Contents
Viewing the Kaspersky MLAD log
Kaspersky MLAD uses the Grafana logging system to monitor the state of application services and to track information security events.
Tracking information security events of Kaspersky MLAD in the logging subsystem
The table below shows the types of information security events that are tracked in Kaspersky MLAD.
Types of information security events
Information security event ID in the logging system |
Information security event type |
---|---|
|
Connecting and attempting to connect users to Kaspersky MLAD |
|
Verifying user rights when performing actions in the Kaspersky MLAD web interface |
|
Terminating a Kaspersky MLAD user connection |
|
Starting, stopping, and restarting Kaspersky MLAD services |
|
Editing user accounts |
|
Changing Kaspersky MLAD settings |
|
Creating, modifying, and deleting models |
|
Importing, creating, modifying, and deleting tags |
|
Deleting information security event logs from the Kaspersky MLAD database when the log storage volume is exceeded or when their storage term expires |
Each entry about an information security event contains the following parameters:
- event_id is the ID of the information security event.
- timestamp is the date and time of the information security event.
- event_type is the ID of the information security event type.
- sub_type specifies the type of information security event.
- severity is the importance of the information security event. Kaspersky MLAD provides the following severity levels for information security events:
- 1 (low).
These information security events include entries involving users being granted access to perform a specific action in the web interface, and regarding the successful completion of any user actions.
- 5 (medium).
These information security events include entries involving user actions in the web interface for managing ML models, tags, user accounts and passwords, and entries regarding exceeded thresholds for storage time and volume of information security event logs.
- 8 (high).
These information security events include entries involving users entering an incorrect user name and/or password when connecting to the web interface of the application, and entries regarding unsuccessful attempts to change a password.
- 10 (highest).
These information security events include entries involving attempts to connect to the application web interface using a system account or a blocked account, and entries regarding attempts to perform specific actions in the application without the appropriate access rights.
- 1 (low).
- username is the name of the user whose actions resulted in the information security event entry.
- ip_address is the IP address of the computer from which the user performed the action logged into the information security event log.
- outcome is the result of an information security event. The OK result corresponds to successful completion of the operation by the user. The FAIL result corresponds to failure of the user to perform the operation.
- msg is a brief summary of the information security event.
- info is a detailed description of the information security event.
Tracking the state of Kaspersky MLAD services in the logging subsystem
Kaspersky MLAD services whose states are monitored in the logging subsystem are identified based on the names of their corresponding containers or images in Docker. In most cases, the abbreviated name of the service is used as the name of the image. The container name is formed according to the following template:
<
application directory
>-<
image name
>-#
,
where #
is the number of the Docker container.
By default, Kaspersky MLAD uses the mlad-release-5.0.0-<
installation build number
directory.>
The Kaspersky MLAD log stores entries about the state of application services only for the last 48 hours.
The table below presents the correspondence between Kaspersky MLAD services and the names of Docker containers and images.
Correspondence between Kaspersky MLAD services and the names of Docker containers and images
Kaspersky MLAD service |
Image name |
Container name |
---|---|---|
Anomaly Detector |
anomaly_detector |
mlad-release-5.0.0-<installation build number>-anomaly_detector-1 |
Time Series Database |
influxdb |
mlad-release-5.0.0-<installation build number>-influxdb-1 |
Message Broker |
kafka |
mlad-release-5.0.0-<installation build number>-kafka-1 |
Keeper |
keeper |
mlad-release-5.0.0-<installation build number>-keeper-1 |
Logger |
logger |
mlad-release-5.0.0-<installation build number>-logger-1 |
Database |
postgres |
mlad-release-5.0.0-<installation build number>-postgres-1 |
Similar Anomaly |
similar_anomaly |
mlad-release-5.0.0-<installation build number>-similar_anomaly-1 |
Event Processor |
event-processor |
mlad-release-5.0.0-<installation build number>-event-processor-1 |
Stream Processor |
stream-processor |
mlad-release-5.0.0-<installation build number>-stream-processor-1 |
Trainer |
trainer |
mlad-release-5.0.0-<installation build number>-trainer-1 |
Web Server |
nginx-ui |
mlad-release-5.0.0-<installation build number>-nginx-ui-1 |
API Server |
web-server |
mlad-release-5.0.0-<installation build number>-web-server-1 |
Mail Notifier |
postman |
mlad-release-5.0.0-<installation build number>-postman-1 |
OPC UA Connector |
opcua-connector |
mlad-release-5.0.0-<installation build number>-opcua-connector-1 |
MQTT Connector |
mqtt-connector |
mlad-release-5.0.0-<installation build number>-mqtt-connector-1 |
AMQP Connector |
amqp-connector |
mlad-release-5.0.0-<installation build number>-amqp-connector-1 |
HTTP Connector |
http-connector |
mlad-release-5.0.0-<installation build number>-http-connector-1 |
KICS Connector |
kics3-connector |
mlad-release-5.0.0-<installation build number>-kics3-connector-1 |
CEF Connector |
cef-connector |
mlad-release-5.0.0-<installation build number>-cef-connector-1 |
WebSocket Connector |
ws-connector |
mlad-release-5.0.0-<installation build number>-ws-connector-1 |
Docker API Server |
docker-api-server |
mlad-release-5.0.0-<installation build number>-docker-api-server-1 |
Migrations |
migrations |
mlad-release-5.0.0-<installation build number>-migrations-1 |
Push Server |
Push server |
mlad-release-5.0.0-<installation build number>-push-server-1 |
|
webstatic |
mlad-release-5.0.0-<installation build number>-webstatic-1 |
The Info
logging level is used for the Time Series Database, Message Broker, Logger, Database and Web Server services, and for webstatic image. The logging levels for all other Kaspersky MLAD services are defined by the system administrator when configuring the application settings.
Scenario: viewing information security event logs
Before starting to work with the logging subsystem, it is recommended to read the Grafana User Guide.
The maximum volume and storage time for information security event entries are defined when configuring the security settings.
Information security event logs are written to the Kaspersky MLAD database automatically. If necessary, the system administrator can specify the settings of an external system to which the information security event logs should be sent.
The scenario for viewing information security event logs consists of the following steps:
- Navigating to the logging subsystem
Go to the logging system by clicking the
button. This opens the Grafana interface in which you need to enter the name and password of the Kaspersky MLAD user.
Available only to the system administrators and users with the Manage application logs permission.
- Navigating to the section containing information security event logs
Go to the Security audit section.
- Analyzing information security event logs
Analyze the information security event log entries for the selected period. You can filter them based on parameters of the information security event logs. To do so, click the
button in the column containing the relevant log parameter, select the check boxes next to the necessary filtering criteria, and click OK. To reset the filtering criteria, clear the relevant check boxes and click OK.
- Exporting information security event logs
To export the information security event logs for the selected period to a text file, under Security audit, choose Inspect → Data from the vertical menu
in the upper right corner of the information security event log table, and in the panel that opens, click Download CSV.
Scenario: assessing the main metrics of Kaspersky MLAD
Before starting to work with the logging subsystem, it is recommended to read the Grafana User Guide.
When connecting to the logging subsystem for the first time, you must change the default password.
This subsection provides a sequence of actions that must be performed to assess the health and general state of Kaspersky MLAD.
The scenario for assessing the health and general state of Kaspersky MLAD consists of the following steps:
- Navigating to the logging subsystem
Go to the logging system by clicking the
button. This opens the Grafana interface in which you need to enter the name and password of the Kaspersky MLAD user.
Available only to the system administrators and users with the Manage application logs permission.
- Analyzing the main metrics of Kaspersky MLAD
In the Summary docker metrics section, analyze the graphs of the main Kaspersky MLAD metrics for the selected period.
The following metrics are displayed for each container of Kaspersky MLAD services:
- CPU usage – history of central processor workload caused by the container. This is measured as a percentage.
- RAM usage – history of the container's RAM usage. This is measured in bytes.
- Disk usage Read/Write – history of the container's load on the disk subsystem (read/write operations). This is measured in bytes.
- Network usage – history of the container's use of network resources. This is measured in bytes per second.
Scenario: viewing container logs and metrics
Before starting to work with the logging subsystem, it is recommended to read the Grafana User Guide.
The Kaspersky MLAD log stores entries only for the last 48 hours.
This subsection provides steps for assessing the performance and viewing the logs of a specific container from the Kaspersky MLAD distribution kit.
The scenario for assessing the performance and viewing the logs of a specific container consists of the following steps:
- Navigating to the logging subsystem
Go to the logging system by clicking the
button. This opens the Grafana interface in which you need to enter the name and password of the Kaspersky MLAD user.
Available only to the system administrators and users with the Manage application logs permission.
- Navigating to the section with container logs and metrics
Go to the Service detailed monitoring section and select the relevant container from the Container drop-down list.
- Analyzing container metrics
In the Service detailed monitoring section, analyze the graphs of Kaspersky MLAD metrics for the selected container during the relevant period.
The Service detailed monitoring section provides the following metrics:
- Memory – history of the container's RAM usage. This is measured in bytes.
- CPU – history of central processor workload caused by the container. This is measured as a percentage.
- File system – history of the container's load on the disk subsystem (read/write operations). This is measured in bytes.
- Network – history of the container's use of network resources. This is measured in bytes per second.
- Analyzing container metrics
Analyze the container log records for the selected period, which are displayed under the metrics dashboard. You can search the container log records. To do so, enter a search query in the Log search field and press the ENTER key. To reset the search results, clear the Log search field and press the ENTER key.
- Exporting container logs
To export container logs for the selected period to a text file, under Service detailed monitoring, choose Inspect → Data from the vertical menu
in the upper right corner of the relevant metric section, and in the panel that opens, click Download CSV.