Connectors are used for establishing connections between KUMA services and receiving events actively and passively.
The program has the following connector types available:
tcp—used to receive data over TCP passively. Available for Windows and Linux agents.
udp—used to receive data over UDP passively. Available for Windows and Linux agents.
netflow—used to passively receive events in the NetFlow format.
sflow—used to passively receive events in the sFlow format. For sFlow, only structures described in sFlow version 5 are supported.
nats-jetstream—used for communication with the NATS message broker. Available for Windows and Linux agents.
kafka—used for communication with the Apache Kafka data bus. Available for Windows and Linux agents.
http—used for receiving events over HTTP. Available for Windows and Linux agents.
sql—used for selecting data from a database.
The program supports the following types of SQL databases:
SQLite.
MSSQL.
MySQL.
PostgreSQL.
Cockroach.
Oracle.
Firebird.
file—used to retrieve data from a text file. Available for Linux agents.
1c-log and 1c-xml are used to receive data from 1C logs. Available for Linux agents.
diode—used for unidirectional data transfer in industrial control system (ICS) networks using data diodes.
ftp—used to receive data over the File Transfer Protocol. Available for Windows and Linux agents.
nfs—used to receive data over the Network File System protocol. Available for Windows and Linux agents.
wmi—used to obtain data using Windows Management Instrumentation. Available for Windows agents.
wec—used to receive data using Windows Event Forwarding (WEF) and Windows Event Collector (WEC), or local operating system logs of a Windows host. Available for Windows agents.
snmp—used to receive data using the Simple Network Management Protocol. Available for Windows and Linux agents.
snmp-trap—used to receive data using Simple Network Management Protocol traps (SNMP traps). Available for Windows and Linux agents.
'kata/edr' is used to receive KEDR data via the API.
'vmware' is used to receive VMware vCenter data via the API.
'elastic' is used to receive Elasticsearch data.
'etw' is used to receive extended DNS server logs.
Some connector types (such as tcp, sql, wmi, wec, and etw) support TLS encryption. KUMA supports TLS 1.2 and 1.3. When TLS mode is enabled for these connectors, the connection is established according to the following algorithm:
If KUMA is being used as a client:
KUMA sends a connection request to the server with a ClientHello message specifying the maximum supported TLS version (1.3), as well as a list of supported ciphersuites.
The server responds with the preferred TLS version and a ciphersuite.
Depending on the TLS version in the server response:
If the server responds to the request with TLS 1.3 or 1.2, KUMA establishes a connection with the server.
If the server responds to the request with TLS 1.1, KUMA terminates the connection with the server.
If KUMA is being used as a server:
The client sends a connection request to KUMA with the maximum supported TLS version, as well as a list of supported ciphersuites.
Depending on the TLS version in the client request:
If the ClientHello message of the client request specifies TLS 1.1, KUMA terminates the connection.
If the client request specifies TLS 1.2 or 1.3, KUMA responds to the request with the preferred TLS version and a ciphersuite.
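The server-side rule above can be checked against a raw ClientHello taken from a packet capture when a log source fails to connect to a TLS-enabled connector. The following is an added example, not KUMA code: it parses the ClientHello, finds the highest TLS version the client offers, and reports whether the rule would respond or terminate. The function names are hypothetical, the sample messages are constructed rather than captured, and treating versions below TLS 1.1 and unparsable records as "terminate" is an assumption.

```python
import struct

KNOWN = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def max_offered_version(record: bytes) -> int:
    """Highest TLS version offered in a raw ClientHello record."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:5 + struct.unpack("!H", record[3:5])[0]]
    best = struct.unpack("!H", body[:2])[0]                # legacy_version
    pos = 2 + 32                                           # skip random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    pos += 2                                               # extensions length field
    while pos + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0x002B and data:                    # supported_versions
            lst = data[1:1 + data[0]]
            offered = [int.from_bytes(lst[i:i + 2], "big") for i in range(0, len(lst) - 1, 2)]
            known = [v for v in offered if v in KNOWN]     # drops GREASE placeholders
            best = max(known, default=best)                # extension overrides legacy_version
        pos += 4 + ext_len
    return best

def server_side_decision(record: bytes) -> str:
    """Server-side rule from the text: TLS 1.2/1.3 gets a response, lower is terminated."""
    try:
        version = max_offered_version(record)
    except (ValueError, IndexError, struct.error):
        return "terminate: unparsable ClientHello"         # assumption, not stated in the text
    verdict = "respond" if version >= 0x0303 else "terminate"
    return f"{verdict}: client offers up to {KNOWN.get(version, hex(version))}"

def build_client_hello(legacy: int, supported=()) -> bytes:
    """Constructed sample ClientHello for the checks (not captured traffic)."""
    ext = b""
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        data = bytes([len(lst)]) + lst
        ext = struct.pack("!HH", 0x002B, len(data)) + data
    body = (struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A TLS 1.3 client sets legacy_version to 0x0303 and lists its real versions in the supported_versions extension, which is why the parser reads the extension rather than relying on the legacy field alone.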