Troubleshooting
This section contains information to help solve problems that you might encounter while using Kaspersky CyberTrace.
General troubleshooting
This section provides information to help you solve problems you might encounter when using Kaspersky CyberTrace.
If you encounter a problem while using Kaspersky CyberTrace, the specialists at Kaspersky can assist you. Contact your technical account manager (TAM) for more information about solutions to problems.
Problem: An error occurs when installing Kaspersky CyberTrace in Windows by using the executable installer
To solve this problem:
- Locate the log file of the executable installer:
  - Navigate to the C:\Windows\temp folder.
  - In this folder, locate the installation log file. This file is named ktfs_install_%timestamp%.log, where %timestamp% is the time of the installation in the "yyyymmddhhmmss" format.
- In the log file, look for an error message that contains additional details about the error.
- If the information in the log file does not help you to solve the error, contact your technical account manager (TAM).
Problem: The result of the verification test (self-test) is unexpected
To solve this problem when using Kaspersky CyberTrace Web:
- If one or more Kaspersky Threat Data Feeds fail the self-test that you ran on the Settings > Service tab by clicking Run self-test:
  - If you defined any filtering rules on the Settings > Feeds tab, in the Filtering rules for feeds section, in the Filtering rules subsection, remove these filtering rules, and then click Save at the bottom of the page.
  - On the Settings > Feeds tab, in the Feeds update section, click the Launch update now button to update your feeds.
  Re-run the self-test. If all Kaspersky Threat Data Feeds pass the test, add the filtering rules again, if necessary. If the problem persists, please contact your technical account manager (TAM).
- If one or more Kaspersky Threat Data Feeds fail the verification test that you ran to check whether Kaspersky CyberTrace is correctly integrated with your SIEM solution:
  - Check the feeds through Kaspersky CyberTrace Web:
    - If you defined any filtering rules on the Settings > Feeds tab, in the Filtering rules for feeds section, in the Filtering rules subsection, remove these filtering rules, and then click Save at the bottom of the page.
    - On the Settings > Feeds tab, in the Feeds update section, click the Launch update now button to update your feeds.
    Re-run the self-test. If all Kaspersky Threat Data Feeds pass the test, add the filtering rules again by using Kaspersky CyberTrace Web, if necessary.
  - Check the connection between the computer with Kaspersky CyberTrace and the computer with your SIEM solution in both directions; that is, make sure that the computer with Kaspersky CyberTrace can be reached from the computer with your SIEM solution, and that the computer with your SIEM solution can be reached from the computer with Kaspersky CyberTrace. Execute the following command on the command line:
    ping %ip%
    Here, %ip% is the IP address of the computer with Kaspersky CyberTrace (if the command is executed on the computer with your SIEM solution) or the IP address of the computer with your SIEM solution (if the command is executed on the computer with Kaspersky CyberTrace).
  - Depending on the execution result of the ping command, do one of the following:
    - If the command failed on any computer, please ask your system administrator to check and, if necessary, reconfigure the firewall.
    - If the command finished successfully on both the Kaspersky CyberTrace computer and the computer with your SIEM solution installed, and if you tried the feed check described above but are still getting the wrong verification test results, please contact your technical account manager (TAM).
To solve this problem if you do not use Kaspersky CyberTrace Web, do the following:
- If you defined any filtering rules in the Feed Utility configuration file, remove them and run Feed Utility for the changes to take effect.
  Re-run the verification test. If all Kaspersky Threat Data Feeds pass the test, add the filtering rules to the configuration file again, if necessary.
- Check the connection between the computer with Kaspersky CyberTrace and the computer with your SIEM solution in both directions. That is, make sure that the computer with Kaspersky CyberTrace can be reached from the computer with your SIEM solution, and that the computer with your SIEM solution can be reached from the computer with Kaspersky CyberTrace. Execute the following command on the command line:
  ping %ip%
  Here, %ip% is the IP address of the computer with Kaspersky CyberTrace (if the command is executed on the computer with your SIEM solution) or the IP address of the computer with your SIEM solution (if the command is executed on the computer with Kaspersky CyberTrace).
- Depending on the execution result of the ping command, do one of the following:
  - If the command failed on any computer, please ask your system administrator to check and, if necessary, reconfigure the firewall.
  - If the command finished successfully and you tried (without result) editing the Feed Utility configuration file by removing the filtering rules and then running Feed Utility, please contact your technical account manager (TAM).
Problem: Feed Service cannot start
To solve this problem, try the following actions:
- Make sure that the port specified in the input settings is open.
- Check that the Feed Service configuration file is correct.
- Perform the initial configuration of Kaspersky CyberTrace:
/opt/kaspersky/ktfs/bin/configure -i
Problem: Feed Service does not write logs
To solve this problem, try the following actions:
- Make sure that Feed Service is running.
- Check the settings specified in the kl_feed_service_log.conf file.
- Contact your technical account manager (TAM).
Problem: The feeds cannot be downloaded
To solve this problem, try the following actions:
- Make sure that authentication of the proxy server is successful.
- Make sure that the certificate provided by your TAM is valid and has not expired.
Problem: The certificate cannot be authenticated
The "peer certificate cannot be authenticated with given CA certificates" error message appears in this case.
To solve this problem, try the following actions:
Make sure that you have the correct root certificate installed on your system. If you do not have the required root certificate, follow these steps:
- Go to https://wlinfo.kaspersky.com/ and authenticate with your certificate.
- In the leftmost part of the address bar of your browser, click the "lock" icon and select Certificate.
The Certificate window opens.
- In the Certificate window, select the Certification Path tab.
- Select the root certificate (the certificate at the top of the certification path) and click the View Certificate button.
The Certificate window opens.
- In the Certificate window, select the Details tab.
- In the table that appears, find the Serial number field and note its value. Do not close the window.
- Go to https://www.digicert.com/digicert-root-certificates.htm and use the serial number from step 6 to find the required root certificate.
- Download this root certificate and follow the standard procedure for your operating system to install it to the certificate store.
When following the linked procedure, make sure that you use the root certificate downloaded in steps 7 and 8, and not the one exported through a browser by clicking Copy to File.
You can use this procedure to solve the same problem with https://127.0.0.1 (or https://localhost) and other sites that Kaspersky CyberTrace visits to download custom or third-party feeds.
Problem: Microsoft Internet Explorer 11 does not display fonts and font styles properly
The cause of this problem may be the accessibility settings of Internet Explorer.
To solve this problem, try the following actions:
- Open Internet Explorer.
- Select the Tools button, and then select Internet options.
- Select the General tab, and then select Accessibility.
- Make sure that the Ignore font styles specified on webpages and Ignore font sizes specified on webpages check boxes are not selected.
- Click OK, and then OK again.
Feed Utility troubleshooting
This section provides information to help you solve problems you might encounter when using Feed Utility.
If you encounter a problem while using Feed Utility, the specialists at Kaspersky can assist you. Contact your technical account manager (TAM) for more information about solutions to problems.
Network problems
If Feed Utility does not download feeds, or you encounter any network-related problem:
- Check that the certificate specified in the configuration file is valid. The default certificate from the distribution kit can be used to download demo feeds only.
- Check that the network is configured properly.
If you want Feed Utility to access Kaspersky servers through a proxy server, use the --set-proxy command to configure the proxy server parameters. In this case, make sure that your user name and password for the proxy server are valid and have not expired.
An SSL error while downloading a third-party feed
If an SSL error occurs while downloading a third-party feed:
- Check that your operating system has a root certificate for the third-party feed source. If required, import the root certificate for the third-party feed source using standard system tools and utilities.
Problems with feed processing
If Feed Utility does not process feeds as required:
- Check that the configuration file parameters are specified without typos. Feed Utility ignores parameter names with typos. For example, if you specify a ReqFields parameter instead of RequiredFields, Feed Utility will ignore this parameter.
- Check that feed rules and filtering rules are specified correctly. For example, filtering rules may be specified in such a way that no records are included in the resulting feed.
- If you download and unpack feeds (with the -d and -u commands) separately from processing them (with the -p command), Feed Utility may print an error message about several versions of the original feed file. Make sure that you delete the original feed files in the directory where Feed Utility unpacks them. Feed Utility does not do this automatically.
Other problems
In case of other problems, contact your technical account manager (TAM).
CyberTrace Web troubleshooting
This section provides information to help you solve problems that you might encounter when using Kaspersky CyberTrace Web.
If you encounter a problem while using Kaspersky CyberTrace Web, the specialists at Kaspersky can assist you. Contact your technical account manager (TAM) for more information about solutions to problems.
Problem: I forgot my password
To solve this problem, try the following actions:
- If your user account role is Analyst, contact your Administrator to change the password.
- If your user account role is Administrator, and you want to change the password for another user, see User settings.
- If your user account role is Administrator, and you want to reset the password for your user account, see Using Password Utility.
Problem: A white screen is displayed when CyberTrace Web is opened in a browser
A possible reason for this problem is the use of an unsupported browser. Please check that you use a supported browser.
Problem: "Could not update feeds" error message is displayed when updating feeds manually
To solve this problem, try the following actions:
- Try to run the update process again later. The source of this problem is another update process that runs at the same time.
- Contact your technical account manager (TAM).
Problem: Untrusted connection error when connecting to Kaspersky CyberTrace Web
The SSL certificates that are generated during the installation of CyberTrace are self-signed, and so the browser you use informs you about an untrusted connection.
To solve this problem, try the following actions:
- (Recommended) Use other certificates that are trusted in your infrastructure.
- If you cannot use other certificates, you can add the initially generated certificates as trusted to your browser or operating system.
Problem: The SSL certificate has expired
The SSL certificates that are generated during the installation of CyberTrace are valid for two years. If the certificates expire, you must generate new certificates.
To solve this problem, try the following actions:
- In Linux:
  - Run the following command in the console:
    %service_dir%/configure --change
  - Specify the same parameters that you specified during the previous CyberTrace installation.
- In Windows:
  - Run the executable installer of Kaspersky CyberTrace.
  - Click the Change button.
  - Specify the same parameters that you specified during the previous Kaspersky CyberTrace installation.
Problem: An error occurred while searching for indicators from a log file or file hashes
There are several possible reasons for this error:
- There is no free disk space on the computer on which Kaspersky CyberTrace is installed.
  We recommend that you do the following:
  - Restart Kaspersky CyberTrace: files related to previous searches might have been left behind.
  - Delete unnecessary files from the computer on which Kaspersky CyberTrace is installed.
- An error occurred while trying to open a file selected for a search. This can occur when a file has been removed or if the Kaspersky CyberTrace process did not have read rights to the file.
  - Make sure that the file has not been removed and that you have access to it.
Problem: Cannot sign in to Kaspersky CyberTrace after it is updated
To solve this problem, try the following actions:
- Clear the browser cache using the standard method for your browser.
Splunk troubleshooting
This section provides information to help you solve problems you might encounter when using Kaspersky CyberTrace with Splunk.
If you encounter a problem while using Kaspersky CyberTrace, the specialists at Kaspersky can assist you. Contact your technical account manager (TAM) for more information about solutions to problems.
Problem: Kaspersky CyberTrace App does not display the events from Feed Service or displays them incorrectly
To solve this problem, try the following actions:
- Make sure that the Feed Service computer is turned on and that Feed Service is running.
- Make sure that the Feed Service computer is accessible from the computer on which Splunk is installed. You can use the ping utility for this purpose.
- Make sure that the Feed Service configuration file contains a correct output connection string (you can check the connection string on the Settings > Service tab in Kaspersky CyberTrace Web).
- Make sure that ports and addresses for incoming events are specified correctly in the Kaspersky CyberTrace App configuration file.
- Make sure that the specified ports are open. You can use the netcat utility for this purpose.
- Try using the default integration scheme for Splunk and Feed Service (in this scheme, the forwarder, indexer, and search head are installed on a single computer).
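The ping and netcat steps above (and the same steps in the ArcSight, QRadar and RSA NetWitness sections) test one thing: that the port in the connection string accepts TCP connections from the other machine. The following script is an added example and is not part of the Kaspersky CyberTrace documentation. It does the netcat part of that check from the machine that must reach the service and tells a refused connection (host answers, nothing listening on that port) apart from a timeout (no answer at all, typically a firewall dropping packets). The host names and ports in the main block are placeholders; self_check() shows both outcomes against a throwaway listener on the loopback interface, so it runs without any SIEM.

```python
"""Added example, not part of the Kaspersky CyberTrace documentation: a TCP
reachability check for the 'make sure the port is open' steps. Run it on the
machine that must reach the service (the Splunk host for the Feed Service
input port, the Feed Service host for the Splunk receiver port)."""
import socket
from dataclasses import dataclass


@dataclass
class PortCheck:
    host: str
    port: int
    reachable: bool
    detail: str


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> PortCheck:
    """Attempt a TCP handshake and explain the failure mode.

    'connection refused' means the host answered but nothing listens on the
    port (service down, wrong port in the connection string, or a firewall
    that rejects). 'timed out' means no answer at all, which usually points
    at a firewall that silently drops packets on one of the two machines."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortCheck(host, port, True, "connected")
    except ConnectionRefusedError:
        return PortCheck(host, port, False, "connection refused (host up, port closed)")
    except socket.timeout:
        return PortCheck(host, port, False, "timed out (check firewalls on both sides)")
    except OSError as exc:  # no route to host, name resolution failure, etc.
        return PortCheck(host, port, False, f"error: {exc}")


def check_all(targets):
    """Run check_tcp_port for every (host, port) pair and return the results."""
    return [check_tcp_port(host, port) for host, port in targets]


def self_check():
    """Demonstrate both outcomes locally: open a listener on an ephemeral
    loopback port, probe it, close it, probe again.
    Returns (reachable_while_open, reachable_after_close)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = check_tcp_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = check_tcp_port("127.0.0.1", port, timeout=1.0)
    return while_open.reachable, after_close.reachable


if __name__ == "__main__":
    print("self-check (expect (True, False)):", self_check())
    # Placeholder targets: Feed Service input port and the Splunk receiving port.
    for result in check_all([("feed-service.example", 9999), ("splunk.example", 9997)]):
        status = "OK" if result.reachable else "FAIL"
        print(f"{result.host}:{result.port} {status} ({result.detail})")
```

Run it once in each direction (from the Splunk computer towards Feed Service, and from the Feed Service computer towards Splunk), because a firewall rule may allow one direction only. A timeout rather than a refusal is the result to take to the system administrator, as the firewall step in the verification-test problem above suggests.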
Problem: Feed Service does not receive events from Splunk
To solve this problem, try the following actions:
- Make sure that the Splunk computer is turned on and that Splunk is running.
- Make sure that the Feed Service computer is accessible from the Splunk computer. You can use the ping utility for this purpose.
- Make sure that the events are forwarded from Splunk to Feed Service. Check that addresses and ports are specified correctly in Kaspersky CyberTrace App configuration files.
- Make sure that ports specified in the Kaspersky CyberTrace App configuration files are open on the Feed Service computer. You can use the netcat utility for this purpose.
- Try using the default integration scheme for Splunk and Feed Service.
ArcSight troubleshooting
This section provides information to help you solve problems you might encounter when using Kaspersky CyberTrace with ArcSight.
If you encounter a problem while using Kaspersky CyberTrace, the specialists at Kaspersky can assist you. Contact your technical account manager (TAM) for more information about solutions to problems.
Problem: ArcSight does not display the events from Feed Service or displays them incorrectly
To solve this problem, try the following actions:
- Make sure that the Feed Service computer is turned on and Feed Service is running (for Windows version, see section "Managing Feed Service using the script (Windows)").
- Make sure that the ArcSight computer is accessible from the Feed Service computer.
- Make sure that the port specified in the output connection string is open.
- Make sure that ArcSight Forwarding Connector and ArcSight SmartConnector (for Windows version, see section "Installing ArcSight SmartConnector (Windows)") are running.
- Make sure that Feed Service listens on the port to which Forwarding Connector sends data from ArcSight ESM.
- Make sure that Feed Service sends the events to ArcSight SmartConnector.
- Check that ArcSight SmartConnector is configured properly.
  For this purpose, run the following command:
  %ARCSIGHT_HOME%/current/bin/runagentsetup.sh (in Linux)
  %ARCSIGHT_HOME%\current\bin\runagentsetup.bat (in Windows)
  Here %ARCSIGHT_HOME% is the directory where ArcSight SmartConnector is installed.
Problem: An active channel does not display events after a new ARB package is imported
To solve this problem, try the following actions:
Check the filter used in the active channel:
- Go to Filters > Shared > All Filters > Public > Kaspersky CyberTrace Connector.
- Make sure that the device product field has the value of Kaspersky CyberTrace for ArcSight.
Create a new active channel:
- Delete the current active channel and create a new one.
- Configure the new active channel as follows:
  - Set the Start Time and End Time parameters as you wish.
  - Set the Use as Timestamp parameter to Manager Receipt Time.
  - If you want the active channel to be updated automatically, select Continuously evaluate in the Time Parameters section of the active channel's properties.
  - In the Filters section, specify the filter that has the same name as the active channel itself. You can find available filters in the tree view of ArcSight Console, at the Filters > Shared > All Filters > Public > Kaspersky CyberTrace Connector location when the Filters item is selected in the drop-down box.
  - In the Fields section, specify the item that has the same name as the active channel itself. You can find available fields in the tree view of ArcSight Console, at the Field Sets > Shared > All Field Sets > Public > Kaspersky CyberTrace Connector location when the Field Sets item is selected in the drop-down box.
Problem: Feed Service does not receive events from ArcSight
To solve this problem, try the following actions:
- Make sure that the Feed Service computer is turned on and Feed Service is running (for Windows, see section "Managing Feed Service using the script (Windows)").
- Make sure that the ArcSight computer is turned on and ArcSight is running.
- Make sure that the Feed Service computer is accessible from the ArcSight computer. You can use the ping utility for this purpose.
- Make sure that the port that is specified in the input connection string is open on the Feed Service computer. You can use the netcat utility for this purpose.
- Check the regular expressions in the Feed Service configuration file or by using the Settings > Events Format tab in Kaspersky CyberTrace Web.
- Make sure that the ArcSight forwarding connector that you installed is running.
  In Linux, you can use the following command for this purpose:
  ps -Af | grep %DIR_NAME%/current/bin
  Here %DIR_NAME% is the directory in which the forwarding connector is installed. If the forwarding connector process is running, the information about it will be displayed in the console.
- If Feed Service stopped receiving events from ArcSight after a new ARB package is imported, register ArcSight Forwarding Connector once more by running the following command and following the instructions of the wizard:
  %ConnectorInstallDir%/current/bin/runagentsetup.sh
  Here %ConnectorInstallDir% is the directory in which ArcSight Forwarding Connector is installed.
Problem: an authentication error occurs in ArcSight Forwarding Connector or the account intended for use by ArcSight Forwarding Connector is absent
To solve this problem, try the following actions:
- Run ArcSight Console.
- Select Users > Shared > Custom User Groups.
- Create the Kaspersky CyberTrace Connector group.
- Right-click the Kaspersky CyberTrace Connector group, and then select Edit Access Control.
- Select the Events tab.
- Click Add.
- Select the CyberTrace forwarding events filter.
- Click Save.
- In the Kaspersky CyberTrace Connector group, specify the following options for the account:
  - Any user name (for example, FwdCyberTrace)
  - In the type field, the Forwarding Connector type
  - Password
These credentials will be used to forward events from ArcSight to Kaspersky CyberTrace.
QRadar troubleshooting
This section provides information to help you solve problems you might encounter when using Kaspersky CyberTrace with QRadar.
If you encounter a problem while using Kaspersky CyberTrace, the specialists at Kaspersky can assist you. Contact your technical account manager (TAM) for more information about solutions to problems.
Problem: QRadar does not display the events from Feed Service or displays them incorrectly
To solve this problem, try the following actions:
- Make sure that the Feed Service computer is turned on and Feed Service is running.
- Make sure that the Feed Service configuration file contains a correct output connection string and the format of output events conforms to the QRadar LEEF standard.
- Make sure that Feed Service is added to QRadar as a log source.
- Make sure that the QIDs of the Feed Service events are imported to QRadar.
- Make sure that the QIDs are correctly mapped to the Feed Service events.
- Make sure that the QRadar computer is accessible from the Feed Service computer.
- Make sure that the port specified in the output connection string is open.
Problem: Feed Service does not receive events from QRadar
To solve this problem, try the following actions:
- Make sure that the events are forwarded from QRadar to Feed Service and the routing rules are set correctly.
- Make sure that the Feed Service computer is turned on and Feed Service is running.
- Make sure that the QRadar computer is turned on and QRadar is running.
- Make sure that the Feed Service computer is accessible from the QRadar computer. You can use the ping utility for this purpose.
- Make sure that the port that is specified in the input connection string is open on the Feed Service computer. You can use the netcat utility for this purpose.
- Check the regular expressions in the Feed Service configuration file or by using the Settings > Events Format tab in Kaspersky CyberTrace Web.
Problem: After Kaspersky Threat Feed App is installed and custom event properties are added, some of these event properties are incorrectly extracted from the detection event context
To solve this problem, try the following actions:
- In QRadar Console, select Admin > Custom Event Properties.
- Locate the custom event properties with the Log Source Type value of Kaspersky CyberTrace by sorting the table by log source type.
- Select the row corresponding to the property that is extracted incorrectly and click Edit.
The Custom Event Property Definition window opens.
- In the Test Field form, paste an example of an event generated by Kaspersky CyberTrace that contains the incorrectly extracted property.
- In the Property Expression Definition pane, in the Extraction section, change the value in the RegEx field from %property%=([^=]*)(?:\s[^=]+=) to %property%=\[(.*)\], where %property% is the property name.
- Click Test to make sure the required part of the event is highlighted in the Test Field form.
- Click Save to apply the changes.
Problem: After Kaspersky Threat Feed App is installed, no chart is displayed
To solve this problem, try the following actions:
- Wait until the data is loaded by QRadar.
Do the same when you change the log source name in the Kaspersky Threat Feed App settings.
Problem: A search cannot be made using Kaspersky Threat Feed App, or the self-test of Kaspersky Threat Feed App fails
To solve this problem, try the following actions:
- Make sure that you have specified the correct value in the Feed Service Connection String setting of Kaspersky Threat Feed App.
- If Kaspersky CyberTrace is installed on the QRadar computer, add the necessary iptables rules, as described in section "Configuring Kaspersky Threat Feed App".
Problem: When you add a new regular expression to the event output format, QRadar extracts the incorrect corresponding value from Kaspersky CyberTrace detection events
To solve this problem, make sure that event fields in a row are separated by a tab character, as required by the LEEF standard.
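The two extraction problems in this section (the RegEx change for custom event properties, and the tab separator required between LEEF fields) can be reproduced offline. The following script is an added example and is not from the Kaspersky or IBM documentation. The sample events are constructed, not real CyberTrace output; only the key=[value] layout and the two regular expressions come from the text. It splits a LEEF event the way a LEEF consumer does (so space-separated attributes visibly collapse into one field), then applies the old pattern, the documented replacement, and a non-greedy variant of my own to each property. The documented pattern is exact when the property is the last bracketed field on the line; when more bracketed fields follow, its greedy .* runs to the last ] on the line, which is why the non-greedy form \[(.*?)\] is shown beside it.

```python
"""Added example (not part of the Kaspersky or IBM documentation): why the
custom-property RegEx change is needed and why LEEF attributes must be
tab-separated. Sample events are constructed."""
import re

TAB = "\t"
# Constructed event: LEEF header (five '|'-separated fields), then tab-separated attributes.
GOOD_EVENT = "LEEF:1.0|Kaspersky|CyberTrace|2.0|detected|" + TAB.join([
    "category=[Malicious_URL]",
    "url=[http://example.invalid/path?id=1&x=2]",
    "src=[10.0.0.5]",
])
# Same event with spaces between attributes: the mistake described in the last problem above.
SPACE_EVENT = GOOD_EVENT.replace(TAB, " ")

# {p} is replaced with the (escaped) property name.
OLD_PATTERN = r"{p}=([^=]*)(?:\s[^=]+=)"   # pattern the documentation says to replace
DOCUMENTED_PATTERN = r"{p}=\[(.*)\]"       # replacement given in the documentation
NONGREEDY_PATTERN = r"{p}=\[(.*?)\]"       # my tightening: stops at the first ']'


def leef_attributes(event: str) -> dict:
    """Split a LEEF event: five header fields, then tab-separated key=value pairs.
    Space-separated attributes are not split and end up as one oversized value."""
    parts = event.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    attrs = {}
    for field in parts[5].split(TAB):
        key, _, value = field.partition("=")
        attrs[key] = value
    return attrs


def extract(event: str, prop: str, template: str):
    """Apply a custom-property pattern for `prop`; return capture group 1 or None."""
    match = re.search(template.format(p=re.escape(prop)), event)
    return match.group(1) if match else None


def compare_patterns(event: str, prop: str) -> dict:
    """What each of the three patterns extracts for one property."""
    return {
        "old": extract(event, prop, OLD_PATTERN),
        "documented": extract(event, prop, DOCUMENTED_PATTERN),
        "nongreedy": extract(event, prop, NONGREEDY_PATTERN),
    }


if __name__ == "__main__":
    print("tab-separated fields:  ", list(leef_attributes(GOOD_EVENT)))
    print("space-separated fields:", list(leef_attributes(SPACE_EVENT)))
    for prop in ("category", "url", "src"):
        print(prop, compare_patterns(GOOD_EVENT, prop))
```

On the constructed event the old pattern keeps the square brackets for category, fails entirely for url (the value contains = and no whitespace precedes it) and fails for the last field src; the documented pattern is correct for src and over-captures for the earlier properties; the non-greedy variant returns the bare value for all three. Paste your own event into the Test Field form as the procedure says, and check the highlighted span before saving.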
RSA NetWitness troubleshooting
This section lists actions that you can undertake and problems that you might encounter while integrating Kaspersky CyberTrace with RSA NetWitness.
If you encounter a problem while using Kaspersky CyberTrace, the specialists at Kaspersky can assist you. Contact your technical account manager (TAM) for more information about solutions to problems.
Checking whether events arrive from RSA NetWitness at Feed Service
There are several ways to check whether RSA NetWitness sends events to Feed Service:
- You can check whether the Feed Service log files contain messages about the arrival of events from RSA NetWitness.
  In this case the Feed Service logging configuration file (bin/kl_feed_service_log.conf) must contain the dbg string in the WriteLog element.
- You can use the netcat utility to send events from the computer on which RSA NetWitness is installed and then check whether the corresponding messages are added to the Feed Service log files.
- You can stop Feed Service and use the netcat utility to listen for events from RSA NetWitness by running the following command:
  nc -l -p [port] -s [IP]
  Here [IP] and [port] are the IP address and port to which RSA NetWitness sends events for Feed Service.
- You can use the tcpdump utility to listen on the port where events from RSA NetWitness must arrive.
  The tcpdump utility listens on port [port] if you run the utility by using the following command:
  tcpdump -neX port [port]
  Note that the tcpdump utility may use a different flag (not -neX) depending on the operating system it runs on.
If no event arrives from RSA NetWitness, check the following:
- Check whether all steps listed in section "Forwarding events from RSA NetWitness" are performed correctly.
- Check whether the events arrive at RSA NetWitness from the source device.
You can check it in the same way as you check whether RSA NetWitness sends events to Feed Service.
- Check that the computer on which Feed Service is installed is accessible from the computer on which RSA NetWitness is installed.
You can check it by using the ping utility.
Checking whether Feed Service matches events against Kaspersky Threat Data Feeds
Use the Feed Service log files to check whether the URL fields, hash fields, and IP address fields of events are matched against Kaspersky Threat Data Feeds. The log files must contain messages like those provided in the following example.
If there are no such messages in the log files, check whether the Feed Service configuration file contains the correct regular expressions. You can also check the used regular expressions by using Kaspersky CyberTrace Web.
Checking whether Feed Service sends events to RSA NetWitness
You can check whether Feed Service sends events to RSA NetWitness in the following ways:
- By consulting Feed Service log files.
Following is an example of messages written to the log when an event is successfully sent to RSA NetWitness.
Following is an example of a message written to the log when an event could not be sent to RSA NetWitness.
2020/05/20 17:09:12.987 DBG 26341 siem Failed to send notification KL_ALERT_FailedToUpdateFeed (error: 0x80000072 (Unknown exception))
- By using the tcpdump utility on the computer that receives events from Feed Service.
  The tcpdump utility listens on the IP address [IP] and port 514 if you run the utility by using the following command:
  tcpdump -neX src [IP] and port 514
  In this command specify the IP address from which Feed Service sends events.
  Note that the tcpdump utility may use a different flag (not -neX) depending on the operating system it runs on.
If Feed Service sends no event, check the following:
- Check that the Feed Service log files contain messages about detecting URLs, hashes, or IP addresses.
If there are no such messages, see the information in subsection "Checking whether Feed Service matches events against Kaspersky Threat Data Feeds". It may also be that the feeds do not contain checked URLs, hashes, and IP addresses.
- Check that the Feed Service configuration file contains the correct destination IP address and port.
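The log-based checks in this subsection and the previous one come down to reading the siem component lines of the Feed Service log and looking for failed sends. The following script is an added example and is not part of the Kaspersky documentation. The line layout it parses (date, time, level, a numeric id, component, message) is taken from the one failure line quoted above; that line is reused as-is in the sample, and the other sample lines are constructed, so their message texts are not real Feed Service wording.

```python
"""Added example, not part of the Kaspersky documentation: parse Feed Service
log lines, count siem-component messages and flag failed sends. Only the
third sample line is a real log line quoted in the text; the rest are
constructed."""
import re

LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+) (?P<id>\d+) (?P<component>\S+) (?P<message>.*)$"
)

# Constructed sample log (line 3 is the failure example quoted in the text).
SAMPLE_LOG = """\
2020/05/20 17:09:10.101 DBG 26341 siem Sending event to 10.10.0.127:514
2020/05/20 17:09:10.102 DBG 26341 siem Event sent
2020/05/20 17:09:12.987 DBG 26341 siem Failed to send notification KL_ALERT_FailedToUpdateFeed (error: 0x80000072 (Unknown exception))
2020/05/20 17:09:13.000 INF 26341 main Feed update finished
"""


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def summarize_siem(log_text: str) -> dict:
    """Count parsed lines, siem-component lines, and collect failed sends."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    siem = [r for r in records if r["component"] == "siem"]
    failures = [f'{r["date"]} {r["time"]} {r["message"]}'
                for r in siem if r["message"].startswith("Failed to send")]
    return {
        "parsed": len(records),
        "siem_messages": len(siem),
        "has_debug": any(r["level"] == "DBG" for r in records),
        "failed_sends": failures,
    }


def diagnose(summary: dict) -> str:
    """Map the summary onto the checks the troubleshooting text recommends."""
    if summary["siem_messages"] == 0 and not summary["has_debug"]:
        return ("no siem messages and no DBG lines: check that the WriteLog element in "
                "kl_feed_service_log.conf contains dbg")
    if summary["siem_messages"] == 0:
        return ("no siem messages although debug logging is on: check the regular "
                "expressions and whether any URL, hash or IP address was detected")
    if summary["failed_sends"]:
        return (f"{len(summary['failed_sends'])} failed send(s): check the destination IP "
                "address and port in the Feed Service configuration file and that the "
                "RSA NetWitness computer is reachable")
    return "events are being sent to RSA NetWitness"


if __name__ == "__main__":
    summary = summarize_siem(SAMPLE_LOG)
    for failure in summary["failed_sends"]:
        print("FAILED:", failure)
    print(diagnose(summary))
```

Point it at the real log file (read the file and pass its text to summarize_siem) on the Feed Service computer; if the real lines do not match LINE_RE, adjust the pattern to the layout you see rather than trusting the constructed one here.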
Problem: RSA NetWitness does not display events from Feed Service
If RSA NetWitness displays no events from Feed Service, check whether the procedure in section "Step 2. Sending events from Feed Service to RSA NetWitness" is performed correctly.
Note that RSA NetWitness may display events from a device with a delay of 10 minutes.
Problem: The configurator displays an error message when the IP address and port of Log Decoder are specified in the OutputSettings > ConnectionString setting.
An error message like the following can be displayed:
Can't connect using the specified string. Press [Enter] to specify another string, or type "ok" to continue with 10.10.0.127:514
Check that the computer on which RSA NetWitness is installed is accessible from the computer on which Feed Service is installed (for example, by using the ping utility).
Problem: Some fields of events from Feed Service are not displayed in the metafields in RSA NetWitness
If some fields of events from Feed Service are not displayed in the metafields in RSA NetWitness, do the following:
- Check whether the metafields mentioned in the v20_cybertracemsg.xml configuration file have their flags parameter set to None in the /etc/netwitness/ng/envision/etc/table-map-custom.xml configuration file. If these fields are absent from table-map-custom.xml, add them as follows:
  <mapping envisionName="url" nwName="url" flags="None" format="Text" envisionDisplayName="URL"/>
- Check whether all the fields described in section "Forwarding events from Feed Service to RSA NetWitness" are contained in the following configuration files:
- index-logdecoder-custom.xml (if you do not use Concentrator)
- index-concentrator-custom.xml
You can browse the contents of these files by selecting Administration > Services. Then select Concentrator (or Log Decoder), click the Settings split button, and select View > Config > Files. A drop-down list is displayed that contains all these files.
After you have edited the files, restart Log Decoder or Concentrator so that the new settings will be in place.
Update only the configuration file of Concentrator (index-concentrator-custom.xml) if both Log Decoder and Concentrator are used, Concentrator receives data from Log Decoder, and Log Decoder receives events from Feed Service. Also, you can leave the configuration file of Log Decoder (index-logdecoder-custom.xml) unchanged if you do not use Log Decoder as the source of data in which you search for events or if you do not use Log Decoder to create reports or dashboards.
If the configuration files do not contain necessary fields, add these fields as described at https://community.rsa.com/docs/DOC-41760. For example, the index-concentrator-custom.xml file must contain the following lines:
<key description="virusName" format="Text" level="IndexValues" name="virusname" defaultAction="Open" />
<key description="user.src" format="Text" level="IndexValues" name="user.src" defaultAction="Open" />
<key description="ip.src" format="IPv4" level="IndexValues" name="ip.src" defaultAction="Open"/>
<key description="action" format="Text" level="IndexValues" name="action" defaultAction="Open" />
<key description="msg" format="Text" level="IndexKeys" name="msg" defaultAction="Open" />
<key description="event.source" format="Text" level="IndexValues" name="event.source" defaultAction="Open" />
<key description="device.ip" format="IPv4" level="IndexValues" name="ip.dst" defaultAction="Open"/>
<key description="ip.dst" format="IPv4" level="IndexValues" name="ip.dst" defaultAction="Open"/>
<key description="url" format="Text" level="IndexValues" name="url" defaultAction="Open"/>
<key description="checksum" format="Text" level="IndexValues" name="checksum" defaultAction="Open"/>
Make sure that the values of the name and format fields in the configuration files are equal to the values of the nwName and format fields, respectively, in the table-map-custom.xml file.
Problem: After the Kaspersky CyberTrace dashboard is imported, no data is displayed
A dashlet displays an error message instead.
To fix this error, reconfigure the dashlet as follows:
- In the top right area of the dashlet, click the Settings button.
  The Options window opens.
- Click Browse.
  The Select Chart window opens.
- Select the chart to be used in the dashlet.
- Click Apply.
Problem: Feed Utility displays the "peer certificate cannot be authenticated with given CA certificates" error message
The certificate cannot be authenticated. Make sure that root certificates are installed on your system. If root certificates are not installed, install them using a standard procedure for installing root certificates on your operating system.