Kaspersky Next XDR Expert

Services tools

This section describes the tools for working with services that are available in the Resources → Active services section of the KUMA Console.

In this section

Getting service identifier

Stopping, starting, checking status of the service

Restarting the service

Deleting the service

Partitions window

Searching for related events


Getting service identifier

The service identifier is used to bind parts of the service residing within KUMA and installed in the network infrastructure into a single complex. An identifier is assigned to a service when it is created in KUMA, and is then used when installing the service to the server.

To get the identifier of a service:

  1. Log in to the KUMA Console and open Resources → Active services.
  2. Select the check box next to the service whose ID you want to obtain, and click Copy ID.

The identifier of the service will be copied to the clipboard. It can be used, for example, for installing the service on a server.


Stopping, starting, checking status of the service

While managing KUMA, you may need to perform the following operations.

  • Temporarily stop the service. For example, when restoring the Core from backup, or to edit service settings related to the operating system.
  • Start the service.
  • Check the status of the service.

The "Commands for stopping, starting, and checking the status of a service" table lists commands that may be useful when managing KUMA.

Commands for stopping, starting, and checking the status of a service

Core
  Stop service: sudo systemctl stop kuma-core-<service ID>.service
  Start service: sudo systemctl start kuma-core-<service ID>.service
  Check the status of the service: sudo systemctl status kuma-core-<service ID>.service

Services with an ID (collector, correlator, storage)
  Stop service: sudo systemctl stop kuma-<collector/correlator/storage>-<service ID>.service
  Start service: sudo systemctl start kuma-<collector/correlator/storage>-<service ID>.service
  Check the status of the service: sudo systemctl status kuma-<collector/correlator/storage>-<service ID>.service

Services without an ID (kuma-grafana.service, kuma-mongodb.service, kuma-victoria-metrics.service, kuma-vmalert.service)
  Stop service: sudo systemctl stop kuma-<grafana/victoria-metrics/vmalert>.service
  Start service: sudo systemctl start kuma-<grafana/victoria-metrics/vmalert>.service
  Check the status of the service: sudo systemctl status kuma-<grafana/victoria-metrics/vmalert>.service
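The unit-name patterns from the table, wrapped in a small POSIX shell helper that validates the service type and ID before calling systemctl. This is an added example, not part of Kaspersky's documentation or tooling; it assumes the unit names are exactly those listed above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not Kaspersky's own tooling): resolve the systemd unit name
# of a KUMA service from its type and, where the table requires one, its
# service ID, then run the stop/start/status command from the table.
# Assumption: unit-name patterns are exactly those listed in the table above.

# Print the unit name for a service type and optional ID; fail on bad input.
kuma_unit_name() {
    type="$1"
    id="$2"
    case "$type" in
        core|collector|correlator|storage)
            # These services carry the ID assigned in the KUMA Console.
            # Refuse an empty or odd-looking ID before touching systemctl.
            case "$id" in
                ''|*[!A-Za-z0-9-]*) echo "kuma_unit_name: invalid service ID '$id'" >&2; return 1 ;;
            esac
            echo "kuma-${type}-${id}.service" ;;
        grafana|mongodb|victoria-metrics|vmalert)
            # Services without an ID: a single instance per host.
            [ -z "$id" ] || { echo "kuma_unit_name: $type takes no ID" >&2; return 1; }
            echo "kuma-${type}.service" ;;
        *)
            echo "kuma_unit_name: unknown service type '$type'" >&2; return 1 ;;
    esac
}

# Run stop, start or status against the resolved unit.
# Usage: kuma_service_ctl <stop|start|status> <type> [service ID]
kuma_service_ctl() {
    action="$1"
    case "$action" in
        stop|start|status) ;;
        *) echo "kuma_service_ctl: action must be stop, start or status" >&2; return 1 ;;
    esac
    unit="$(kuma_unit_name "$2" "$3")" || return 1
    sudo systemctl "$action" "$unit"
}
```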

Windows agents

To stop an agent service:

  1. Copy the agent ID in the KUMA Console.
  2. Connect to the host on which you want to stop the KUMA agent service.
  3. Run PowerShell as an account that has administrative privileges.
  4. Run the following command in PowerShell:

    Stop-Service -Name "WindowsAgent-<agent ID>"

To start an agent service:

  1. Copy the agent ID in the KUMA Console.
  2. Connect to the host on which you want to start the KUMA agent service.
  3. Run PowerShell as an account that has administrative privileges.
  4. Run the following command in PowerShell:

    Start-Service -Name "WindowsAgent-<agent ID>"

To view the status of an agent service:

  1. In Windows, go to the Start → Services menu, and in the list of services, double-click the relevant KUMA agent.
  2. This opens a window; in that window, view the status of the agent in the Service status field.


Restarting the service

To restart the service:

  1. Log in to the KUMA Console and open Resources → Active services.
  2. Select the check box next to the service and select the necessary option:
    • Update configuration—perform a hot update of a running service configuration. For example, you can change the field mapping settings or the destination point settings this way.
    • Restart—stop a service and start it again. This option is used to modify the port number or connector type.

      Restarting KUMA agents:

      • KUMA Windows Agent can be restarted as described above only if it is running on a remote computer. If the service on the remote computer is inactive, you will receive an error when trying to restart from KUMA. In that case you must restart KUMA Windows Agent service on the remote Windows machine. For information on restarting Windows services, refer to the documentation specific to the operating system version of your remote Windows computer.
      • KUMA Agent for Linux stops when this option is used. To start the agent again, you must execute the command that was used to start it.
    • Reset certificate—remove certificates that the service uses for internal communication. This option may not be used to renew the Core certificate. To renew KUMA Core certificates, they must be reissued.

      Special considerations for deleting Windows agent certificates:

      • If the agent has the green status and you select Reset certificate, KUMA deletes the current certificate and creates a new one; the agent continues working with the new certificate.
      • If the agent has the red status and you select Reset certificate, KUMA generates an error that the agent is not running. In the agent installation folder %APPDATA%\kaspersky\kuma\<Agent ID>\certificates, manually delete the internal.cert and internal.key files and start the agent manually. When the agent starts, a new certificate is created automatically.

      Special considerations for deleting Linux agent certificates:

      1. Regardless of the agent status, apply the Reset certificate option in the web interface to delete the certificate in the databases.
      2. In the agent installation folder, /opt/kaspersky/agent/<Agent ID>/certificates, manually delete the internal.cert and internal.key files.
      3. Since the Reset certificate option stops the agent, to continue its operation, start the agent manually. When the agent starts, a new certificate is created automatically.
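Step 2 of the Linux agent procedure above, as a shell helper that guards the Agent ID before it is interpolated into a path and verifies that both files are gone. This is an added example, not part of Kaspersky's documentation or tooling; it assumes the default installation root /opt/kaspersky/agent and the file names the page gives, and the function name is my own.

```shell
#!/bin/sh
# Added example (not Kaspersky's own tooling): remove a Linux agent's internal
# certificate files so that a new certificate is created when the agent is
# started again (step 2 of the procedure above).
# Assumptions: agent root /opt/kaspersky/agent (overridable for testing);
# certificate directory and file names as named on the page.

# Usage: kuma_agent_reset_cert <Agent ID> [agent root]
# Returns 0 only when neither internal.cert nor internal.key remains.
kuma_agent_reset_cert() {
    agent_id="$1"
    root="${2:-/opt/kaspersky/agent}"
    # The ID becomes part of a path under which files are deleted, so reject
    # an empty value or anything that could escape the agent directory.
    case "$agent_id" in
        ''|*/*|*..*) echo "kuma_agent_reset_cert: invalid Agent ID '$agent_id'" >&2; return 1 ;;
    esac
    certdir="$root/$agent_id/certificates"
    [ -d "$certdir" ] || { echo "kuma_agent_reset_cert: no directory $certdir" >&2; return 1; }
    for f in internal.cert internal.key; do
        if [ -e "$certdir/$f" ]; then
            rm -f "$certdir/$f" && echo "removed $certdir/$f"
        else
            echo "$certdir/$f already absent"
        fi
    done
    # Confirm the reset actually happened; other files in the directory stay.
    [ ! -e "$certdir/internal.cert" ] && [ ! -e "$certdir/internal.key" ]
}
```

After the function returns 0, start the agent manually as step 3 describes; the new certificate is generated on startup.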

Deleting the service

Before deleting the service, get its ID. The ID is required to remove the service from the server.

To remove a service in the KUMA Console:

  1. Log in to the KUMA Console and open Resources → Active services.
  2. Select the check box next to the service you want to delete, and click Delete.

    A confirmation window opens.

  3. Click OK.

The service has been deleted from KUMA.

To remove a service from the server, run the following command:

sudo /opt/kaspersky/kuma/kuma <collector/correlator/storage> --id <service ID> --uninstall

The service has been deleted from the server.


Partitions window

If the storage service was created and installed, you can view its partitions in the Partitions table.

To open the Partitions table:

  1. Log in to the KUMA Console and open Resources → Active services.
  2. Select the check box next to the relevant storage and click Go to partitions.

The Partitions table opens.

The table has the following columns:

  • Tenant—the name of the tenant that owns the stored data.
  • Created—partition creation date.
  • Space—the name of the space.
  • Size—the size of the space.
  • Events—the number of stored events.
  • Transfer to cold storage—the date when data will be migrated from the ClickHouse clusters to cold storage disks.
  • Expires—the date when the partition expires. After this date, the partition and the events it contains are no longer available.

You can delete partitions.

To delete a partition:

  1. Open the Partitions table (see above).
  2. Open the More drop-down list to the left of the required partition.
  3. Select Delete.

    A confirmation window opens.

  4. Click OK.

The partition has been deleted. Audit event partitions cannot be deleted.


Searching for related events

You can search for events processed by the Correlator or the Collector services.

To search for events related to the Correlator or the Collector service:

  1. Log in to the KUMA Console and open Resources → Active services.
  2. Select the check box next to the required correlator or collector and click Go to Events.

    This opens a new browser tab with the KUMA Events section open.

  3. To find events, click the magnifying glass icon.

    A table with events selected by the ServiceID = <ID of the selected service> search expression is displayed.

    Figure: Event search results

When searching for events, you may encounter the following shard unavailability error:

Code: 279. DB::NetException: All connection tries failed. Log: \\n\\nTimeout exceeded while connecting to socket(host.example.com:port, connection timeout 1000 ms)\\nTimeout exceeded while connecting to socket (host.example.com:port, connection timeout 1000 ms)\\nTimeout exceeded while connecting to socket (host.example.com:port, connection timeout 1000 ms)\\n\\n: While executing Remote. (ALL_CONNECTION_TRIES_FAILED) (version 23.8.8.207)\\n\"}",

In this case, you need to override the ClickHouse configuration in storage settings.

To override the ClickHouse configuration:

  1. In the KUMA Console, in the Resources → Storages section, click the storage resource that you want to edit.

    This opens the Edit storage window.

  2. To skip unavailable shards when searching, insert the following lines into the ClickHouse configuration override field:

    <profiles>
    <default>
    <skip_unavailable_shards>1</skip_unavailable_shards>
    </default>
    </profiles>

  3. To apply the ClickHouse configuration, click Save.
  4. Restart the storage services that depend on this resource.

This resolves the shard unavailability error, and you can proceed to search for events processed by a particular correlator or collector.
