Configuring an ArcSight SmartConnector to collect events

from Kaspersky Admin Kit 8.0

As part of a comprehensive security monitoring program, many organizations have deployed Security
Information Event Management (SIEM) software within their infrastructure to centrally collect and
analyze valuable security and application logs from the variety of systems and applications that
support their business.
When deploying SIEM technology, it is important to identify the systems and applications that will
generate the necessary log information in support of your documented security objectives.
This will usually include the following types of systems and applications; however, this is not a
comprehensive list:
Firewalls
Proxy Servers
VPNs
Authentication
Physical Access Control
Identity Management
Intrusion Detection
Antivirus
Anti-Spam
Application Audit Logs
There are many SIEM vendors in the marketplace such as Q1 Labs, ArcSight, Splunk and Log Logic.
This particular document will focus on the collection of antivirus event information from Kaspersky
Administration Kit 8.0 using the ArcSight (now Hewlett-Packard) SmartConnector technology.
The ArcSight SmartConnector technology is a Java framework used to integrate 3rd party products for
the purposes of collecting event log information and forwarding the collected events to a central server
for storage, real-time analysis, trending and reporting.
The ArcSight SmartConnector framework offers a variety of event collection options, and depending on
the particular application or system, more than one collection method may be available. Which one
you select will depend on the given limitations of the application/system to generate events, and the
needs and capabilities of your IT infrastructure to support a particular method.

Example event log collection methods

SYSLOG Message
SNMP Trap
Native API (e.g. WMI, OPSEC LEA)
File Monitoring (e.g. Flat-file, CSV)
Database (via JDBC/ODBC)

Page 2

Kaspersky Admin Kit 8.0 is capable of generating event notifications when a particular event or
action occurs (e.g. policy change, virus detection, network attack etc). Policy settings allow for
granular control to which events will be logged, which events will generate a notification, or both.

Supported Notification Methods

Email
Network Message (NET SEND)
SNMP
Running an executable file

Supported Event Log Methods

Windows Event Log (Local Client)
Windows Event Log (Administration Server)

For this exercise, Kaspersky Administration Kit 8.0 will be configured via policy to forward client
events to the Kaspersky Administration Server, where they will be logged into the Windows
Applications and Services Logs, using the Kaspersky Event Log which was automatically created
when the Administration Server was installed.
The ArcSight SmartConnector framework, which can be installed remotely, will be installed locally
on the Kaspersky Administration Server, and will be configured to collect events from the Kaspersky
Event Log in real-time, and to store them in a local file for demonstration purposes.
Note: In a production deployment of ArcSight, the events would be forwarded to an ArcSight Logger or
Enterprise Security Manager (ESM) appliance; however, for this exercise a local file destination was chosen
to demonstrate the concept.

Page 3

To enable logging of Kaspersky Anti-Virus events by ArcSight, the following two procedures are required:

1. Configure event logging within Kaspersky Admin Kit

2. Install and Configure the ArcSight SmartConnector framework

Step 1 Configure Kaspersky Event Logging

1. Log in to the Kaspersky Administration Kit

Page 4

2. Using the navigation on the left, expand the Managed Computers object and drill down to the
policy that you would like to enable logging for, in this example, Windows Workstation Policy

3. Right click on the policy to be edited and select Properties

Page 5

4. Click on the Events tab

5. The drop down list displays the four event categories available; Critical event, Error, Warning,
and Info. Each event category has several events whose properties with regards to notification
and logging can be individually configured.

Page 6

6. Select the Event Category and Event Type that you would like to enable logging for, and click on
the Properties button.

7. Select whether you would like the event to be logged to the clients local event log, or the event
log on the Kaspersky Administration Server, or both, then click OK. Note: For this exercise, we
require that the logs be on to the Kaspersky Administration Server.

Page 7

8. Repeat steps 6 and 7 as required for the remaining Event Categories and Event Types. When
finished, click the Apply button to save your changes, then click OK

9. Click on the name of the policy that you were just editing, and change the Policy Status from
Inactive to Active

Page 8

Step 2 Install the ArcSight SmartConnector Framework

1. Download the ArcSight SmartConnector framework and launch the installer by double-clicking on it.
Note: For this exercise, the Microsoft Windows version of the ArcSight SmartConnector framework utilized
was 5.1.1.5782.0
2. When the installer appears, click Next

3. Select the location to install the ArcSight SmartConnector and click Next

Page 9

4. The Choose Install Set window will be displayed, select Typical and click Next

5. Confirm the Shortcut Folder options and click Next

Page 10

6. Confirm your selections and click Install

7. The ArcSight SmartConnector framework will take several minutes to install the Java Runtime
Environment and the necessary SmartConnector agent.

Page 11

8. When prompted to select the SmartConnector Destination, select CEF File and click Next

9. Confirm the Path and File Name that the events will be written to and click Next

Page 12

10. Select the type of SmartConnector to install, Microsoft Windows Event Log Local, and click Next

11. By default, the SmartConnector is configured to collect the Application, System, and Security
event logs.

Page 13

Highlight the defaults and delete them, then type Kaspersky Event Log and click Next

12. Provide a Name, and optional description for this SmartConnector and click Next

Page 14

13. Confirm the options you have selected and click Next

14. The SmartConnector will now be configured. When completed, click Next

Page 15

15. Select whether you would like the SmartConnector to run as a Service or as a Standalone
Application and click Next

16. Confirm the SmartConnector Service Parameters and click Next

Page 16

17. Once the SmartConnector service has been installed, click Finish

18. The ArcSight SmartConnector installation is now complete, click Done

Page 17

19. Launch the Microsoft Windows Services Applet (services.msc) and verify that the newly
installed ArcSight SmartConnector service is running. Start the service if necessary.

20. Generate some Kaspersky events (i.e. download the EICAR test virus at
http://www.eicar.org from a client)

Page 18

21. Launch the Windows Event Viewer and drill down to the Applications and Service Logs, and
click on the Kaspersky Event Log

22. Verify that the events are being written to the Kaspersky Event Log by double clicking on an event

Page 19

23. Verify that the events are being collected by the ArcSight SmartConnector and stored in a file, by
viewing the file created in the destination directory that was specified during the install (e.g. c:\
Program Files\ArcSightSmartConnectors\current\user\agent\cef\2011-04-12-04-33-38.cef)

Page 20

24. Each event will be recorded in the ArcSight Common Event Format (CEF), with each entry
starting with the header CEF:0, and the individual event fields being Pipe Delimited (|)

At this point, the events can be fed into ArcSight, however, normalization and categorization has not
been performed, so although the SIEM can collect and store the events, it will not understand the
meaning of them, or their context.
Categorization of events was outside of the scope of this exercise, which was to demonstrate the
ability to collect the events.

Kaspersky Lab
500 Unicorn Park
Woburn, MA 01801
866.563.3099
[email protected]
www.kaspersky.com
www.threatpost.com
Page 21