etw type

Settings for a connector of the etw type are described in the following tables.

Basic settings tab

Setting

Description

Name

Unique name of the resource. Maximum length of the name: 128 Unicode characters.

Required setting.

Tenant

The name of the tenant that owns the resource.

Required setting.

Type

Connector type. You need to select etw.

Required setting.

URL

URL of the DNS server.

Required setting.

Session name

Session name that corresponds to the ETW provider: Microsoft-Windows-DNSServer {EB79061A-A566-4698-9119-3ED2807060E7}.

If in a connector of the etw type, the session name is specified incorrectly, the wrong provider is specified in the session, or an incorrect method is specified for sending events (to send events correctly, on the Windows Server side, you must specify "Real time" or "File and Real time" mode), events will not arrive from the agent, an error will be recorded in the agent log on Windows, and the status of the agent will be green. At the same time, no attempt will be made to get events every 60 seconds. If you modify session settings on the Windows side, you must restart the etw agent and/or the session for the changes to take effect.

For details about specifying session settings on the Windows side to receive DNS server events, see the Configuring receipt of DNS server events using the ETW agent section.

Required setting.

Extract event information

Extraction of the minimum set of event information that can be obtained without having to download third-party metadata from the disk. This method helps conserve CPU resources on the computer with the agent. By default, the toggle switch is enabled and all event data is extracted.

Extract event properties

Extraction of event properties. If this toggle switch is disabled, event properties are not extracted, which helps save CPU resources on the machine with the agent. By default, the toggle switch is enabled and event properties are extracted. You can use the Extract event properties switch only if the Extract event information toggle switch is enabled.

Description

Description of the resource. Maximum length of the description: 4000 Unicode characters.

Advanced settings tab

Setting

Description

Debug

Resource logging. The toggle switch is turned off by default.

Character encoding

Character encoding. The default value is UTF-8.

TLS mode

TLS encryption mode using certificates in pem x509 format. Available values:

  • Disabled means TLS encryption is not used. The default value.
  • Enabled means TLS encryption is used, but certificates are not verified.
  • With verification means TLS encryption is used with verification of the certificate signed with the KUMA root certificate. The root certificate and key of KUMA are created automatically during application installation and are stored on the KUMA Core server in the folder /opt/kaspersky/kuma/core/certificates/.

When using TLS encryption, you cannot specify an IP address as the URL.

Compression

Using Snappy compression. Available values:

  • Disabled. The default value.
  • Use Snappy.

If you edit a connector of this type, the TLS mode and Compression settings are visible and available on the connector resource as well as the collector. If you are using a connector of this type on a collector, the values of TLS mode and Compression settings are sent to the destination of automatically created agents.

Page top