KUMA services

Services are the main components of KUMA that help the system to manage events: services allow you to receive events from event sources and subsequently bring them to a common form that is convenient for finding correlation, as well as for storage and manual analysis. Each service consists of two parts that work together:

• One part of the service is created inside the KUMA web interface based on set of resources for services.
• The second part of the service is installed in the network infrastructure where the KUMA system is deployed as one of its components. The server part of a service can consist of multiple instances: for example, services of the same agent or storage can be installed on multiple devices at once.

  On the server side, KUMA services are located in the /opt/kaspersky/kuma directory.

  When you install KUMA in high availability mode, only the KUMA Core is installed in the cluster. Collectors, correlators, and storages are hosted on hosts outside of the Kubernetes cluster.

Parts of services are connected to each other via the service ID.

Service types:

• Storages are used to save events.
• Correlators are used to analyze events and search for defined patterns.
• Collectors are used to receive events and convert them to KUMA format.
• Agents are used to receive events on remote devices and forward them to KUMA collectors.

In the KUMA web interface, services are displayed in the Resources → Active services section in table format. The table of services can be updated using the Refresh button and sorted by columns by clicking on the active headers.

The maximum table size is not limited. If you want to select all services, scroll to the end of the table and select the Select all check box, which selects all available services in the table.

Table columns:

• Status—service status:
  • Green means that the service is running.
  • Red means that the service is not running.
  • Yellow means that there is no connection with ClickHouse nodes (this status is applied only to storage services). The reason for this is indicated in the service log if logging was enabled.
  • Gray—if a deleted tenant had a running service that continues to work, that service is displayed with a gray status on the Active services page. Services with the gray status are kept to let you copy the ID and remove services on your servers. Only the General administrator can delete services with the gray status.
• Type—type of service: agent, collector, correlator, or storage.
• Name—name of the service. Clicking on the name of the service opens its settings.
• Version—service version.
• Tenant—the name of the tenant that owns the service.
• FQDN—fully qualified domain name of the service server.
• IP address—IP address of the server where the service is installed.
• API port—Remote Procedure Call port number.
• Uptime—the time showing how long the service has been running.
• Created—the date and time when the service was created.

The table can be sorted in ascending and descending order, as well as by the Status parameter. To sort active services, right-click the context menu and select one or more statuses.

You can use the buttons in the upper part of the Services window to perform the following group actions:

• Add service

  You can create new services based on existing service resource sets. We do not recommend creating services outside the main tenant without first carefully planning the inter-tenant interactions of various services and users.

• Refresh list
• Update configuration
• Restart
• Reset certificate
• Delete

To perform an action with an individual service, right-click the service to display its context menu. The following actions are available:

• Copy service ID

  You need this ID to install, restart, stop, or delete the service.

• Go to Events
• Update service configuration
• Restart service
• Download log

  If you want to receive detailed information, enable the Debug mode in the service settings.

• Reset certificate
• Delete service

To change a service, select a service under Resources → Active services. This opens a window with a set of resources based on which the service was created. You can edit the settings of the set of resources and save your changes. To apply the saved changes, restart the service.

If, when changing the settings of a collector resource set, you change or delete conversions in a normalizer connected to it, the edits will not be saved, and the normalizer itself may be corrupted. If you need to modify conversions in a normalizer that is already part of a service, the changes must be made directly to the normalizer under Resources → Normalizers in the web interface.