersecurity solution that detects, analyzes, and responds to advanced threats across multiple endpoints, blocking attacks, extracting threat patterns, and preventing future incidents.

This integration parses the following types of logs:

• Endpoint security application events : Events generated by various Kaspersky endpoint security applications.
• Security center events : Events generated by Kaspersky security center.

Visualize detailed insights into these logs through the out-of-the-box dashboards. Additionally, out-of-the-box detection rules are available to help you monitor and respond to potential security threats effectively.

Setup

Installation

The Kaspersky check is included in the Datadog Agent package. No additional installation is needed on your server.

Configuration

• Syslog configuration over Kaspersky Security Center

  • Configure SIEM system integration for Syslog export using either the Administration Server or the Security Center Web Console. Refer to the links below for detailed instructions on each method

    • Configuring export of events to SIEM system using Administration Console: Configuring export of events to SIEM systems
    • Configuring export of events to SIEM system using Security Center Web Console: Configuring export of events to SIEM systems

• Marking of events for export to SIEM using syslog on Security Center Web Console

  Prerequisite: Ensure that web plugins for Endpoint Security applications are installed.

  1. In the console, on the left menu, click on Assets (Devices) > Policies & profiles.
  2. For each policy Kaspersky Endpoint Security for X(where X represents various operating systems), click on the policy.
  3. In the policy, select the Event configuration tab.
  4. On the left panel, select the section Critical. Select all event types and click on Mark for export to SIEM system by using Syslog.
  5. Follow the same step(step 4) for Warning, Functional failure, Info sections.

  This ensures that all relevant events from Kaspersky Endpoint Security applications are properly exported to the SIEM system via Syslog.

Validation

Run the Agent’s status subcommand and look for kaspersky under the Checks section.

Data Collected

Metrics

Kaspersky does not include any metrics.

Log Collection

1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the datadog.yaml file with:

     logs_enabled: true
   

2. Add this configuration block to your kaspersky.d/conf.yaml file to start collecting your Kaspersky logs. See the sample kaspersky.d/conf.yaml for available configuration options.

     logs:
       - type: tcp
         port: <PORT>
         source: kaspersky
         service: kaspersky
   

   Note:

   • PORT: Port should be similar to the port provided in Syslog configuration over Kaspersky Security Center section.
   • It is recommended not to change the service and source values, as these parameters are integral to the pipeline’s operation.

3. Restart the Agent.

Events

The Kaspersky integration does not include any events.

Service Checks

The Kaspersky integration does not include any service checks.

Troubleshooting

Permission denied while port binding:

If you see a Permission denied error while port binding in the Agent logs:

1. Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the setcap command:

   sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
   

2. Verify the setup is correct by running the getcap command:

   sudo getcap /opt/datadog-agent/bin/agent/agent
   

   With the expected output:

   /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
   

   Note: Re-run this setcap command every time you upgrade the Agent.

3. Restart the Agent.

Data is not being collected:

Ensure traffic is bypassed from the configured port if the firewall is enabled.

Port already in use:

If you see the Port <PORT_NUMBER> Already in Use error, see the following instructions. The following example is for port 514:

• On systems using Syslog, if the Agent listens for events on port 514, the following error can appear in the Agent logs: Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use. This error occurs because by default, Syslog listens on port 514. To resolve this error, take one of the following steps:
  • Disable Syslog.
  • Configure the Agent to listen on a different, available port.

For further assistance, contact Datadog support.