This section provides information to help you solve problems you might encounter when using Kaspersky CyberTrace.
If you have encountered problems while using Kaspersky CyberTrace, ensure that:
The CyberTrace service is running.
Windows: run sc query cybertrace from the command line to check the service status.
Linux: run systemctl status cybertrace.service from the terminal to check the service status.
The feeds page https://wlinfo.kaspersky.com/api/v1.0/feeds is accessible. To check this on both Windows and Linux, run the following command (add the --proxy option only if CyberTrace reaches the internet through a proxy server):
curl -v --cert /opt/kaspersky/ktfs/dmz/feeds.pem [--proxy user:password@proxy-server.ru:3128] https://wlinfo.kaspersky.com/api/v1.0/feeds
If the check succeeds, the output lists the feeds available under the certificate, for example:
{ "name": "TI Demo Botnet C&C URL Data Feed", "updates": {"href": "https://wlinfo.kaspersky.com/api/v1.0/feeds/85/updates"}, "license": {"expires": "2024-02-19T00:00:00"} }
If the output contains an error instead, send it to Technical Support.
The IP address and port of the SIEM are specified correctly: select the Settings > Service tab; under Service sends events to, enter the IP address of the SIEM in the IP address text box and the port of the SIEM in the Port text box.
The kl_feed_service.conf configuration file specifies the correct address and port for sending events (check this only if the CyberTrace service cannot run). The file is located at:
Windows: \Kaspersky Lab\Kaspersky CyberTrace\bin\kl_feed_service.conf
Linux: /opt/kaspersky/ktfs/etc/kl_feed_service.conf
The following is an example of the relevant settings in the configuration file:
<OutputSettings>
  <ConnectionString>127.0.0.1:9998</ConnectionString>
</OutputSettings>
The port used by the event source to connect to CyberTrace is correct.
The embedded firewall on the CyberTrace host is configured to allow incoming events from the source on that port.
The embedded firewall on the SIEM host is configured to allow incoming detection events from CyberTrace on the port the SIEM listens on.
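The checks above can be scripted so that one run reports the service state, whether the SIEM port in kl_feed_service.conf is reachable, and which feeds the certificate still licenses. The following is an added example written for this page; it is not part of the Kaspersky documentation or the CyberTrace product. It assumes that the feeds endpoint returns a JSON list of objects shaped like the sample entry above, that feeds.pem holds both the client certificate and its key (as curl --cert requires), and that a ConnectionString element sits under OutputSettings; the <Settings> root element and both sample inputs are constructed for the example.

```python
"""Scripted version of the CyberTrace checks: service state, SIEM port, feed licenses."""
import json
import socket
import ssl
import subprocess
import sys
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime

FEEDS_URL = "https://wlinfo.kaspersky.com/api/v1.0/feeds"
CERT_PATH = "/opt/kaspersky/ktfs/dmz/feeds.pem"             # same PEM the curl check uses
CONF_PATH = "/opt/kaspersky/ktfs/etc/kl_feed_service.conf"  # Linux path; adjust on Windows

# Constructed sample of the OutputSettings part of kl_feed_service.conf
# (the <Settings> root element is an assumption, not taken from the product).
SAMPLE_CONF = """<Settings>
  <OutputSettings>
    <ConnectionString>127.0.0.1:9998</ConnectionString>
  </OutputSettings>
</Settings>"""

# Constructed sample response shaped like the feed entry shown on this page;
# the API is assumed to return a JSON list of such objects.
SAMPLE_FEEDS = json.dumps([{
    "name": "TI Demo Botnet C&C URL Data Feed",
    "updates": {"href": "https://wlinfo.kaspersky.com/api/v1.0/feeds/85/updates"},
    "license": {"expires": "2024-02-19T00:00:00"},
}])


def parse_connection_string(conf_xml):
    """Return (host, port) from OutputSettings/ConnectionString; raise ValueError if absent."""
    root = ET.fromstring(conf_xml)
    out = root if root.tag == "OutputSettings" else root.find(".//OutputSettings")
    node = out.find("ConnectionString") if out is not None else None
    if node is None or not node.text or ":" not in node.text:
        raise ValueError("OutputSettings/ConnectionString missing or not in host:port form")
    host, port = node.text.strip().rsplit(":", 1)
    return host, int(port)


def feeds_status(feeds_json, now):
    """Map each feed name to 'ok' or 'expired' by comparing license.expires with now (datetime or ISO string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    status = {}
    for feed in json.loads(feeds_json):
        expires = datetime.fromisoformat(feed["license"]["expires"])
        status[feed["name"]] = "expired" if expires <= now else "ok"
    return status


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds; this is what the SIEM-side firewall must allow."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def service_running():
    """Run the status command from this page for the current OS and report whether the service is active."""
    if sys.platform.startswith("win"):
        out = subprocess.run(["sc", "query", "cybertrace"], capture_output=True, text=True).stdout
        return "RUNNING" in out
    return subprocess.run(["systemctl", "is-active", "--quiet", "cybertrace.service"]).returncode == 0


def fetch_feeds(cert_path=CERT_PATH, proxy=None):
    """Equivalent of the curl check: TLS client auth with feeds.pem, optional user:password@host:port proxy."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(cert_path)  # assumes feeds.pem holds certificate and key, as curl --cert expects
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"https": "http://" + proxy}))
    with urllib.request.build_opener(*handlers).open(FEEDS_URL, timeout=15) as resp:
        return resp.read().decode()


def main():
    print("CyberTrace service running:", service_running())
    with open(CONF_PATH) as fh:
        host, port = parse_connection_string(fh.read())
    print(f"SIEM {host}:{port} reachable from this host:", tcp_reachable(host, port))
    proxy = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. user:password@proxy-server.ru:3128
    for name, state in feeds_status(fetch_feeds(proxy=proxy), datetime.now()).items():
        print(f"{state:8} {name}")


if __name__ == "__main__":
    main()
```

Run it on the CyberTrace host as the user that runs the service, so the certificate and configuration file are readable with the same permissions the service has. A feed reported as expired explains missing detections even when the service is running and the SIEM port is reachable, which is why the license date is checked alongside connectivity.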
If the problem is not solved, contact Technical Support, and attach the following:
The kl_feed_service.conf configuration file:
Windows: \Kaspersky Lab\Kaspersky CyberTrace\bin\kl_feed_service.conf
Linux: /opt/kaspersky/ktfs/etc/kl_feed_service.conf
There are two ways of getting the configuration file:
The debug log files. For more information, see Logging settings and Feed Service logging.
Be aware that the debug log files you send to Technical Support contain the full text of incoming events.
The report created by the collect.sh script. Running the collect.sh script creates a report containing all basic diagnostic information from your computer.
Before sending the report to Technical Support, remove all information that you consider confidential from it.
For information on how to create a report, see https://support.kaspersky.com/15732.