Kaspersky CyberTrace Help
Balancer logging
Balancer uses the logging parameters specified in kl_balancer_log.conf.
When deploying Balancer to a computer without Kaspersky CyberTrace, copy kl_balancer_log.conf from the bin directory to the same directory as the Balancer binary file.
Log file name format
Balancer writes messages to files named "kl_balancer-<pid>-<date_time>.log".
Log file contents
If the err logging level is used, Balancer writes the following information to the log:
- Errors that occurred during Balancer initialization.
- Errors that occurred while establishing connections with Kaspersky CyberTrace instances.
- Errors that occurred while establishing a connection with a REST API client.
- Errors that occurred while receiving the results of event matching.
- Service alerts from Kaspersky CyberTrace.
If the inf logging level is used, Balancer writes the following information to the log:
- Balancer version, OS version, and PID of the Balancer process.
- Information that is written at the err logging level.
- Establishing or closing connections with Kaspersky CyberTrace instances.
- Establishing or closing a connection with a REST API client.
- Receiving and sending requests and responses to and from Kaspersky CyberTrace instances.
- Receiving and sending requests and responses to and from a REST API client.
- Switching Balancer to ReplyBack mode.
- Switching Balancer to operation within the EPS limit.
- Switching Balancer to operation without the EPS limit.
- Average EPS per hour.
- Changes in the Kaspersky CyberTrace licensing level.
If the dbg logging level is used, Balancer writes the following information to the log:
- Information that is written at the inf logging level.
- The values of the Balancer configuration file parameters. This information is logged on Balancer initialization.
- Incoming events processed by Balancer.
If there is no kl_balancer_log.conf file in the directory of the Balancer binary file, Balancer does not write logs.
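An added check, not part of the Kaspersky documentation, that an operator can run against a Balancer deployment directory: it confirms that kl_balancer_log.conf is present beside the binary (without it Balancer writes no logs, so a monitoring gap goes unnoticed) and parses the documented "kl_balancer-<pid>-<date_time>.log" file names into PID and timestamp. The <date_time> format, the sample file names and the temporary directories it inspects are assumptions constructed for the example.

```python
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# Names the page documents: the logging config file and the per-process
# log files "kl_balancer-<pid>-<date_time>.log".
BALANCER_LOG_CONF = "kl_balancer_log.conf"
# The page gives no format for <date_time>, so it is captured as an opaque string.
LOG_NAME_RE = re.compile(r"^kl_balancer-(?P<pid>\d+)-(?P<date_time>[^/\\]+)\.log$")


def parse_balancer_log_name(name: str) -> Optional[Tuple[int, str]]:
    """Return (pid, date_time) for a Balancer log file name, else None."""
    m = LOG_NAME_RE.match(name)
    return (int(m.group("pid")), m.group("date_time")) if m else None


def balancer_log_status(balancer_dir: str) -> Dict[str, object]:
    """Report whether logging is configured in a Balancer directory and list its logs.

    logging_enabled is False when kl_balancer_log.conf is missing next to the
    binary: that is the case in which Balancer writes no logs at all.
    """
    conf_present = os.path.isfile(os.path.join(balancer_dir, BALANCER_LOG_CONF))
    logs = []
    for entry in sorted(os.listdir(balancer_dir)):
        parsed = parse_balancer_log_name(entry)
        if parsed:
            logs.append({"file": entry, "pid": parsed[0], "date_time": parsed[1]})
    return {"logging_enabled": conf_present, "logs": logs}


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Check two constructed deployment directories: one with the config, one without."""
    with tempfile.TemporaryDirectory() as root:
        with_conf = os.path.join(root, "with_conf")
        without_conf = os.path.join(root, "without_conf")
        for d in (with_conf, without_conf):
            os.makedirs(d)
            # Constructed sample files; the date_time value is illustrative only.
            open(os.path.join(d, "kl_balancer-4242-20240101_120000.log"), "w").close()
            open(os.path.join(d, "kl_balancer"), "w").close()  # stand-in for the binary
        open(os.path.join(with_conf, BALANCER_LOG_CONF), "w").close()
        return balancer_log_status(with_conf), balancer_log_status(without_conf)


if __name__ == "__main__":
    print(demo())
```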