Kaspersky Logs for SOC

Hello everyone,

I currently work in a SOC environment and I am working on a use case involving monitoring and ingestion of Kaspersky logs into Elastic for managed security services.

During the integration process, I noticed that Kaspersky supports multiple export formats for external SIEM platforms, such as Syslog and CEF. However, I found that the standard Syslog format can become difficult to parse consistently due to the variability and structure of the messages.

On the other hand, the CEF format seems much easier to normalize and map into ECS, especially when using the Elastic CEF integration. That said, I also noticed that some information appears to be represented differently depending on the event type, particularly regarding custom fields and labels.

Considering operational stability, parsing reliability, ECS normalization, correlation, and long-term maintainability in Elastic, I would like to ask:

For those who already work with Kaspersky integrations in Elastic/SIEM environments, which export format do you recommend using in production environments and why?

Additionally:

  • Have you had better results with Syslog raw messages or CEF?

  • Did you use the native Elastic CEF integration or custom pipelines?

  • Were there any major limitations or caveats during onboarding and normalization?

Any recommendations or shared experiences would be greatly appreciated.

Thanks in advance.
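One concrete way to see the CEF normalization issue raised above (custom `csN`/`csNLabel` pairs that mean different things per event type) is a small parser that resolves those pairs into named labels before mapping the standard keys to ECS. This is an added example, not code from the poster or from Elastic; the `ECS_MAP` subset and the sample record are assumptions constructed for illustration.

```python
import re

# Subset of CEF standard keys -> ECS fields (assumed here; the Elastic CEF
# integration ships a much larger mapping).
ECS_MAP = {"src": "source.ip", "dst": "destination.ip", "suser": "source.user.name",
           "duser": "destination.user.name", "fname": "file.name", "dhost": "destination.domain"}
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")          # extension key start
_UNESC = {"\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r", "\\|": "|"}

def _unescape(s):
    return re.sub(r"\\[=\\nr|]", lambda m: _UNESC[m.group(0)], s)

def split_header(line):
    """Split the 7 '|'-separated CEF header fields; '\\|' is a literal pipe."""
    parts, cur, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    return parts, line[i:]          # remainder is the extension block

def parse_extensions(ext):
    """key=value pairs; values may contain spaces, '\\=' is a literal '='."""
    hits = list(_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out

def to_ecs(line):
    """Return a flat dict of ECS-style keys plus a 'labels' dict of csN/cnN pairs."""
    hdr, ext = split_header(line)
    if len(hdr) != 7 or not hdr[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    doc = {"observer.vendor": hdr[1], "observer.product": hdr[2],
           "event.code": hdr[4], "event.action": hdr[5], "event.severity": int(hdr[6])}
    fields, labels = parse_extensions(ext), {}
    for k, v in fields.items():
        if m := re.fullmatch(r"(c[sn]\d+)Label", k):   # csNLabel names the csN value
            labels[v] = fields.get(m.group(1))
        elif not re.fullmatch(r"c[sn]\d+", k):          # bare csN handled via its label
            doc[ECS_MAP.get(k, "cef.extensions." + k)] = v
    doc["labels"] = labels
    return doc

# Constructed sample record (vendor, product and event id are placeholders).
SAMPLE = ("CEF:0|ExampleVendor|ExampleAV|1.0|EV_THREAT|Threat detected|8|"
          "cs1=Trojan.Generic cs1Label=ThreatName dst=10.0.0.5 suser=jdoe "
          "fname=invoice\\=final.exe cn1=3 cn1Label=ActionCode")
```

Resolving labels this way lets a pipeline key detections on `labels.ThreatName` regardless of which `csN` slot a given event type used.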