We are going to export all malware events that Kaspersky generates to a syslog server that runs the Wazuh Agent.

Why? Because you can export in this format even if you don't have the superior license for Endpoint Protection: a syslog server (rsyslog) writes log files from KSC, and the Wazuh Agent sends them to Wazuh.

Because Kaspersky syslog is way too indistinguishable, the only way that I got to work out was to create a template in rsyslog:
In the rsyslog server:
- modify `/etc/rsyslog.conf`
- create a logrotate in `/etc/logrotate.d/rsyslog`, to maintain space
- systemctl restart rsyslog.service
In the Wazuh agent:
- modify `/var/ossec/etc/ossec.conf`, to make the agent read the syslog archive
- systemctl restart wazuh-agent
In the Wazuh server:
- create the decoder
- create the rules
- systemctl restart wazuh-manager
The files in this repo contain an explanation for each one of them.
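The whole pipeline above (rsyslog template, logrotate, agent localfile, manager decoder and rules) as one added example, not code from this repo. It writes the five fragments to a staging directory for review instead of touching `/etc` or `/var/ossec` directly. The KSC host address `192.0.2.10`, the port `514/udp`, the output path `/var/log/ksc/ksc.log`, the `ksc:` program name, the rule ids `100100`/`100101` and the keywords matched in the malware rule are all assumptions of this example; the repo's own template and rules may differ. The rsyslog part goes in a drop-in under `/etc/rsyslog.d/` rather than in `/etc/rsyslog.conf` itself, which is a choice, not what the repo does.

```shell
#!/bin/sh
# Added example (not part of the repo): generate the config fragments for
# KSC -> rsyslog -> Wazuh agent -> Wazuh manager into a staging directory.
# Assumed placeholders: KSC host 192.0.2.10, UDP/514, log file /var/log/ksc/ksc.log.

KSC_HOST="${KSC_HOST:-192.0.2.10}"
KSC_LOG="${KSC_LOG:-/var/log/ksc/ksc.log}"

# rsyslog: accept only the KSC host, rewrite every event with a fixed program
# name ("ksc:") so the Wazuh syslog pre-decoder can tell it apart from other
# syslog traffic, write it to its own file and stop so it does not also land
# in the general syslog file.
rsyslog_conf() {
    cat <<EOF
module(load="imudp")
input(type="imudp" port="514")
template(name="KscLine" type="string" string="%timestamp% %fromhost% ksc: %msg%\\n")
if \$fromhost-ip == '$KSC_HOST' then {
    action(type="omfile" file="$KSC_LOG" template="KscLine")
    stop
}
EOF
}

# logrotate: keep two weeks of compressed history and HUP rsyslog so it
# reopens the rotated file (the rsyslogd.pid path is an assumption).
logrotate_conf() {
    cat <<EOF
$KSC_LOG {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    postrotate
        /bin/kill -HUP "\$(cat /var/run/rsyslogd.pid 2>/dev/null)" 2>/dev/null || true
    endscript
}
EOF
}

# Wazuh agent: <localfile> block to add inside <ossec_config> in ossec.conf.
ossec_localfile() {
    cat <<EOF
<localfile>
  <log_format>syslog</log_format>
  <location>$KSC_LOG</location>
</localfile>
EOF
}

# Wazuh manager decoder: match on the program name set by the rsyslog template.
wazuh_decoder() {
    cat <<'EOF'
<decoder name="ksc">
  <program_name>^ksc</program_name>
</decoder>
EOF
}

# Wazuh manager rules: a low-level base rule for every KSC event and a
# level-10 child rule for lines that carry a detection keyword (assumed keywords).
wazuh_rules() {
    cat <<'EOF'
<group name="ksc,">
  <rule id="100100" level="3">
    <decoded_as>ksc</decoded_as>
    <description>Kaspersky Security Center event forwarded via rsyslog</description>
  </rule>
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <match>Malicious object|virus|malware</match>
    <description>Kaspersky Security Center: malware detected</description>
    <group>malware,</group>
  </rule>
</group>
EOF
}

# Write all five fragments under the staging directory and list them.
write_all() {
    stage="$1"
    mkdir -p "$stage/etc/rsyslog.d" "$stage/etc/logrotate.d" \
             "$stage/var/ossec/etc/decoders" "$stage/var/ossec/etc/rules"
    rsyslog_conf    > "$stage/etc/rsyslog.d/10-ksc.conf"
    logrotate_conf  > "$stage/etc/logrotate.d/ksc"
    ossec_localfile > "$stage/var/ossec/etc/ossec.conf.localfile-fragment"
    wazuh_decoder   > "$stage/var/ossec/etc/decoders/local_decoder_ksc.xml"
    wazuh_rules     > "$stage/var/ossec/etc/rules/local_rules_ksc.xml"
    find "$stage" -type f | sort
}

# Usage: sh gen_ksc_pipeline.sh ./ksc-stage
if [ "$#" -gt 0 ]; then write_all "$1"; fi
```

After copying the fragments into place, `rsyslogd -N1` checks the rsyslog syntax before the restart, and `/var/ossec/bin/wazuh-logtest` on the manager lets you paste one line from the log file and confirm it hits the `ksc` decoder and the expected rule id before restarting wazuh-manager.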