Events indexed without sourcetype renaming

[diogofgm]

There are some events that keep the Kaspersky sourcetype after indexing.

[kulcsari]

Hi,
Here is the list:
GNRL_EV_FULLSCAN_STATUS_NOTIFICATION
GNRL_EV_OBJECT_BLOCKED
GNRL_EV_OBJECT_CURED
KLAUD_EV_OBJECTMODIFY
KLAUD_EV_SERVERCONNECT
KLNAG_EV_INV_OBS_APP_UNINSTALLED
KLNAG_EV_PATCH_INSTALLED_SUCCESSFULLY
KLNAG_EV_PATCH_INSTALL_STARTING
KLSRV_HOST_MOVED_WITH_RULE_EX
KLSRV_HOST_STATUS_CRITICAL
KLSRV_HOST_STATUS_WARNING
KLSRV_INVISIBLE_HOSTS_REMOVED
KLSRV_RUNTIME_ERROR

I didn't found so far a guide to the meanings of this.

[diogofgm]

Me neither when I was building the TA.
Can you send me a sanitised example of an event for each one of those? There are a few that I think might be related to the system but others might be related to malware detection.

[kulcsari]

Hi,
I will, but unfortunately, it will take time because of my other tasks.

Off: Do you plan to check CEF format sending? There is some interference with CEF header and malware CIM model fields... (Siganture, signature_id, etc)... But without kapsersky experience or guide, not an easy task for me...

[diogofgm]

No problem. I also have my own work to do. 😄
In newer versions of KSC there is an option for sending logs with a "splunk format" which looks like CEF. If I recall correctly, there just few changes I would need to do. But yes, im considering updating the TA to extract the fields if the CEF format is being used.
I'm not an expert on Kaspersky either but its just a matter of making sense of the data.

Just a remark: for any other issue, enhancement, suggestion you might have, open an issue here so I can have them tracked and closed after they are done.

[diogofgm]

Thanks Istvan for the file. I'll take a look at this and update the TA

[diogofgm]

The reworked version available in Splunkbase addresses all the missing sourcetype renaming.