Kaspersky Machine Learning for Anomaly Detection

Viewing the Kaspersky MLAD log

Kaspersky MLAD uses the Grafana logging system to monitor the state of application services and to track information security events.

Tracking information security events of Kaspersky MLAD in the logging subsystem

The table below shows the types of information security events that are tracked in Kaspersky MLAD.

Types of information security events

Event ID in the logging system   Information security event type
------------------------------   -------------------------------
login                            Connecting and attempting to connect users to Kaspersky MLAD
access_control                   Verifying user rights when performing actions in the Kaspersky MLAD web interface
logout                           Terminating a Kaspersky MLAD user connection
service_control                  Starting, stopping, and restarting Kaspersky MLAD services
user_control                     Editing user accounts
system_settings_control          Changing Kaspersky MLAD settings
model_control                    Creating, modifying, and deleting models
tag_control                      Importing, creating, modifying, and deleting tags
log_control                      Deleting information security event logs from the Kaspersky MLAD database when the log storage volume is exceeded or when their storage term expires

Each entry about an information security event contains the following parameters:

  • event_id is the ID of the information security event.
  • timestamp is the date and time of the information security event.
  • event_type is the ID of the information security event type.
  • sub_type specifies the type of information security event.
  • severity is the importance of the information security event. Kaspersky MLAD provides the following severity levels for information security events:
    • 1 (low).

      These information security events include entries involving users being granted access to perform a specific action in the web interface, and regarding the successful completion of any user actions.

    • 5 (medium).

      These information security events include entries involving user actions in the web interface for managing ML models, tags, user accounts and passwords, and entries regarding exceeded thresholds for storage time and volume of information security event logs.

    • 8 (high).

      These information security events include entries involving users entering an incorrect user name and/or password when connecting to the web interface of the application, and entries regarding unsuccessful attempts to change a password.

    • 10 (highest).

      These information security events include entries involving attempts to connect to the application web interface using a system account or a blocked account, and entries regarding attempts to perform specific actions in the application without the appropriate access rights.

  • username is the name of the user whose actions resulted in the information security event entry.
  • ip_address is the IP address of the computer from which the user performed the action recorded in the information security event log.
  • outcome is the result of an information security event. The OK result corresponds to successful completion of the operation by the user. The FAIL result corresponds to failure of the user to perform the operation.
  • msg is a brief summary of the information security event.
  • info is a detailed description of the information security event.
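The entry parameters above are what an analyst gets when the Security audit table is exported as CSV. The following is an added example (not part of the Kaspersky MLAD documentation or product) that parses a constructed export and triages it by the severity and outcome semantics described here: severity 10 entries and repeated FAIL login events from one source. The column order and the sub_type values are assumptions, since the page does not define the export layout.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Security audit CSV export. Column order and
# sub_type values are assumptions; the parameters themselves come from the page.
SAMPLE_CSV = """event_id,timestamp,event_type,sub_type,severity,username,ip_address,outcome,msg,info
101,2024-05-01T08:00:01Z,login,password,1,operator,10.0.0.5,OK,User logged in,Successful login
102,2024-05-01T08:00:09Z,login,password,8,operator,10.0.0.7,FAIL,Invalid credentials,Wrong password
103,2024-05-01T08:00:15Z,login,password,8,operator,10.0.0.7,FAIL,Invalid credentials,Wrong password
104,2024-05-01T08:00:22Z,login,password,8,operator,10.0.0.7,FAIL,Invalid credentials,Wrong password
105,2024-05-01T08:01:00Z,login,password,10,admin,10.0.0.7,FAIL,Blocked account,Account is blocked
106,2024-05-01T08:02:00Z,access_control,model_control,10,viewer,10.0.0.9,FAIL,Access denied,No right to delete model
107,2024-05-01T08:03:00Z,model_control,delete,5,operator,10.0.0.5,OK,Model deleted,Model 7 deleted
"""


def parse_events(text):
    """Parse a CSV export into a list of dicts; severity becomes an int so it can be compared."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["severity"] = int(row["severity"])
    return rows


def triage(events, fail_threshold=3):
    """Return the event_ids at the highest severity level (10) and the
    (ip_address/username) pairs with at least fail_threshold failed logins."""
    highest = []
    failures = Counter()
    for event in events:
        if event["severity"] >= 10:
            highest.append(event["event_id"])
        if event["event_type"] == "login" and event["outcome"] == "FAIL":
            failures[(event["ip_address"], event["username"])] += 1
    repeated = {
        f"{ip}/{user}": count
        for (ip, user), count in failures.items()
        if count >= fail_threshold
    }
    return {"highest": highest, "login_failures": repeated}


if __name__ == "__main__":
    print(triage(parse_events(SAMPLE_CSV)))
```

The same functions work on a real export once the header row matches the parameter names listed above.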

Tracking the state of Kaspersky MLAD services in the logging subsystem

Kaspersky MLAD services whose states are monitored in the logging subsystem are identified based on the names of their corresponding containers or images in Docker. In most cases, the abbreviated name of the service is used as the name of the image. The container name is formed according to the following template:

<application directory>-<image name>-#,

where # is the number of the Docker container.

By default, Kaspersky MLAD uses the mlad-release-5.0.0-<installation build number> directory.

The Kaspersky MLAD log stores entries about the state of application services only for the last 48 hours.

The table below presents the correspondence between Kaspersky MLAD services and the names of Docker containers and images.

Correspondence between Kaspersky MLAD services and the names of Docker containers and images

Kaspersky MLAD service   Image name          Container name
----------------------   ----------          --------------
Anomaly Detector         anomaly_detector    mlad-release-5.0.0-<installation build number>-anomaly_detector-1
Time Series Database     influxdb            mlad-release-5.0.0-<installation build number>-influxdb-1
Message Broker           kafka               mlad-release-5.0.0-<installation build number>-kafka-1
Keeper                   keeper              mlad-release-5.0.0-<installation build number>-keeper-1
Logger                   logger              mlad-release-5.0.0-<installation build number>-logger-1
Database                 postgres            mlad-release-5.0.0-<installation build number>-postgres-1
Similar Anomaly          similar_anomaly     mlad-release-5.0.0-<installation build number>-similar_anomaly-1
Event Processor          event-processor     mlad-release-5.0.0-<installation build number>-event-processor-1
Stream Processor         stream-processor    mlad-release-5.0.0-<installation build number>-stream-processor-1
Trainer                  trainer             mlad-release-5.0.0-<installation build number>-trainer-1
Web Server               nginx-ui            mlad-release-5.0.0-<installation build number>-nginx-ui-1
API Server               web-server          mlad-release-5.0.0-<installation build number>-web-server-1
Mail Notifier            postman             mlad-release-5.0.0-<installation build number>-postman-1
OPC UA Connector         opcua-connector     mlad-release-5.0.0-<installation build number>-opcua-connector-1
MQTT Connector           mqtt-connector      mlad-release-5.0.0-<installation build number>-mqtt-connector-1
AMQP Connector           amqp-connector      mlad-release-5.0.0-<installation build number>-amqp-connector-1
HTTP Connector           http-connector      mlad-release-5.0.0-<installation build number>-http-connector-1
KICS Connector           kics3-connector     mlad-release-5.0.0-<installation build number>-kics3-connector-1
CEF Connector            cef-connector       mlad-release-5.0.0-<installation build number>-cef-connector-1
WebSocket Connector      ws-connector        mlad-release-5.0.0-<installation build number>-ws-connector-1
Docker API Server        docker-api-server   mlad-release-5.0.0-<installation build number>-docker-api-server-1
Migrations               migrations          mlad-release-5.0.0-<installation build number>-migrations-1
Push Server              Push server         mlad-release-5.0.0-<installation build number>-push-server-1
                         webstatic           mlad-release-5.0.0-<installation build number>-webstatic-1

The Info logging level is used for the Time Series Database, Message Broker, Logger, Database and Web Server services, and for the webstatic image. The logging levels for all other Kaspersky MLAD services are defined by the system administrator when configuring the application settings.

In this section

Scenario: viewing information security event logs

Scenario: assessing the main metrics of Kaspersky MLAD

Scenario: viewing container logs and metrics


Scenario: viewing information security event logs

Before starting to work with the logging subsystem, it is recommended to read the Grafana User Guide.

The maximum volume and storage time for information security event entries are defined when configuring the security settings.

Information security event logs are written to the Kaspersky MLAD database automatically. If necessary, the system administrator can specify the settings of an external system to which the information security event logs should be sent.

The scenario for viewing information security event logs consists of the following steps:

  1. Navigating to the logging subsystem

    Go to the logging system by clicking the button with the sheet-of-paper icon. This opens the Grafana interface, in which you need to enter the user name and password of the Kaspersky MLAD user.

    Available only to system administrators and users with the Manage application logs permission.

  2. Navigating to the section containing information security event logs

    Go to the Security audit section.

  3. Analyzing information security event logs

    Analyze the information security event log entries for the selected period. You can filter them based on the parameters of the information security event logs. To do so, click the filter icon button in the column containing the relevant log parameter, select the check boxes next to the necessary filtering criteria, and click OK. To reset the filtering criteria, clear the relevant check boxes and click OK.

  4. Exporting information security event logs

    To export the information security event logs for the selected period to a text file, under Security audit, choose Inspect > Data from the vertical menu (the icon with three vertically arranged dots) in the upper right corner of the information security event log table, and in the panel that opens, click Download CSV.


Scenario: assessing the main metrics of Kaspersky MLAD

Before starting to work with the logging subsystem, it is recommended to read the Grafana User Guide.

When connecting to the logging subsystem for the first time, you must change the default password.

This subsection provides a sequence of actions that must be performed to assess the health and general state of Kaspersky MLAD.

The scenario for assessing the health and general state of Kaspersky MLAD consists of the following steps:

  1. Navigating to the logging subsystem

    Go to the logging system by clicking the button with the sheet-of-paper icon. This opens the Grafana interface, in which you need to enter the user name and password of the Kaspersky MLAD user.

    Available only to system administrators and users with the Manage application logs permission.

  2. Analyzing the main metrics of Kaspersky MLAD

    In the Summary docker metrics section, analyze the graphs of the main Kaspersky MLAD metrics for the selected period.

    The following metrics are displayed for each container of Kaspersky MLAD services:

    • CPU usage – history of central processor workload caused by the container. This is measured as a percentage.
    • RAM usage – history of the container's RAM usage. This is measured in bytes.
    • Disk usage Read/Write – history of the container's load on the disk subsystem (read/write operations). This is measured in bytes.
    • Network usage – history of the container's use of network resources. This is measured in bytes per second.

Scenario: viewing container logs and metrics

Before starting to work with the logging subsystem, it is recommended to read the Grafana User Guide.

The Kaspersky MLAD log stores entries only for the last 48 hours.

This subsection provides steps for assessing the performance and viewing the logs of a specific container from the Kaspersky MLAD distribution kit.

The scenario for assessing the performance and viewing the logs of a specific container consists of the following steps:

  1. Navigating to the logging subsystem

    Go to the logging system by clicking the button with the sheet-of-paper icon. This opens the Grafana interface, in which you need to enter the user name and password of the Kaspersky MLAD user.

    Available only to system administrators and users with the Manage application logs permission.

  2. Navigating to the section with container logs and metrics

    Go to the Service detailed monitoring section and select the relevant container from the Container drop-down list.

  3. Analyzing container metrics

    In the Service detailed monitoring section, analyze the graphs of Kaspersky MLAD metrics for the selected container during the relevant period.

    The Service detailed monitoring section provides the following metrics:

    • Memory – history of the container's RAM usage. This is measured in bytes.
    • CPU – history of central processor workload caused by the container. This is measured as a percentage.
    • File system – history of the container's load on the disk subsystem (read/write operations). This is measured in bytes.
    • Network – history of the container's use of network resources. This is measured in bytes per second.
  4. Analyzing container logs

    Analyze the container log records for the selected period, which are displayed under the metrics dashboard. You can search the container log records. To do so, enter a search query in the Log search field and press the ENTER key. To reset the search results, clear the Log search field and press the ENTER key.

  5. Exporting container logs

    To export container logs for the selected period to a text file, under Service detailed monitoring, choose Inspect > Data from the vertical menu (the icon with three vertically arranged dots) in the upper right corner of the relevant metric section, and in the panel that opens, click Download CSV.
