Watchdog module workflow

This section describes the watchdog module workflow.

How watchdog mode works (Linux)

Kaspersky CyberTrace can run in watchdog mode. In this case, a separate module monitors the service and re-launches it when it freezes or crashes. It works as follows:

  1. Every two minutes, the watchdog module sends a message to Feed Service.
  2. If Feed Service receives this message, it sends a response back over the same TCP connection.
  3. If the watchdog module has not received the response, it performs the following steps:
    1. The watchdog module sends a notification (a KL_ALERT_ServiceUnavailable event) to the event target software that Feed Service is unavailable.
    2. If logging is turned on, the watchdog module writes information about the Feed Service unavailability to the watchdog module log (a separate log).
    3. The watchdog module starts Feed Service.
    4. If logging is turned on, the watchdog module writes information about the restart of Feed Service to the watchdog module log.
    5. Feed Service sends a notification (a KL_ALERT_ServiceStarted event) to the event target software that Feed Service started.

You can run Feed Service in watchdog mode from the command line or by means of the script.

How watchdog mode works (Windows)

When you run Feed Service in watchdog mode, make sure that one scanner (the ServiceSettings > ScannersCount parameter in the configuration file) is reserved for the watchdog module.

Kaspersky CyberTrace runs in watchdog mode: the watchdog service monitors Feed Service and re-launches it when it freezes or crashes. It works as follows:

  1. Every four minutes, the watchdog service sends a message to Feed Service.
  2. If Feed Service receives this message, it sends a response back over the same TCP connection.
  3. If the watchdog service has not received the response, the following steps are performed:
    1. The watchdog service sends a notification (a KL_ALERT_ServiceUnavailable event) to the event target software that Feed Service is unavailable.
    2. If logging is turned on, the watchdog service writes information about Feed Service unavailability to the watchdog service log (a separate log).
    3. The watchdog service starts Feed Service.
    4. If logging is turned on, the watchdog service writes information about the Feed Service restart to the watchdog service log.
    5. Feed Service sends a notification (a KL_ALERT_ServiceStarted event) to the event target software that Feed Service has started.

The watchdog service binary file kl_watchdog_service.exe is launched from the command line. The binary file uses the flags described in the following table.

Flags for kl_watchdog_service.exe

  --reg            Adds the watchdog service to the list of Windows services.

  --del            Removes the watchdog service from the list of Windows services.

  --svc            Starts the watchdog service as a Windows service.
                   Note that only Service Control Manager can run kl_watchdog_service.exe with this flag. If a user tries to run kl_watchdog_service.exe with this flag, an error occurs.

  --help (or -h)   Prints information about the flags that can be used with kl_watchdog_service.exe.

If no flag is specified, the kl_watchdog_service.exe program prints the list of available flags to the screen.

Restarting Feed Service by the watchdog module

Feed Service can be launched in watchdog mode. In this case, the watchdog module monitors Feed Service to make sure that it keeps running. When the watchdog module detects that the service has crashed or frozen, it notifies the SIEM solution and restarts the service. Feed Service starts working and notifies the SIEM solution. Therefore, you can look in the SIEM solution log to learn the period during which Feed Service was not active.
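The last sentence above is the practical use of the two watchdog events. As an added example (not part of the Kaspersky CyberTrace documentation or product code), the following script pairs each KL_ALERT_ServiceUnavailable event with the next KL_ALERT_ServiceStarted event in a SIEM log export and reports the outage windows; the log line layout and the sample lines are constructed assumptions, only the event names come from the workflow described here.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample of SIEM log lines (assumed layout, not real
# CyberTrace output); only the event names are taken from the workflow.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z cybertrace event=KL_ALERT_ServiceStarted
2024-03-01T12:04:00Z cybertrace event=KL_ALERT_ServiceUnavailable
2024-03-01T12:04:07Z cybertrace event=KL_ALERT_ServiceStarted
2024-03-01T15:30:00Z cybertrace event=KL_ALERT_ServiceUnavailable
2024-03-01T15:34:00Z cybertrace event=KL_ALERT_ServiceUnavailable
2024-03-01T15:34:05Z cybertrace event=KL_ALERT_ServiceStarted
2024-03-01T18:00:00Z cybertrace event=KL_ALERT_ServiceUnavailable
"""

LINE_RE = re.compile(r"^(\S+)\s+\S+\s+event=(KL_ALERT_\w+)")

def parse_events(text: str) -> List[Tuple[datetime, str]]:
    """Return (timestamp, event_name) pairs for KL_ALERT_* events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2)))
    return events

def outages(text: str) -> List[Tuple[datetime, Optional[datetime], Optional[float]]]:
    """Pair each ServiceUnavailable with the next ServiceStarted.

    Repeated Unavailable events with no Started in between (the restart
    did not succeed and the watchdog fired again on its next probe)
    extend the same outage. An outage with no Started yet is returned
    with end=None and duration=None, i.e. the service is still down.
    """
    result = []
    down_since = None
    for ts, name in parse_events(text):
        if name == "KL_ALERT_ServiceUnavailable":
            if down_since is None:
                down_since = ts
        elif name == "KL_ALERT_ServiceStarted" and down_since is not None:
            result.append((down_since, ts, (ts - down_since).total_seconds()))
            down_since = None
    if down_since is not None:
        result.append((down_since, None, None))
    return result
```

Because the watchdog only probes every two minutes (Linux) or four minutes (Windows), the Unavailable timestamp is the detection time, so the real outage may have begun up to one probe interval earlier.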

Figure: Restarting Feed Service using the watchdog module