Feed Service logging
This section describes how Feed Service logs its activity.
Enabling logging
By default, logging is disabled. To enable logging, use the kl_feed_service_log.conf file in the bin directory where the binary file of the service is located. Fill in the kl_feed_service_log.conf file as described in this section. This file is used by Feed Service and the watchdog module. A change in the contents of the kl_feed_service_log.conf file results in the new settings being applied; this process takes several seconds.
Enabling logging decreases the performance of Feed Service. Use logging only if you encounter problems and errors.
Logging and data security
If you enable logging, Feed Service can write to the log files any of the following information that can be considered private, security-related, or sensitive:
- Unmodified data (URLs, IP addresses, hashes, and other data) as it is received by Feed Service.
- The results of checking events against a feed.
Log files are regular text files. No information written to the log files is encrypted. The log files have standard inherited access rights. We recommend that you assign the directory for storing log files the appropriate rights so that only the administrator can read the log files.
Kaspersky CyberTrace does not send log files or any data contained in them to Kaspersky. For technical support purposes, your Technical Account Manager can ask you to provide log files.
Log files are stored until they are explicitly deleted by a user. If the Append parameter in the logging configuration file is 0, the previous log files are deleted when Feed Service is started. If the Append parameter in the logging configuration file is 1, the information is retained during the full cycle of Feed Service usage.
If you uninstall Kaspersky CyberTrace, these log files will not be deleted if the directory with log files is located outside of the Feed Service installation directory (as specified by the LogsFolder parameter).
For more information about data written to the log files, see subsection "Log file contents" below.
Logging configuration file
The kl_feed_service_log.conf file is an XML file. Its fields are described in the table below.
Parameter | Description | Mandatory / optional |
---|---|---|
WriteLog | Log level. One of the following values can be used: | Optional. By default, |
LogsFolder | The directory where to store log files. Absolute and relative paths can be used. On Windows, you cannot use the following symbols in the If you use environment variables in the | Optional. By default, the |
SizeLimit | The maximum size of the log file, in MB. If | Optional. By default, |
Append | Indicates whether old log files must be removed ( | Optional. By default, |
UseSyslog | Indicates whether the system daemon syslog will be used for logging (1) or not (0). This parameter is not used in Windows. | Optional. By default, |
Configuration file example
The following kl_feed_service_log.conf file example enables logging at the dbg logging level. Logs will be stored in the logs subdirectory of the directory where the Feed Service binary file resides.

    <Logging>
      <WriteLog>dbg</WriteLog>
      <LogsFolder>logs</LogsFolder>
      <SizeLimit>0</SizeLimit>
      <Append>0</Append>
      <UseSyslog>0</UseSyslog>
    </Logging>

Log files name format
Feed Service writes messages to files named "kl_feed_service-<pid>-<date_time>.log" or "kl_feed_service-<pid>-<date_time>_<index>.log".
The watchdog module writes messages to files named "kl_feed_servicewd-<pid>-<date_time>.log" or "kl_feed_servicewd-<pid>-<date_time>_<index>.log".
Log file contents
If the err logging level is used, Feed Service writes the following information to the log:
- Feed Service version and PID of the service process.
- The Feed Service configuration file parameters.
- Path to the directory with feeds.
- Errors that occurred when normalizing a URL.
- Errors that occurred while establishing a TCP connection.
- Watchdog messages:
  - Feed Service freezing or crashing.
  - Restarting Feed Service.
- Errors that occurred while changing the state of CyberTrace Web interface elements. Identifiers of user sessions where these errors occurred.
- Information about errors that occurred while handling CyberTrace Web HTTP requests:
  - Request method, GET or POST.
  - Request path for GET and POST requests.
  - GET request parameters. For POST requests, the request body is not logged.
  - Total elapsed time for handling the request.
If the inf logging level is used, Feed Service writes the following information to the log:
- Information to be written at the err logging level.
- Establishing or closing a TCP connection.
- Receiving and sending TCP requests and responses.
- Switching Feed Service to same-socket mode.
- Putting new databases into effect.
- Detecting an event that matches some record in a feed.
- Incoming event.
  Note that incoming events can contain private data, and so we recommend that you protect the log files from unauthorized access.
- Messages about navigating CyberTrace Web pages. Identifiers of user sessions for these messages.
If the dbg logging level is used, Feed Service writes the following information to the log:
- Information to be written at the inf logging level.
- Substrings in events information that regular expressions match.
- The result of checking an event against a feed.
- Sending test messages to and from the watchdog module.
- Messages about actions performed on CyberTrace Web pages. Identifiers of user sessions for these messages.
- Information about successful CyberTrace Web HTTP requests:
  - Request method, GET or POST.
  - Request path for GET and POST requests.
  - GET request parameters. For POST requests, the request body is not logged.
  - Total elapsed time for handling the request.
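
The following audit script is an added example, not Kaspersky code. It parses kl_feed_service_log.conf, resolves LogsFolder against the bin directory, and reports log levels that record sensitive data, retention that outlives restarts or uninstall, and log directories or files accessible to group or other. It assumes POSIX permission bits; `audit_logging`, `install_dir` and the other names are hypothetical.

```python
import os, re, stat
import xml.etree.ElementTree as ET

# Name format from this page: kl_feed_service[wd]-<pid>-<date_time>[_<index>].log
LOG_NAME = re.compile(r"^kl_feed_service(?:wd)?-\d+-.+\.log$")
# What each level writes, summarised from "Log file contents" above.
SENSITIVE = {"err": "configuration parameters and GET request parameters",
             "inf": "incoming events, which can contain private data",
             "dbg": "incoming events, regex-matched substrings and check results"}

def _open_to_others(path):
    """True if group or other has any permission bit set (POSIX modes)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def audit_logging(conf_path, install_dir):
    """Return a list of findings for one kl_feed_service_log.conf.
    install_dir is an assumed parameter: the Feed Service installation directory."""
    root = ET.parse(conf_path).getroot()
    get = lambda tag: (root.findtext(tag) or "").strip()
    findings = []
    level = get("WriteLog")
    if level in SENSITIVE:
        findings.append(f"WriteLog={level}: log holds {SENSITIVE[level]}")
    if get("Append") == "1":
        findings.append("Append=1: old log files are kept across restarts")
    folder = get("LogsFolder")
    if not folder:
        return findings  # default folder is not stated here; nothing to inspect
    # Relative paths are resolved against the bin directory that holds the conf file.
    bin_dir = os.path.dirname(os.path.abspath(conf_path))
    logs = os.path.realpath(os.path.join(bin_dir, folder))
    root_dir = os.path.realpath(install_dir)
    if os.path.commonpath([logs, root_dir]) != root_dir:
        findings.append(f"{logs}: outside install dir, survives uninstall")
    if not os.path.isdir(logs):
        return findings
    if _open_to_others(logs):
        findings.append(f"{logs}: directory accessible to group/other")
    for name in sorted(os.listdir(logs)):
        path = os.path.join(logs, name)
        if LOG_NAME.match(name) and _open_to_others(path):
            findings.append(f"{path}: log file accessible to group/other")
    return findings
```
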