Skip to content
KYRA MDR KYRA MDR Docs

CCTV NVR Integration

Overview

This integration collects event logs from CCTV cameras and NVR (Network Video Recorder) systems for IoT threat detection and physical security monitoring. CCTV devices are network-connected IoT endpoints frequently targeted by botnets (e.g., Mirai) and are present in virtually all Korean office environments.

Supported vendors: Hanwha Vision (formerly Samsung Techwin), Hikvision, Dahua

Prerequisites

  • A KYRA MDR Collector installed and running (Installation Guide)
  • Administrator access to the NVR management interface
  • Network connectivity from the NVR to the collector on port 514
  • ONVIF-compatible devices (for standardized event collection)

Configuration

Option 1: NVR Syslog Output

Configure syslog forwarding in the NVR management interface:

  • Hanwha NVR: System > Event > Syslog — set the server to KYRA_COLLECTOR_IP:514
  • Hikvision NVR: Configuration > Network > Advanced > Syslog — set the server address and port

Option 2: ONVIF Event Subscription

ONVIF is an industry standard supported by all major CCTV brands. Use WS-BaseNotification to subscribe to device events:

ONVIF Event Service → Subscribe to:
  - Device/Authentication
  - Device/Configuration
  - Device/NetworkStatus
  - Recording/Status

Option 3: Vendor REST API

  • Hanwha SUNAPI: REST API with HTTP callback or WebSocket event subscription
  • Hikvision ISAPI: Query logs via /ISAPI/ContentMgmt/logSearch

Collected Log Types

Log TypeSecurity UsePriority
Admin login eventsBrute force, unauthorized accessHigh
Configuration changesRecording disabled (evidence tampering)High
Network connectionsOutbound C2 communication (botnet)High
Firmware versionCVE vulnerability matchingMedium
Motion detection alertsPhysical security (after-hours intrusion)Medium
Recording statusRecording interruption (failure/tampering)Medium

Troubleshooting

No Logs Received

  1. Verify syslog is enabled in the NVR management interface
  2. Check that the NVR can reach the collector IP on port 514
  3. Ensure the device firmware is up to date (older firmware may lack syslog support)
  4. For ONVIF, verify the subscription is active and the callback URL is reachable

Default Credentials Warning

  • Many CCTV/NVR devices ship with default passwords (e.g., admin/admin)
  • Change default credentials immediately to prevent unauthorized access
  • Known vulnerabilities such as Hikvision CVE-2021-36260 require firmware updates

For additional help, contact kyra@seekerslab.com.