Watchdog module workflow

This section describes the watchdog module workflow.

How watchdog mode works (Linux)

Kaspersky CyberTrace can run in watchdog mode. In this case, a separate module monitors the service and re-launches it when it freezes or crashes. It works as follows:

  1. Every two minutes, the watchdog module sends a message to Kaspersky CyberTrace Service.
  2. If this message is received, a response is sent back in the same TCP connection.
  3. If the watchdog module has not received the response, it performs the following steps:
    1. The watchdog module sends a notification (a KL_ALERT_ServiceUnavailable event) to the event target software that Kaspersky CyberTrace Service is unavailable.
    2. If logging is turned on, the watchdog module writes information about the Kaspersky CyberTrace Service unavailability to the watchdog module log (a separate log).
    3. The watchdog module starts Kaspersky CyberTrace Service.
    4. If logging is turned on, the watchdog module writes information about the restart of Kaspersky CyberTrace Service to the watchdog module log.
    5. Kaspersky CyberTrace Service sends a notification (a KL_ALERT_ServiceStarted event) to the event target software that Kaspersky CyberTrace Service started.

You can run Kaspersky CyberTrace Service in watchdog mode from the command line or by using the script.

How watchdog mode works (Windows)

Kaspersky CyberTrace runs in watchdog mode: the watchdog service monitors Kaspersky CyberTrace Service and re-launches it when it freezes or crashes. It works as follows:

  1. Every four minutes, the watchdog service sends a message to Kaspersky CyberTrace Service.
  2. If this message is received, a response is sent back in the same TCP connection.
  3. If the watchdog service has not received the response, the following steps are performed:
    1. The watchdog service sends a notification (a KL_ALERT_ServiceUnavailable event) to the event target software that Kaspersky CyberTrace Service is unavailable.
    2. If logging is turned on, the watchdog service writes information about Kaspersky CyberTrace Service unavailability to the watchdog service log (a separate log).
    3. The watchdog service starts Kaspersky CyberTrace Service.
    4. If logging is turned on, the watchdog service writes information about the Kaspersky CyberTrace Service restart to the watchdog service log.
    5. Kaspersky CyberTrace Service sends a notification (a KL_ALERT_ServiceStarted event) to the event target software that Kaspersky CyberTrace Service has started.

When you run Kaspersky CyberTrace Service in watchdog mode, make sure that one scanner (the ServiceSettings > ScannersCount element in the configuration file) is reserved for the watchdog module.

The watchdog service binary file kl_watchdog_service.exe is launched from the command line. The binary file uses the flags described in the following table.

Flags for kl_watchdog_service.exe

Flag              Description

--reg             Adds the watchdog service to the list of Windows services.

--del             Removes the watchdog service from the list of Windows services.

--svc             Starts the watchdog service as a Windows service. Note that only Service Control Manager can run kl_watchdog_service.exe with this flag. If the user tries to run kl_watchdog_service.exe with this flag, an error occurs.

--help (or -h)    Prints information about flags that can be used with kl_watchdog_service.exe.

If no flag is specified, the kl_watchdog_service.exe program prints the list of available flags to the screen.

Restarting Kaspersky CyberTrace Service by the watchdog module

Kaspersky CyberTrace Service can be launched in watchdog mode. In this case, the watchdog module monitors Kaspersky CyberTrace Service to make sure that it keeps running. When the watchdog module detects that the service has crashed or frozen, it notifies the SIEM solution and restarts the service. Kaspersky CyberTrace Service starts working and notifies the SIEM solution. Therefore, you can look in the SIEM solution log to learn the period during which Kaspersky CyberTrace Service was not active.

Restarting Kaspersky CyberTrace Service using the watchdog module
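
The following added example (not part of the Kaspersky CyberTrace documentation or product code) shows one way to derive the inactivity periods described above by pairing each KL_ALERT_ServiceUnavailable event with the next KL_ALERT_ServiceStarted event. The log layout (ISO timestamp first), the host name, and the function name downtime_windows are assumptions; only the two event names and the two-minute and four-minute check intervals come from this page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines. The timestamp-first layout is an assumption;
# only the two event names are taken from the documentation.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ct-host event=KL_ALERT_ServiceStarted
2024-05-01T10:02:00 ct-host event=KL_ALERT_ServiceUnavailable
2024-05-01T10:02:07 ct-host event=KL_ALERT_ServiceStarted
2024-05-01T13:10:00 ct-host event=KL_ALERT_ServiceUnavailable
2024-05-01T13:12:00 ct-host event=KL_ALERT_ServiceUnavailable
2024-05-01T13:12:05 ct-host event=KL_ALERT_ServiceStarted
2024-05-01T18:30:00 ct-host event=KL_ALERT_ServiceUnavailable
"""

EVENT_RE = re.compile(r"^(\S+)\s.*\b(KL_ALERT_Service(?:Unavailable|Started))\b")

def downtime_windows(log_text, poll_interval=timedelta(minutes=2)):
    """Return (earliest_start, detected, restored, gap) for each outage.

    poll_interval is the watchdog check period (2 min on Linux, 4 min on
    Windows). The service may have failed up to one interval before the
    alert, so earliest_start = detected - poll_interval (response timeout
    ignored). restored and gap are None if no ServiceStarted followed.
    """
    windows, detected = [], None
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # unrelated SIEM event
        ts = datetime.fromisoformat(m.group(1))
        if m.group(2).endswith("Unavailable"):
            if detected is None:  # repeated alerts belong to the same outage
                detected = ts
        elif detected is not None:  # a start with no pending alert is a normal launch
            windows.append((detected - poll_interval, detected, ts, ts - detected))
            detected = None
    if detected is not None:  # alert with no recovery: service is still down
        windows.append((detected - poll_interval, detected, None, None))
    return windows

if __name__ == "__main__":
    for w in downtime_windows(SAMPLE_LOG):
        print(*w, sep=" | ")
```

An outage whose restored value is None means the restart never produced a KL_ALERT_ServiceStarted event and should be investigated on the host.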
