Metadata-Version: 2.1
Name: datadog-kaspersky
Version: 1.0.0
Summary: The Kaspersky check
Project-URL: Source, https://github.com/DataDog/integrations-core
Author-email: Datadog <packages@datadoghq.com>
Keywords: datadog,datadog agent,datadog check,kaspersky
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: BSD License
Classifier: Private :: Do Not Upload
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: System :: Monitoring
Requires-Dist: datadog-checks-base>=4.2.0
Provides-Extra: deps
Description-Content-Type: text/markdown

# Agent Integration: Kaspersky

## Overview

[Kaspersky][4] is a cybersecurity solution that detects, analyzes, and responds to advanced threats across multiple endpoints, blocking attacks, extracting threat patterns, and preventing future incidents.

This integration parses the following types of logs:
- **Endpoint security application events**: Events generated by the Kaspersky Endpoint Security applications.
- **Security center events**: Events generated by Kaspersky Security Center.

Visualize detailed insights into these logs through the out-of-the-box dashboards. Additionally, out-of-the-box detection rules are available to help you monitor and respond to potential security threats effectively.

## Setup

### Installation

The Kaspersky check is included in the [Datadog Agent][2] package.
No additional installation is needed on your server.

### Configuration

  - #### Syslog configuration over Kaspersky Security Center

    - Configure SIEM system integration for Syslog export using either the Administration Console or the Security Center Web Console. Refer to the links below for detailed instructions on each method.

      - Configuring export of events to a SIEM system using the **Administration Console**: [Configuring export of events to SIEM systems][7]
      - Configuring export of events to a SIEM system using the **Security Center Web Console**: [Configuring export of events to SIEM systems][8]

    - Note the host and port you enter for the SIEM server here: the Agent's log listener (configured in the **Log Collection** section) must listen on that same port.


  - #### Marking of events for export to SIEM using syslog on Security Center Web Console

    **Prerequisite**: Ensure that the web plugins for the Endpoint Security applications are installed.

    1. In the console, on the left menu, click **Assets (Devices) > Policies & profiles**.
    2. For each policy **Kaspersky Endpoint Security for X** (where X represents an operating system), click the policy.
    3. In the policy, select the **Event configuration** tab.
    4. On the left panel, select the **Critical** section. Select all event types and click **Mark for export to SIEM system by using Syslog**.
    5. Repeat step 4 for the **Warning**, **Functional failure**, and **Info** sections.

      Events that are not marked in the policy are never exported, regardless of the SIEM integration settings. Marking all four sections ensures that all relevant events from the Kaspersky Endpoint Security applications are exported to the SIEM system via Syslog.

### Validation

[Run the Agent's status subcommand][6] and look for `kaspersky` under the Checks section.

## Data Collected

### Metrics

Kaspersky does not include any metrics.

### Log Collection


1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file with:

    ```yaml
      logs_enabled: true
    ```

2. Add this configuration block to your `kaspersky.d/conf.yaml` file to start collecting your Kaspersky logs. See the sample [kaspersky.d/conf.yaml][9] for available configuration options.

    ```yaml
      logs:
        - type: tcp
          port: <PORT>
          source: kaspersky
          service: kaspersky
    ```

    **Note**: 
      - `PORT`: This must match the port you entered as the SIEM server port in the **Syslog configuration over Kaspersky Security Center** section.
      - Do not change the `service` and `source` values; the log pipeline, dashboards, and detection rules are keyed on them.
      - The `tcp` listener accepts plaintext syslog from any client that can reach the port and performs no authentication, so restrict inbound access to the port to the Security Center host(s) at the firewall or security group.

3. [Restart the Agent][3].

### Events

The Kaspersky integration does not include any events.

### Service Checks

The Kaspersky integration does not include any service checks.

## Troubleshooting

**Permission denied while binding the port:**

If you see a **Permission denied** error in the Agent logs when the Agent tries to bind the configured port:

1. Binding to a port number under 1024 requires elevated privileges. Rather than running the Agent as root, grant only the bind capability to the Agent binary using the `setcap` command:
    ```shell
    sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
    ```

2. Verify the setup is correct by running the `getcap` command:

    ```shell
    sudo getcap /opt/datadog-agent/bin/agent/agent
    ```

    With the expected output:

    ```shell
    /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
    ```

    **Note**: Re-run this `setcap` command every time you upgrade the Agent.

3. [Restart the Agent][3].


**Data is not being collected:**

If the firewall is enabled, ensure that inbound traffic from the Security Center host(s) to the configured port is allowed, and that the port and protocol (TCP) match what you entered in the SIEM integration settings.

**Port already in use:**

If you see the **Port <PORT_NUMBER> Already in Use** error, see the following instructions. The following example is for port 514:

- On systems running a local Syslog daemon, if the Agent listens for events on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`. This error occurs because by default, Syslog listens on port 514; the same conflict occurs for a TCP listener on any port that another service already holds. To resolve this error, take **one** of the following steps: 
    - Disable Syslog.
    - Configure the Agent to listen on a different, available port, and update the SIEM server port in Kaspersky Security Center to match.

For further assistance, contact [Datadog support][1].

[1]: https://docs.datadoghq.com/help/
[2]: https://app.datadoghq.com/account/settings/agent/latest
[3]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent
[4]: https://www.kaspersky.com/next-edr-optimum
[5]: https://github.com/DataDog/integrations-core/blob/master/kaspersky/assets/service_checks.json
[6]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information
[7]: https://support.kaspersky.com/ksc/15.1/89277
[8]: https://support.kaspersky.com/ksc/15.1/216090
[9]: https://github.com/DataDog/integrations-core/blob/master/kaspersky/datadog_checks/kaspersky/data/conf.yaml.example