Configuration file (Log Scanner)

The Log Scanner configuration file is an XML file that contains parameters described in the table below. If this file is not present in the directory or some parameters are not present in the file, the default values are used for the missing parameters.

Configuration file parameters

Parameter

Description

Verbose

Affects the Log Scanner output to the console. If the value contained in the Verbose element is "False" or "0", or the element is omitted, little information is printed to the console. Otherwise, detailed information is printed.

ThreadsCount

Maximum number of threads that Log Scanner can use when processing input data.

By default, up to 8 threads are used.

OutputDir

Directory that will contain the output file. It can be either an absolute or a relative path. A relative path is calculated relative to the directory that contains the Log Scanner binary file.

If the OutputDir parameter is not set, the output file is stored in the directory where the Log Scanner binary file resides.

Pattern

The utility sends requests to Kaspersky CyberTrace Service in the format specified in the Pattern element. The following parameters can be used:

  • %IP%—The value to be checked if the utility is called with the -i (--ip) parameter.
  • %MD5%—The value to be checked if the utility is called with the -s (--hash) parameter and the value is an MD5 hash.
  • %SHA1%—The value to be checked if the utility is called with the -s (--hash) parameter and the value is an SHA1 hash.
  • %SHA256%—The value to be checked if the utility is called with the -s (--hash) parameter and the value is an SHA256 hash.
  • %URL%—The value to be checked if the utility is called with the -u (--url) parameter.

    By default, the following value is used:

ip=%IP% md5=%MD5% sha1=%SHA1% sha256=%SHA256% url=%URL%

Connection

Specifies the IP address and port (or the Windows-named pipe, or UNIX socket) to which Log Scanner will send the received data.

  • If you use one of non-supported SIEM systems, the Connection parameter should specify how to connect to that solution.
  • If you do not use a SIEM system, the Connection parameter should specify how to connect to Kaspersky CyberTrace Service.

    The value depends on the way in which Log Scanner interacts with a SIEM system or Kaspersky CyberTrace Service.

  • If they interact using TCP/IP, specify in the Connection element the IP address and port on which Kaspersky CyberTrace Service receives events.
  • If they interact through a Windows-named pipe, specify in the Connection element the named pipe on which Kaspersky CyberTrace Service receives events. The pipe name must be specified in format \\.\pipe\<pipe_name>.
  • If they interact through a UNIX socket, specify in the Connection element the socket on which Kaspersky CyberTrace Service receives events.

By default, the data is sent to 127.0.0.1:9999.

SocketTimeout

Number of seconds that Log Scanner waits for the socket or pipe specified in the Connection parameter to resume sending data.

If the value of this parameter is 0, Log Scanner waits indefinitely.

The maximum value of this parameter that you can set is 1000.

By default, the timeout is 15 seconds.

Configuration file example

<Settings>

<Verbose>0</Verbose>

<ThreadsCount>8</ThreadsCount>

<OutputDir>../log_scanner_reports</OutputDir>

<Pattern>ip=%IP% md5=%MD5% sha1=%SHA1% sha256=%SHA256% url=%URL%</Pattern>

<Connection>127.0.0.1:9999</Connection>

<SocketTimeout>15</SocketTimeout>

</Settings>

Page top