Kaspersky Unified Monitoring and Analysis Platform

Configuring receipt of the Kontinent encryption system events

The KUMA distribution kit includes the kuma-kont utility, which consists of an executable file and a configuration file. Supported operating systems are Astra Linux, Ubuntu 22.04 LTS, and RED OS 7.3.4 and 8. The utility connects to the MSSQL database, retrieves events of the Kontinent encryption system, and sends them to the KUMA collector in JSON format. Data import is supported for Kontinent 3.9.2.

Configuring the retrieval of Kontinent events from an MSSQL database and sending them to the KUMA collector involves the following steps:

  1. Preparing to receive Kontinent events.

    At this step, you need to create a KUMA collector that will receive events, and also create a user in the MSSQL database.

  2. Configuring the kuma-kont utility.

    At this step, you need to create the configuration file for the utility and the systemd service that runs it.

  3. Starting the kuma-kont utility.

    Once started, the utility exports events from the MSSQL database and sends them to the KUMA collector. It writes its log to the kuma-kont.log file.

In this section

Preparing to receive Kontinent events

Configuring the kuma-kont utility

Starting and managing the kuma-kont service

Settings in the kuma-kont-config.yaml configuration file


Preparing to receive Kontinent events

  1. Creating a KUMA collector.
    1. Creating a KUMA collector for Kontinent 3.9 events.

      To receive audit events of the Kontinent 3.9 system using the Collector Installation Wizard, at the Event parsing step, select the [OOTB] SecurityCode Continent 3.9 json normalizer. On the Transport tab, specify the same port and protocol that you set in the KUMA Collector group of settings in the kuma-kont-config.yaml configuration file.

    2. Installing a collector in the KUMA network infrastructure.
  2. Creating an account in the MS SQL DBMS.

    Create an account in the database with the minimum necessary rights to connect and read data from the following tables: ALERTLOG, SERVERACCESSLOG, SYSTEMLOG, PACKETLOG, FILTERS.

  3. Ensuring network connectivity.

    You must ensure network connectivity between the server on which the utility is running and the database server of the Kontinent system, as well as between the server on which the utility is running and the KUMA collector server.
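As an added example, not taken from the KUMA documentation: T-SQL that creates the read-only account from step 2 with SELECT on the five listed tables only, then impersonates it to verify the effective permissions. The login and user name kuma_kont, the database name KontinentDB and the dbo schema are assumptions; replace them and the password placeholder with your own values.

```sql
-- Assumed names: login/user kuma_kont, database KontinentDB, schema dbo.
-- Password placeholder must be replaced before running.
USE [master];
CREATE LOGIN [kuma_kont]
    WITH PASSWORD = N'<replace-with-strong-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = [KontinentDB];
GO

USE [KontinentDB];
-- Database user mapped to the login; no role membership beyond 'public'.
CREATE USER [kuma_kont] FOR LOGIN [kuma_kont] WITH DEFAULT_SCHEMA = [dbo];
GO

-- SELECT only, on exactly the tables the utility reads
-- (table list as given in the documentation).
GRANT SELECT ON OBJECT::[dbo].[ALERTLOG]        TO [kuma_kont];
GRANT SELECT ON OBJECT::[dbo].[SERVERACCESSLOG] TO [kuma_kont];
GRANT SELECT ON OBJECT::[dbo].[SYSTEMLOG]       TO [kuma_kont];
GRANT SELECT ON OBJECT::[dbo].[PACKETLOG]       TO [kuma_kont];
GRANT SELECT ON OBJECT::[dbo].[FILTERS]         TO [kuma_kont];
GO

-- Verification: run as the new user and list what it can actually do.
-- Expected: one SELECT row per table below, and CONNECT as the only
-- database-level permission.
EXECUTE AS USER = 'kuma_kont';
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.ALERTLOG', 'OBJECT')
UNION ALL
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.SERVERACCESSLOG', 'OBJECT')
UNION ALL
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.SYSTEMLOG', 'OBJECT')
UNION ALL
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.PACKETLOG', 'OBJECT')
UNION ALL
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.FILTERS', 'OBJECT');

SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO
```

If the second result set lists anything besides CONNECT, the user has inherited rights from a role or from 'public' that should be reviewed before the connector goes into service.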


Configuring the kuma-kont utility

Configuring the kuma-kont utility involves the following steps:

  1. Creating the kuma-kont-config.yaml configuration file.
  2. Creating the kuma-kont service.

Creating the kuma-kont-config.yaml configuration file

To create the kuma-kont-config.yaml configuration file:

  1. Go to the KUMA installer directory by executing the following command:

    cd kuma-ansible-installer/roles/kuma/files

  2. Extract the kuma-kont.tar archive:

    tar -xvf kuma-kont.tar

  3. Go to the directory of the utility:

    cd kuma-kont

  4. Copy the kuma-kont-config-template.yaml template to create a configuration file named kuma-kont-config.yaml:

    cp kuma-kont-config-template.yaml kuma-kont-config.yaml

  5. Change the owner and access permissions of the configuration file so that only the service user can read it:

    sudo chown <user name>:<group> kuma-kont-config.yaml

    sudo chmod 600 kuma-kont-config.yaml

    Replace <user name> and <group> with the operating system user and group that the service will run as.

  6. Edit the settings in the kuma-kont-config.yaml configuration file.

    Specify the values of the following settings:

    • General settings: state_file, log_file_path.
    • Kontinent Database: name, user, password, host, port.
    • KUMA Collector: address, port, protocol.

      An example of configuration is given in the kuma-kont-config-template.yaml file.

  7. Save the changes to the file.

The configuration file is created.

Creating the service

To create the kuma-kont service:

  1. Change the owner and permissions of the executable file so that only the service user can run it:

    sudo chown <user name>:<group> <path to executable file>

    sudo chmod 700 <path to executable file>

  2. Create the /etc/systemd/system/kuma-kont.service file with the following contents:

    [Unit]
    Description=Connector Kontinent 3.9
    After=network.target

    [Service]
    User=<user name>
    ExecStart=<path to executable file> --config <path to configuration file>
    Restart=always
    RestartSec=10

    [Install]
    WantedBy=multi-user.target

    Replace <user name> with the name of the operating system user that the service will run as.

  3. Specify the path to the executable file.

    Specify the path to the kuma-kont executable file in the ExecStart field.

    For example, if the kuma-kont file is located in the /usr/bin/ directory, leave the default value.

  4. Specify the path to the configuration file.

    Specify the path to the kuma-kont-config.yaml configuration file in the ExecStart field. For example, if the kuma-kont-config.yaml file is located in the /path/to/ directory, specify that path.

    Example kuma-kont.service file (systemd requires an absolute path in ExecStart):

    [Unit]
    Description=Continent Service
    After=network.target

    [Service]
    User=user-example
    ExecStart=/usr/bin/kuma-kont --config /path/to/kuma-kont-config.yaml
    Restart=always
    RestartSec=10

    [Install]
    WantedBy=multi-user.target

  5. Load the systemd configuration:

    sudo systemctl daemon-reload

  6. Make the service run at startup:

    sudo systemctl enable kuma-kont

The kuma-kont utility will be started as a service at system startup.


Starting and managing the kuma-kont service

To start the utility service, run the following command:

sudo systemctl start kuma-kont

The collection of events from the MSSQL database begins and the events are sent to the KUMA collector.

The utility service can be controlled using the following commands:

  1. Start the kuma-kont service:

    sudo systemctl start kuma-kont

  2. Stop the kuma-kont service:

    sudo systemctl stop kuma-kont

  3. Restart the kuma-kont service:

    sudo systemctl restart kuma-kont

You can also run the kuma-kont utility as a regular application instead of as a service. To start sending events to the KUMA collector, run the following command from the directory that contains the executable file:

./kuma-kont --config <path to the kuma-kont-config.yaml file>

Behavior when connection is lost

Connection to the MSSQL database

If the connection to the MSSQL database is lost, the utility tries to reconnect to it every n seconds (where n is equal to the value of the poll_interval setting in the configuration file) until the connection is restored.

Connection to the KUMA collector

If the TCP protocol is used to send events, when the connection to the KUMA collector is lost, the utility also attempts to restore it. The interval between connection attempts increases until it reaches one hour, and subsequent reconnection attempts are made once per hour.

Known limitations

Events from the AlertLog table with AL_CATEGORY=5 are not fully decoded.


Settings in the kuma-kont-config.yaml configuration file

The table lists the settings that you can specify in the kuma-kont-config.yaml file.


debug

Optional setting in the General settings group.

Enables debug-level log output.

If false, the log contains only start and stop messages and errors that occurred while sending events.

Available values:

  • true
  • false

Default setting: false.

need_reconnect

An optional setting in the General settings group.

Determines whether the utility opens a new connection to the database for each query.

Available values:

  • true
  • false

Default setting: false.

state_file

Required setting in the General settings group.

Absolute path to the JSON file in which the state of the processed logs is saved.

The file is created automatically at this path.

Make sure the user has sufficient permissions to write to this directory.

Example: /home/user/kuma-kont/state.json

log_file_path

Required setting in the General settings group.

Absolute path to the log file for recording connector activity.

The file is created automatically at this path.

Make sure the user has sufficient permissions to write to this directory.

Example: /home/user/kuma-kont/kuma-kont.log

poll_interval

An optional setting in the General settings group.

Database polling interval.

The default value is 10 seconds.

For high EPS, we recommend a value less than 15 seconds.

name

Required setting in the Kontinent Database group.

Name of the database that stores the Kontinent logs.

user

Required setting in the Kontinent Database group.

Name of the database user.

password

Required setting in the Kontinent Database group.

Password of the database user.

host

Required setting in the Kontinent Database group.

URL of the database server.

port

Required setting in the Kontinent Database group.

Port of the database server.

Make sure it is accessible from the server where the utility is installed.

limit

Optional setting in the Kontinent Database group.

Limit on the number of events that can be downloaded from the database as part of one poll.

Default value: 100,000 events per database poll.

If EPS is high, we recommend a value equal to or greater than this.

alert_log

Optional setting in the Last Id group.

Specifies the event of the AlertLog type from which you want to start sending events to the KUMA collector.

Only applies on the first run or when the state file does not exist.

The default value is 0.

packet_log

Optional setting in the Last Id group.

Specifies the event of the PacketLog type from which you want to start sending events to the KUMA collector.

Only applies on the first run or when the state file does not exist.

The default value is 0.

server_access_log

Optional setting in the Last Id group.

Specifies the event of the ServerAccessLog type from which you want to start sending events to the KUMA collector.

Only applies on the first run or when the state file does not exist.

The default value is 0.

system_log

Optional setting in the Last Id group.

Specifies the event of the SystemLog type from which you want to start sending events to the KUMA collector.

Only applies on the first run or when the state file does not exist.

The default value is 0.

address

Required setting in the KUMA Collector group.

Fully qualified domain name (FQDN) or IP address of the server where the KUMA collector is installed.

port

Required setting in the KUMA Collector group.

Port of the KUMA collector.

protocol

Required setting in the KUMA Collector group.

Data transfer protocol used by the KUMA collector.

If the udp protocol is used, events are not resent if the connection to the KUMA collector is lost.

Available values:

  • tcp
  • udp
