Contents
- Getting information for Technical Support
- Protection Server and Light Agent dump files
- Trace files of the Kaspersky Security Components Installation Wizard
- Trace files of the Integration Server and Integration Server Console
- Trace files of the tool for managing Integration Server and SVM certificates
- Trace files of SVMs, Light Agent, and Kaspersky Security management plug-ins
- The SVM Management Wizard log
- Using the utilities and scripts from the Kaspersky Security distribution kit
- About remotely diagnosing a device using Kaspersky Security Center
Getting information for Technical Support
Getting data files
After you inform Kaspersky Technical Support specialists about your issue, they may ask you to send the following files:
- SVM system statistics files
- Dump files of the Protection Server and Light Agents
- Trace files from the Solution Components Installation Wizard
- Trace files of the Integration Server and Integration Server Console
- Trace files of SVMs, Light Agent, and Kaspersky Security management plug-ins
A dump file contains all information about the working memory of Kaspersky Security processes at the time the dump file was created.
A trace file helps track the step-by-step execution of instructions by solution components and can help detect the stage of execution when an error occurs.
Changing solution component settings
Technical Support specialists may also require additional information about the operating system, processes that are running on the protected virtual machine, and detailed reports on the operation of solution components.
While diagnosing the problem, Technical Support specialists may, for debugging purposes, ask you to change the solution component settings to:
- Activate the functionality that gathers extended diagnostic information.
- Run the tools included in the solution's distribution kit.
- Change the settings for storing diagnostic information.
- Enable debugging mode for the Integration Server.
- Configure interception of network traffic and save it to file.
- Perform more detailed configuration of the operation of the Light Agents, Protection Server, Integration Server, Integration Server Console, and management plug-ins. This detailed configuration is not available through the solution management tools described in this help.
Technical Support experts will provide you with all the information needed to perform the listed operations, including a description of the sequence of steps, settings to be modified, configuration files, scripts, additional command line functionality, debugging modules, special-purpose tools, and will inform you about the scope of data submitted for debugging purposes.
The extended diagnostic information is saved on your virtual machine. The data is not automatically sent to Kaspersky.
You are strongly advised to perform the above-mentioned steps solely under the guidance of Technical Support specialists and according to their instructions. Independent modification of the solution settings in ways not described in the solution's help or in recommendations from Technical Support specialists may cause operating system slowdowns and malfunctions, decrease of the protection level of virtual machines, and lead to the loss or corruption of the information being processed.
Disabling the rollback function
You may need to disable the rollback function in order to analyze an error that occurs during SVM deployment using the Integration Server Console.
To disable the rollback function:
- On the device where the Kaspersky Security Center Administration Console is installed, open the file %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA Console\Kaspersky.VIISConsole.UI.exe.config in a text editor.
You must edit the file under the administrator account.
- In the <appSettings></appSettings> section, edit the <!--<add key="disableRollback" value="1" />--> string as follows: <add key="disableRollback" value="1" />
- Save and close the Kaspersky.VIISConsole.UI.exe.config file.
The new settings are applied after the Integration Server Console is restarted.
Getting information about SVMs connected to the Integration Server
Technical Support experts may ask you to provide information about the SVMs that are connected to the Integration Server. You can view a list of all SVMs connected to the Integration Server in the Integration Server Console.
Troubleshooting the solution
To diagnose performance issues, you may need to turn on debug mode for the Integration Server. To turn on debug mode, you need to use special configuration file settings. For more detailed information, please contact Technical Support.
Protection Server and Light Agent dump files
A dump file contains information about the working memory of Kaspersky Security processes at the time the file was created.
Dump files can also contain personal data. It is recommended that you ensure that information is protected against unauthorized access before it is sent to Kaspersky.
Dump files are not sent to Kaspersky automatically.
Protection Server dump files
By default, Protection Server dump files are not created. You can enable or disable logging of dump files.
To enable logging of Protection Server dump files:
- Create an /etc/opt/kaspersky/la/dumps_enabled file on the SVM.
- Restart the scanserver service by running the systemctl restart la-scanserver command.
By default, all created dump files are located on the SVM in the /var/opt/kaspersky/la/dumps directory. The name of each *.dmp file contains the date and time when the file was created, the process identifier (PID), and the dump number in the session.
You can change the dump logging settings in the ScanServer.conf configuration file (in the [dumps] section).
Access to the dump files requires the password of the SVM root account assigned during Protection Server installation. If you change the default directory for storing dump files, Kaspersky Security does not control access to dump files. If the file system where the specified directory is located supports appropriate access control, the root account permissions are required to access the dump files.
Dump files are automatically deleted when the SVM is deleted.
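A check for the case described above, where the dump directory has been moved from the default location and Kaspersky Security no longer controls access to it. This is an added example, not part of the Kaspersky Security distribution kit; the function name audit_diag_dir and the policy it applies (everything owned by root, no group or other permission bits) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky Security distribution kit.
#
# Usage: audit_diag_dir DIR [OWNER]
#   DIR    directory that holds dump or trace files
#   OWNER  account that should own everything in DIR (default: root)
#
# Prints one line per finding:
#   OWNER <path>   not owned by the expected account
#   MODE  <path>   readable, writable or searchable by group or others
# Returns 0 when nothing was found, 1 when there are findings,
# 2 when DIR does not exist.
# Assumption: file names do not contain newline characters.

audit_diag_dir() {
    ad_dir=$1
    ad_owner=${2:-root}
    ad_rc=0

    if [ ! -d "$ad_dir" ]; then
        echo "MISSING $ad_dir"
        return 2
    fi

    # Anything (the directory itself included) that the expected
    # account does not own. Symbolic links are skipped because their
    # own ownership and mode bits do not control access to the target.
    ad_bad_owner=$(find "$ad_dir" ! -type l ! -user "$ad_owner" -print)

    # Anything with at least one group or other permission bit set.
    # Six POSIX "-perm -bit" tests are used instead of a find extension.
    ad_bad_mode=$(find "$ad_dir" ! -type l \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print)

    if [ -n "$ad_bad_owner" ]; then
        printf '%s\n' "$ad_bad_owner" | sed 's/^/OWNER /'
        ad_rc=1
    fi

    if [ -n "$ad_bad_mode" ]; then
        printf '%s\n' "$ad_bad_mode" | sed 's/^/MODE /'
        ad_rc=1
    fi

    return "$ad_rc"
}

# Run the audit only when the script is given a directory, for example:
#   sh audit_diag_dir.sh /var/opt/kaspersky/la/dumps
if [ "$#" -gt 0 ]; then
    audit_diag_dir "$@"
fi
```

Run it on the SVM as root against the directory named in the [dumps] section of ScanServer.conf before collecting the files for Technical Support.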
To disable creation of Protection Server dump files:
- Delete the /etc/opt/kaspersky/la/dumps_enabled file.
- Restart the scanserver service by running the systemctl restart la-scanserver command.
Light Agent for Linux dump files
Light Agent for Linux dump files can be created on a device on which Kaspersky Endpoint Security for Linux is installed and used in Light Agent for Linux mode. For more information about Kaspersky Endpoint Security for Linux dump files, see the Kaspersky Endpoint Security for Linux Help.
Trace files of the Kaspersky Security Components Installation Wizard
Information about the progress and results of the Kaspersky Security Components Installation Wizard is written to trace files. If installation, upgrade, or removal of the Integration Server or Integration Server Console ends with an error, you can use these trace files when contacting Technical Support.
Trace files of the Kaspersky Security Components Installation Wizard are files in TXT format. They are automatically saved on the same device where the Wizard was started.
If you installed Kaspersky Security components or downloaded SVM images, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleInitialInstall_logs_<date and time>.zip, where:
- <version number> refers to the number of the installed version of Kaspersky Security;
- <date and time> refers to the date and time when the installation was completed.
If you upgraded Kaspersky Security components, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleMajorUpgrade_logs_<date and time>.zip, where:
- <version number> refers to the number of the installed version of Kaspersky Security;
- <date and time> refers to the date and time when the upgrade was completed.
If you removed Kaspersky Security components, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleUninstall_logs_<date and time>.zip, where:
- <version number> refers to the number of the installed version of Kaspersky Security;
- <date and time> refers to the date and time when the removal was completed.
Trace files of the Kaspersky Security Components Installation Wizard contain the following information:
- Diagnostic information about the process of installation, upgrade, or removal of Kaspersky Security components.
- Name of the device on which the user started the procedure for installing, upgrading or removing Kaspersky Security components, and the name of the user that started the procedure.
- Information about errors that occurred during the process of installation, upgrade, or removal of Kaspersky Security components.
Trace files of the Kaspersky Security Components Installation Wizard are stored in a readable format. It is recommended that you ensure that information is protected against unauthorized access before it is sent to Kaspersky.
Trace files of the Kaspersky Security Components Installation Wizard are not automatically sent to Kaspersky.
Trace files of the Integration Server and Integration Server Console
Information about the operation of the Integration Server and the Integration Server Console may be recorded in the following trace files:
- %ProgramData%\Kaspersky Lab\VIISLA\logs\viisla_service_loader.log – Integration Server trace file. The file does not contain personal data.
- %ProgramData%\Kaspersky Lab\VIISLA\logs\service.log – Integration Server trace file.
- %ProgramData%\Kaspersky Lab\VIISLA Console\logs\console.log – the trace file of the Integration Server Console.
- %ProgramData%\Kaspersky Lab\VIISLA\logs\SvmManagement\sm-<file creation date>.log – the trace file of SVM deployment, reconfiguration, and removal procedures using the Integration Server REST API.
By default, trace files are created with the Error level of detail. You can disable the logging of information to Integration Server and Integration Server Console trace files, and change the verbosity level of information in trace files by using the following configuration files:
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\appsettings.logging.json – for the Integration Server trace file and the SVM deployment, reconfiguration, and removal procedures trace file.
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA Console\NLog.config – for the Integration Server Console trace file.
Contact Technical Support representatives for details.
Trace files are moved to an archive folder (%ProgramData%\Kaspersky Lab\VIISLA\logs\archives) when the file size reaches 5 MB. Up to 10 files are stored in the archive folder. Once this number is reached, older files are deleted.
Access to the folder where trace files are saved is restricted by using an ACL. Administrator rights are required to access this folder.
If you change the default folder for storing trace files, Kaspersky Security does not control access to trace files. It is recommended to protect the information from unauthorized access.
The following information may be saved in the Integration Server trace file:
- Diagnostic information about the operation of the Integration Server, its workload, and the results of a data integrity check.
- Headers and contents of HTTP requests that are sent and received by the Integration Server during its operation.
- IP addresses of SVMs and protected virtual machines, and the IP address of the device hosting the Kaspersky Security Center Administration Console if the Kaspersky Security Center Administration Console is installed separately from the Kaspersky Security Center Administration Server.
- Tracing of requests to the Integration Server.
- Description of exclusions and errors that occurred when working with internal subsystems and external services.
- Names of internal Integration Server accounts.
- Names of accounts that are used to connect the Integration Server to virtual infrastructure objects.
- Depending on the type of virtual infrastructure:
- IP addresses or fully qualified domain names (FQDN) of hypervisors or virtual infrastructure administration servers to which the Integration Server connects.
- IP addresses or fully qualified domain names (FQDN) of the Keystone microservice or other cloud infrastructure microservices to which the Integration Server connects.
- If Kaspersky Security is used in multitenancy mode:
- Names and identifiers of the tenants registered in the Integration Server database.
- Account names of Kaspersky Security Center virtual Administration Servers administrators.
- Identifiers and IP addresses of the tenant virtual machines.
The following information may be saved in the Integration Server Console trace file:
- Diagnostic information about the operation of the Integration Server Console.
- Tracing of command line parameters and results of checking them.
- Headers and contents of HTTP requests that are sent and received by the Integration Server Console during its operation.
- Information about navigations through sections of the Integration Server Console and working with interface elements.
- IP address of the Kaspersky Security Center Administration Server.
- Port numbers for interaction with the Kaspersky Security Center Administration Server through the Kaspersky Security Center Network Agent.
- Description of exclusions and errors that occurred when working with internal subsystems and external services.
- Names of internal Integration Server accounts.
- Names of accounts that are used to connect the Integration Server to virtual infrastructure objects.
- Depending on the type of virtual infrastructure:
- IP addresses or fully qualified domain names (FQDN) of hypervisors or virtual infrastructure administration servers to which the Integration Server connects.
- IP addresses or fully qualified domain names (FQDN) of the Keystone microservice or other cloud infrastructure microservices to which the Integration Server connects.
- If Kaspersky Security is used in multitenancy mode, the names of tenants registered in the Integration Server database are listed.
You can use Integration Server trace files and Integration Server Console trace files when contacting Technical Support. The information recorded in trace files may be needed for analysis and identification of the causes of errors in the operation of the Integration Server.
Integration Server trace files and Integration Server Console trace files are not automatically sent to Kaspersky.
Trace files of the tool for managing Integration Server and SVM certificates
Information about the operation of the tool for managing the certificates of the Integration Server and SVMs may be recorded in trace files located in the %ProgramData%\Kaspersky Lab\VIISLA\logs folder.
By default, trace files are not created.
You can enable logging information to trace files of the certificate management tool, and also configure trace settings in the appsettings.certificate_manager.json configuration file located in the Integration Server installation folder: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\.
Trace files of the certificate management tool may contain the following information:
- Lines used to invoke the tool, including parameters and arguments, except passwords.
- Tool output lines containing requests to the user.
- Information about the progress of command execution, including information about errors.
Trace files of the certificate management tool do not contain personal information.
Trace files are moved to an archive folder (%ProgramData%\Kaspersky Lab\VIISLA\logs\archives) when the file size reaches 5 MB. Up to 10 files are stored in the archive folder. Once this number is reached, older files are deleted.
Access to the folder where trace files are saved is restricted by using an ACL. Administrator rights are required to access this folder.
If you change the default folder for storing trace files, Kaspersky Security does not control access to trace files. It is recommended to protect the information from unauthorized access.
Trace files are not sent to Kaspersky automatically.
Trace files of SVMs, Light Agent, and Kaspersky Security management plug-ins
Trace files of SVMs, Light Agent, and Kaspersky Security management plug-ins may contain the following general data:
- Event time
- Number of the thread of execution
- Name of the Kaspersky Security component that caused the event
- Degree of event importance (informational event, warning, critical event, error)
- Description of the event involving execution of a command received from a Kaspersky Security component, and the result of execution of this command
For detailed information about Light Agent for Linux trace files, see the Kaspersky Endpoint Security for Linux Help.
SVM trace files
During SVM operation, the following trace files may be created on an SVM:
- Protection Server trace file (ScanServer.log). The name of the file contains the file creation date and time. In addition to general data, this file may contain the following information:
- Personal data, including the last name, first name and middle name, if such data is included in the path to files on protected virtual machines.
- The name of the account used to log in to the operating system if the user account name is part of a file name.
- Your email address or web address containing the name of your account and password if they are contained in the name of the detected object.
- Settings for connecting SVMs to the Integration Server.
- Information about connecting Light Agents to SVM: unique SVM identifier, unique identifier and information about the operating system of the virtual machine, on which Light Agent is installed, time intervals during which the Light Agent was connected to the SVM.
- boot_config.log trace file. This file records the results of executing commands of the SVM first startup script.
- wdserver.log trace file. This file records information about events that occur during operation of the watchdog service (wdserver). The file contains general data.
- SnmpTool.log trace file. This file records information about events that occur during operation of the SNMP service (SnmpTool). The file contains general data.
- Trace file of the Kaspersky Security Center Network Agent. This file records information about events occurring during operation of the Kaspersky Security Center connectivity module. The file contains general data.
boot_config.log and wdserver.log trace files are created automatically.
You can create the ScanServer.log and SnmpTool.log trace files using the ScanServer.conf and SnmpTool.conf configuration files, which are located in the /etc/opt/kaspersky/la/ directory on the SVM. A special script is used to create a Network Agent trace file.
For detailed information on how to create and configure trace files, please contact our Technical Support experts.
All created SVM trace files are located in the /var/log/kaspersky/la/ directory.
The ScanServer.log trace file can also be created using the Protection Server policy. To do this, you need to:
- Enable the display of additional settings in the Protection Server policy. By default, additional settings are not displayed.
- Configure the trace level in the Advanced settings section of the policy and apply the change.
You are advised to clarify the required trace level with a Technical Support specialist.
SVM trace files are stored in readable format. It is recommended that you ensure that information is protected against unauthorized access before it is sent to Kaspersky.
SVM trace files are not automatically sent to Kaspersky. Trace files are automatically deleted when uninstalling Kaspersky Security.
Trace files of management plug-ins
Trace files of MMC plug-ins
If you use the Kaspersky Security Center Administration Console to manage Kaspersky Security solution components, information about events that occur during operation of the management MMC plug-ins may be written to the following files on the device where the Kaspersky Security Center Administration Server is installed:
- Trace file of the MMC plug-in for managing the Protection Server. The file name is specified by the user, and the user name and process ID (PID) are added to the specified name. This file contains information about the events that occur during the plug-in operation, in particular, about the operation of the Protection Server policy and tasks.
- Trace file of the MMC plug-in for managing Light Agent for Linux (Kaspersky Endpoint Security for Linux used in Light Agent mode). The file name contains the version number of Kaspersky Endpoint Security for Linux, file creation date and time, and process ID (PID). This file contains information about the events that occur during the plug-in operation, in particular, about the operation of the Light Agent for Linux policy and tasks.
In addition to general data, these files may contain the following information:
- Personal data, including the last name, first name, and middle name, if such data is part of the path to files.
- The name of the account used to log in to the operating system if the user account name is part of a file name.
By default, trace files of Kaspersky Security MMC plug-ins are not created. You can create all trace files of the MMC plug-ins by using the registry keys. Contact Technical Support representatives for detailed information on how to create trace files.
All created MMC plug-in trace files are located in the %ProgramData%\Kaspersky Lab\Plugins\KSVLA6_1.SVM.plg folder.
Trace files of web plug-ins
If you use the Kaspersky Security Center Web Console to manage Kaspersky Security solution components, information about events that occur during operation of the management web plug-ins may be written to the trace files of the web plug-ins.
Trace files for the web plug-ins are created automatically if logging of the Web Console activities is enabled in Kaspersky Security Center Web Console Installation Wizard (for more details, refer to Kaspersky Security Center help).
Trace files of the web plug-ins are stored in the Kaspersky Security Center Web Console installation folder in the "logs" subfolder.
The trace files of the management plug-ins are saved in a human-readable format. It is recommended that you ensure that information is protected against unauthorized access before it is sent to Kaspersky.
The trace files of the management plug-ins are not sent to Kaspersky automatically. Trace files are automatically deleted when Kaspersky Security is uninstalled.
SVM Management Wizard log
During SVM deployment and reconfiguration, the SVM Management Wizard logs all information that you specify at every step of the wizard in the wizard log.
You can use the wizard log when contacting Technical Support if SVM deployment or reconfiguration has ended with an error. Information recorded in the wizard log is not sent to Kaspersky automatically.
The SVM Management Wizard log is saved on the device where the wizard was launched, in the file %LOCALAPPDATA%\Kaspersky Lab\Kaspersky VIISLA Console\logs\KasperskyDeployWizard_<file creation date and time>.log and does not contain account passwords. A new log file is created each time the wizard starts.
During SVM deployment, the following information is saved in the wizard log:
- Selected action (SVM deployment).
- Type of the virtual infrastructure object, to which SVM Management Wizard connects.
- Address of the virtual infrastructure object, to which SVM Management Wizard connects.
- When deployed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer:
- The version of the hypervisor or virtual infrastructure administration server.
- The name of the hypervisor and the version of the operating system installed on the hypervisor, and the number of virtual machines on the hypervisor.
- When deploying in an infrastructure based on the OpenStack platform, VK Cloud platform or the TIONIX Cloud Platform: the name and ID of the domain and OpenStack project within which the SVM is deployed.
- Name of the account used to connect the SVM Management Wizard to the virtual infrastructure.
- Name of the account used to connect the Integration Server to the virtual infrastructure.
- SVM image version.
- Versions of previously deployed SVMs.
- Status of the publisher of the SVM image.
- SVM image path and SVM image data.
- SVM image validation status.
- For deployments on the VMware vSphere platform:
- A list of all VMware ESXi hypervisors managed by a single VMware vCenter Server, their state, the protection status and privileges of the account used to connect to the VMware vCenter Server.
- A list of VMware ESXi hypervisors that were selected for SVM deployment, and their versions.
- When deploying on the Microsoft Hyper-V platform, the OpenStack platform, VK Cloud platform or the TIONIX Cloud Platform:
- Whether or not parallel deployment of several SVMs is enabled, as well as number of parallel sessions.
- VLAN ID.
- Settings for the SVM being deployed that you specified.
- Settings to connect the SVM to the Kaspersky Security Center Administration Server (IP address, port, SSL port).
- Whether the root account is allowed to gain access to the SVM using SSH.
- For deployments on the Microsoft Hyper-V platform: type of the Integration Server authentication on the hypervisor (local / domain).
- SVM IP settings (IP address, IP address of default network gateway, IP address of main and alternative DNS servers, subnet mask).
During SVM reconfiguration, the following information is saved in the wizard log:
- Selected action (SVM reconfiguration)
- Depending on the type of virtual infrastructure:
- IP addresses or fully qualified domain names (FQDN) of hypervisors on which SVMs are being reconfigured
- Names of OpenStack domains and projects, within which the SVMs being reconfigured operate
- IP addresses or full domain names of SVMs being reconfigured
- Information on whether or not the reconfiguration will change the following:
- Settings of accounts for connecting to the SVM (configuration password, root account password, ability to connect to the SVM using the root account over SSH)
- List of virtual networks used by the SVM
- SVM IP settings (IP address, IP address of the default network gateway, IP address of the main and alternative DNS servers, subnet mask)
Using the utilities and scripts from the Kaspersky Security distribution kit
To analyze the cause of errors in the operation of Kaspersky Security, Technical Support experts may ask you to use the following tools included in the Kaspersky Security distribution kit:
- ai_config is the tool that allows converting the SVM settings from configuration database format to text file and back.
- cleanUpdateShare.sh is the script for removing the old Light Agent bases from the SVM.
- configure.sh is the script for managing the SVM, viewing settings, and reconfiguration of the SVM. It is used by the SVM Management Wizard to reconfigure the SVM using the klconfig account.
- dump_ods_scan_queue and dump_ods_scan_queue.sh are the tools for viewing the current scan tasks queue.
- eventlog_client and eventlog_client.sh are the tools for generating the events to be sent to Kaspersky Security Center.
- firewall.sh is the script for opening up the ports to connect to Network Agent.
- first_boot.sh is the script for SVM reconfiguration on the first boot of the SVM.
- get_used_mem.sh is the script for showing memory usage statistics.
- kvp_read is the tool for viewing shared data of a hypervisor from the Hyper-V KVP Exchange storage.
- la-kvm-guest is the init.d script for managing the KVM guest service.
- la-scanserver is the init.d script for managing the scanserver service.
- managenet.sh is the script for managing the network interfaces.
- on_product_install.sh is the script that sets a one-time SVM configuration during the SVM deployment.
- sfw is the tool for managing the netfilter firewall of the Linux operating system.
- show_inventory and show_inventory.sh are the tools for viewing information about the virtual infrastructure inventory received by the Protection Server from the Integration Server.
- show_virt_info and show_virt_info.sh are the tools for viewing the virtual machine information (for example BIOS version or hypervisor information).
- snmp.sh is the script for enabling or disabling the SNMP monitoring on the SVM.
- storage_util is the tool for managing the storage of the data used for Kaspersky Security database updates.
- patch_detector.pl is the script that searches the specified folder for an application module update and runs the KSV Patch Installer to install it.
- patch_installer.pl is the script for installing the Kaspersky Security module update from the tar.gz file.
- patch_list.pl is the script for generating the list of Kaspersky Security module updates installed on the SVM in XML format.
- patch_rollback.pl is the script for rolling back the latest Kaspersky Security module update installed.
About remotely diagnosing a device using Kaspersky Security Center
In Kaspersky Security Center, you can perform remote diagnostics of client devices. The remote diagnostics procedure allows you to perform the following operations remotely:
- Enable or disable tracing on the device.
- Change the trace level.
- Download trace files.
- Download the log of remote installation of solution components.
- Download system event logs (syslog).
- Start, stop, and restart solution components on the device.
Remote diagnostics using the Web Console
If you are managing Kaspersky Security using the Web Console, you can remotely diagnose a client device in the remote diagnostics window.
To open the remote device diagnostics window:
- In the main window of the Web Console, select Assets (Devices) → Managed devices.
The list of managed devices opens.
- Select the device that you want to remotely diagnose and click the name of the device.
This opens the device properties window.
- On the Advanced tab, select the Remote diagnostics section.
For more information about remote diagnostics, please refer to the Kaspersky Security Center Help.
Remote diagnostics using the Administration Console
If you are managing the Kaspersky Security solution using the Administration Console, remote diagnostics is performed using a special Kaspersky Security Center remote diagnostics tool that is automatically installed on the device together with the Administration Console.
To open the main window of the device remote diagnostics tool:
- In the Administration Console tree, in the Managed devices folder, select the administration group that includes the relevant device.
- In the workspace, select the Devices tab.
- In the list of managed devices, select the device to which you want to connect the remote diagnostics tool, and select External tools → Remote diagnostics in the context menu of the device.
This opens the main window of the Kaspersky Security Center remote diagnostics tool.
For more information about the remote diagnostics tool, please refer to the Kaspersky Security Center Help.