Kaspersky Security Center can forward events that are registered on:
- Administration Server
- Administration Console
- Network Agent appliances
To configure the Kaspersky Security Center (10.3.X or a later version) to export events in CEF format, follow these instructions on the Kapersky website. In the Exporting Events properties, select ArcSight as the SEIM system. Then set the SEIM system server adddress and port to the IP address and port of the Devo In-house Relay. If you want to forward historical data to Devo, click the Export archive button (this is optional).
Now create a Relay rule that tags the events sent to the port as cef0.kaspersky.