Kaspersky Next XDR Expert

Creating an event router


An event router is a service that allows you to receive streams of events from collectors and correlators and then distribute the events to specified destinations in accordance with the configured filters.

To have events from a collector sent to the event router, you must create an 'eventRouter' destination resource with the address of the event router and link the resource to the collectors whose events you want to send to the event router.

The event router receives events on the API port, just like storage and correlator destinations.

You can create a router in the Resources section.

Using an event router lets you reduce the utilization of links, which is important for low-bandwidth and busy links.

Possible use cases:

Collector — Router in the data center

The collector sends events to an event router in the data center, and the event router sends the events to the specified destinations: correlator and storage.


Preconditions:

  • KUMA 3.2 collectors are configured at the branch offices.
  • The data center has the capacity to install an event router.
  • KUMA 3.2 is installed in the data center.

Steps:

  1. In the data center:
    1. Create the Event router service.
    2. Create storage and correlator destination points and specify them in the Event router.
    3. In the Event router on the Advanced settings tab, configure a filter to send events to storage and/or correlator. For example, "DeviceCustomString = correlator" or "DeviceCustomString = storage".
    4. Configure enrichment.
  2. In the collectors at branch offices:
    1. Create a destination of the eventRouter type.
    2. Specify the URL of the event router in the data center.
    3. If eventRouter replaces previously configured destinations, you can delete them.

Postcondition:

  • Collectors at the branch offices are configured.
  • The event router in the data center is configured.

Connections of branch offices to the data center have been optimized: for each collector, you no longer need to configure events to be sent both to storage and to the correlator in the data center. This halves the load on the link.

Routing to the storage and the correlator is performed within the data center.

Cascade connection: Multiple collectors — Router at the branch office; Router at the branch office — Router in the data center

Multiple collectors send events to the event router at the branch office, and the event router at the branch office sends events to the router in the data center, where events are then sent to the specified destinations, that is, correlators and storage.


Preconditions:

  • KUMA 3.2 collectors are configured at the branch offices.
  • The data center has the capacity to install an event router.
  • KUMA 3.2 is installed in the data center.

Steps:

  1. In the data center:
    1. Create the Event router service.
    2. Create storage and correlator destination points and specify them in the Event router.
    3. In the Event router on the Advanced settings tab, configure a filter to send events to storage and/or correlator. For example, "DeviceCustomString = correlator" or "DeviceCustomString = storage".
  2. At the branch office:
    1. Create the Event router service.
    2. Create a destination of the eventRouter type and specify the URL of the Event router in the data center.
  3. In the collectors at branch offices:
    1. Create a destination of the eventRouter type and specify the URL of the Event router at the branch office.
    2. If eventRouter replaces previously configured destinations, you can delete them.

Postcondition:

  1. Collectors at the branch offices are configured.
  2. The event router in the data center and the event router at the branch office are configured.

The connections of branch offices with the data center are optimized: in each collector, you no longer need to configure events to be sent to the data center; it is enough to collect all events on the branch office router and send them to the data center as one stream.

The event router must be installed on a Linux device. Only a user with the General Administrator role can create the service. You can create a service in any tenant; the tenant relation does not impose any restrictions.

You can use the following metrics to get information about the service performance:

  • IO
  • Process
  • OS

As with other resources, the following audit events are generated for the event router in KUMA:

  • Resource was successfully added
  • Resource was successfully updated
  • Resource was successfully deleted

Installing an event router involves two steps:

  • Starting the event router installation wizard
  • Installing the event router on the server

[Topic 274648]

Starting the event router installation wizard

To start the event router installation wizard:

  1. In the KUMA Console, in the Resources section, click Event routers.
  2. This opens the Event routers window; in that window, click Add.

Follow the instructions of the installation wizard, which consists of three steps:

  • Step 1. General settings of the event router
  • Step 2. Routing
  • Step 3. Setup validation


Step 1. General settings of the event router

This is a required step of the Installation Wizard. At this step, you specify the main settings of the event router: its name and the tenant that will own it.

To specify the general settings of the event router:

  1. On the Basic settings tab, fill in the following fields:
    1. In the Name field, enter a unique name for the service you are creating. The name must contain 1 to 128 Unicode characters.
    2. In the Tenant drop-down list, select the tenant that will own the event router. An event router belonging to a tenant is organizational in nature and does not impose any restrictions.
    3. If necessary, specify the number of processes that the service can run concurrently in the Handlers field. By default, the number of handlers is the same as the number of vCPUs on the server where the service is installed.
    4. You can optionally add up to 4000 Unicode characters describing the service in the Description field.
  2. On the Advanced settings tab, fill in the following fields:
    1. If necessary, use the Debug toggle switch to enable logging of service operations.
    2. You can use the Create dump periodically toggle switch at the request of Technical Support to generate resource (CPU, RAM, etc.) utilization reports in the form of dumps.
    3. In the Dump settings field, you can specify the settings to be used when creating dumps. The specifics of filling in this field must be provided by Technical Support.

General settings of the event router are specified. Proceed to the next step of the Installation Wizard.


Step 2. Routing

This is a required step of the Installation Wizard. We recommend sending events to at least two destinations: to the correlator for analysis and to the storage for retention. You can also select another event router as the destination.

To specify the settings of the destination to which you want the event router to send events received from collectors:

  1. In the Routing step of the installation wizard, click Add.
  2. This opens the Create destination window; in that window, specify the following settings:
    1. On the Basic settings tab, in the Name field, enter a unique name for the destination. The name must contain 1 to 128 Unicode characters.
    2. You can use the State toggle switch to enable or disable the service as needed.
    3. In the Type drop-down list, select the type of the destination. The following values are available:
    4. On the Advanced settings tab, specify the values of the parameters. The set of parameters that can be configured depends on the type of destination selected on the Basic settings tab. For detailed information about parameters and their values, click the link for each type of destination in item 3 of these instructions.

The created destination is displayed on the Installation Wizard tab. A destination resource can be removed from the resource set by selecting it and clicking Delete in the opened window.

Routing is configured. You can proceed to the next step of the installation wizard.


Step 3. Setup validation

This is the required, final step of the Installation Wizard.

To create an event router in the installation wizard:

  1. Click Create and save service.

    The lower part of the window displays the command that you must use to install the router on the server.

    Example command:

    /opt/kaspersky/kuma/kuma eventrouter --core https://kuma-example:<port used for communication with the KUMA Core> --id <event router service ID> --api.port <port used for communication with the service> --install

    The port for communication with the KUMA Core, the service ID, and the port for communication with the service are added to the command automatically. You must also ensure the network connectivity of KUMA and open the ports used by its components, if necessary.

  2. Close the Wizard by clicking Save.

The service is installed in the KUMA Console. You can now proceed with installing the service in the KUMA network infrastructure.


Installing the event router on the server

To install the event router on the server:

  1. Log in to the server where you want to install the event router service.
  2. Create the /opt/kaspersky/kuma/ folder.
  3. Copy the "kuma" file to the "/opt/kaspersky/kuma/" directory. The file is located inside the installer in the "/kuma-ansible-installer/roles/kuma/files/" directory.
  4. Make sure the kuma file has sufficient rights to run. If the file is not executable, make it executable:

    sudo chmod +x /opt/kaspersky/kuma/kuma

  5. Place the LICENSE file from the /kuma-ansible-installer/roles/kuma/files/ directory in the /opt/kaspersky/kuma/ directory and accept the license by running the following command:

    sudo /opt/kaspersky/kuma/kuma license

  6. Create the 'kuma' user:

    sudo useradd --system kuma && sudo usermod -s /usr/bin/false kuma

  7. Make the 'kuma' user the owner of the /opt/kaspersky/kuma directory and all files inside the directory:

    sudo chown -R kuma:kuma /opt/kaspersky/kuma/

  8. Add the KUMA event router port to firewall exclusions.

    For the program to run correctly, ensure that the KUMA components are able to interact with other components and programs over the network via the protocols and ports specified during the installation of the KUMA components.

  9. Execute the following command:

    sudo /opt/kaspersky/kuma/kuma eventrouter --core https://<FQDN of the KUMA Core server>:<port used by KUMA Core server for internal communication (port 7210 by default)> --id <service ID copied from the KUMA web console> --api.port <port used for communication with the installed component> --install

    Example:

    sudo /opt/kaspersky/kuma/kuma eventrouter --core https://kuma.example.com:7210 --id XXXX --api.port YYYY --install

The event router is installed on the server. You can use it to receive events from collectors and relay the events to specified destinations.
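As an added example that is not part of the KUMA documentation, the following POSIX shell snippet checks the state that steps 2 through 7 above should have produced (executable binary, LICENSE file, 'kuma' user, ownership) and then builds the install command from step 9, refusing non-numeric ports and the unreplaced XXXX/YYYY placeholders. The directory and user name are parameters so the checks can be run against a test directory; the default path is the documented /opt/kaspersky/kuma, and the port 7230 in the usage comment is an assumed value, not a KUMA default.

```shell
#!/bin/sh
# Added example, not from the KUMA documentation: verify the state that the
# manual steps above should have produced, then build the install command.
# KUMA_HOME defaults to the documented directory; override it for testing.
KUMA_HOME="${KUMA_HOME:-/opt/kaspersky/kuma}"

# preflight DIR USER: check binary, LICENSE, user and ownership before installing.
# Prints the first problem found (with the step it belongs to) and returns non-zero.
preflight() {
  dir=$1
  user=$2
  [ -x "$dir/kuma" ] || { echo "preflight: $dir/kuma missing or not executable (step 4)"; return 1; }
  [ -f "$dir/LICENSE" ] || { echo "preflight: $dir/LICENSE not found (step 5)"; return 1; }
  id "$user" >/dev/null 2>&1 || { echo "preflight: user $user does not exist (step 6)"; return 1; }
  # Any file under DIR not owned by USER means the recursive chown of step 7 was skipped.
  if [ -n "$(find "$dir" ! -user "$user" -print 2>/dev/null | head -n 1)" ]; then
    echo "preflight: files under $dir are not owned by $user (step 7)"
    return 1
  fi
  return 0
}

# build_install_cmd FQDN CORE_PORT SERVICE_ID API_PORT: print the documented install
# command; refuse non-numeric or out-of-range ports and the XXXX service ID placeholder.
build_install_cmd() {
  fqdn=$1
  core_port=$2
  svc_id=$3
  api_port=$4
  for p in "$core_port" "$api_port"; do
    case "$p" in
      ''|*[!0-9]*) echo "build_install_cmd: port '$p' is not numeric" >&2; return 1 ;;
    esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "build_install_cmd: port $p out of range" >&2; return 1; }
  done
  case "$svc_id" in
    ''|XXXX) echo "build_install_cmd: service ID missing; copy it from the KUMA Console" >&2; return 1 ;;
  esac
  printf 'sudo %s/kuma eventrouter --core https://%s:%s --id %s --api.port %s --install\n' \
    "$KUMA_HOME" "$fqdn" "$core_port" "$svc_id" "$api_port"
}

# Usage (7230 is an assumed API port): preflight "$KUMA_HOME" kuma && build_install_cmd kuma.example.com 7210 <service ID> 7230
```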
