diogofgm / TA-kaspersky

Kaspersky SC Add-on for Splunk
Apache License 2.0

Events indexed without sourcetype renaming #2

Closed diogofgm closed 5 years ago

diogofgm commented 6 years ago

There are some events that keep the Kaspersky sourcetype after indexing.

kulcsari commented 6 years ago

Hi, here is the list:

- GNRL_EV_FULLSCAN_STATUS_NOTIFICATION
- GNRL_EV_OBJECT_BLOCKED
- GNRL_EV_OBJECT_CURED
- KLAUD_EV_OBJECTMODIFY
- KLAUD_EV_SERVERCONNECT
- KLNAG_EV_INV_OBS_APP_UNINSTALLED
- KLNAG_EV_PATCH_INSTALLED_SUCCESSFULLY
- KLNAG_EV_PATCH_INSTALL_STARTING
- KLSRV_HOST_MOVED_WITH_RULE_EX
- KLSRV_HOST_STATUS_CRITICAL
- KLSRV_HOST_STATUS_WARNING
- KLSRV_INVISIBLE_HOSTS_REMOVED
- KLSRV_RUNTIME_ERROR

I haven't found a guide to the meanings of these so far.

diogofgm commented 6 years ago

Me neither when I was building the TA. Can you send me a sanitised example of an event for each one of those? There are a few that I think might be related to the system but others might be related to malware detection.

kulcsari commented 6 years ago

Hi, I will, but unfortunately, it will take time because of my other tasks.

Off-topic: Do you plan to check CEF format sending? There is some interference between the CEF header and the Malware CIM model fields... (signature, signature_id, etc.)... But without Kaspersky experience or a guide, it's not an easy task for me...

diogofgm commented 6 years ago

No problem. I also have my own work to do. 😄 In newer versions of KSC there is an option for sending logs with a "splunk format" which looks like CEF. If I recall correctly, there are just a few changes I would need to make. But yes, I'm considering updating the TA to extract the fields if the CEF format is being used. I'm not an expert on Kaspersky either, but it's just a matter of making sense of the data.

Just a remark: for any other issue, enhancement, suggestion you might have, open an issue here so I can have them tracked and closed after they are done.

diogofgm commented 6 years ago

Thanks Istvan for the file. I'll take a look at this and update the TA.

diogofgm commented 5 years ago

The reworked version available in Splunkbase addresses all the missing sourcetype renaming.
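The thread above is about KSC event types that fall through the TA's sourcetype-renaming rules and stay on the generic sourcetype. The following added example (not code from the TA or from either commenter) shows how a practitioner can check rule coverage offline: it models transforms.conf-style REGEX/FORMAT rules, runs the event types from the issue through them, and lists the ones still unrenamed. The target sourcetype names, the regexes and the sample syslog line format are all invented for this example; the real TA's names differ.

```python
import re

# Event types the issue reports as keeping the generic "kaspersky" sourcetype.
REPORTED_EVENT_TYPES = [
    "GNRL_EV_FULLSCAN_STATUS_NOTIFICATION", "GNRL_EV_OBJECT_BLOCKED",
    "GNRL_EV_OBJECT_CURED", "KLAUD_EV_OBJECTMODIFY", "KLAUD_EV_SERVERCONNECT",
    "KLNAG_EV_INV_OBS_APP_UNINSTALLED", "KLNAG_EV_PATCH_INSTALLED_SUCCESSFULLY",
    "KLNAG_EV_PATCH_INSTALL_STARTING", "KLSRV_HOST_MOVED_WITH_RULE_EX",
    "KLSRV_HOST_STATUS_CRITICAL", "KLSRV_HOST_STATUS_WARNING",
    "KLSRV_INVISIBLE_HOSTS_REMOVED", "KLSRV_RUNTIME_ERROR",
]

# Hypothetical renaming rules: (REGEX, target sourcetype), one per
# transforms.conf stanza. Names and patterns are invented for this example.
RENAME_RULES = [
    (r"\bGNRL_EV_(OBJECT_BLOCKED|OBJECT_CURED)\b", "kaspersky:threat"),
    (r"\bKLAUD_EV_\w+", "kaspersky:audit"),
    (r"\bKLNAG_EV_PATCH_\w+", "kaspersky:patch"),
    (r"\bKLSRV_HOST_STATUS_(CRITICAL|WARNING)\b", "kaspersky:host_status"),
]

def make_event(event_type):
    """Build a constructed KSC-style syslog line carrying one event type."""
    return f"Jan 1 00:00:01 ksc-server KSC: event_type={event_type} host=ws-01"

def resolve_sourcetype(raw_event, rules=RENAME_RULES, default="kaspersky"):
    """Return the sourcetype of the first matching rule, else the default.

    This checker stops at the first match; order the rules accordingly."""
    for pattern, sourcetype in rules:
        if re.search(pattern, raw_event):
            return sourcetype
    return default

def unrenamed_event_types(event_types=REPORTED_EVENT_TYPES, rules=RENAME_RULES):
    """Event types whose constructed events fall through every rename rule."""
    return [t for t in event_types
            if resolve_sourcetype(make_event(t), rules) == "kaspersky"]

def render_transforms_conf(rules):
    """Emit the rules as transforms.conf stanzas that rewrite the sourcetype."""
    stanzas = []
    for i, (pattern, sourcetype) in enumerate(rules):
        stanzas.append(f"[kaspersky_rename_{i}]\nREGEX = {pattern}\n"
                       f"FORMAT = sourcetype::{sourcetype}\n"
                       "DEST_KEY = MetaData:Sourcetype\n")
    return "\n".join(stanzas)

if __name__ == "__main__":
    print(render_transforms_conf(RENAME_RULES))
    print("still unrenamed:", unrenamed_event_types())
```

Each stanza name emitted by `render_transforms_conf` still has to be listed in a `TRANSFORMS-` setting in props.conf for the incoming sourcetype before Splunk applies it.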