Troubleshooting issues with the Kaspersky Unified Monitoring and Analysis Platform agent
Applications and versions that this article concerns:
- Kaspersky Unified Monitoring and Analysis Platform 3.0.3
- Kaspersky Unified Monitoring and Analysis Platform 3.0.2
When working with the Kaspersky Unified Monitoring and Analysis Platform (KUMA) agent, you may encounter issues with connecting to servers, viewing logs and receiving events. In most cases, you can fix these issues on your own.
Error “The RPC server is unavailable”
Issue
You cannot connect to the servers. The "The RPC server is unavailable" error appears in the WMI agent log.
Cause
The service on the destination server is unavailable or is not working properly. The log file will tell you exactly which server failed to connect.
In most cases, the issue is related to the firewall on the server or to filtering at the network level.
Solution
For WMI to work properly, the following ports must be open from the agent to the servers:
- 135 / TCP
- 445 / TCP
- 49152-65535 / TCP
To open the required ports via the interface:
- Press Win+R to open the Run window on the event source server.
- Type wf.msc and click OK.
  The Windows Defender Firewall with Advanced Security window opens.
- Go to Inbound Rules and select New Rule in the Actions section.
  The New Inbound Rule Wizard opens.
- Enter the following values:
  - Rule Type: Port
  - Protocol and Ports: TCP
  - Specific local ports: 135, 445, 49152-65535
  - Action: Allow the connection (selected by default)
  - Profile: clear the Private and Public check boxes.
  - Name: specify a rule name for the new inbound connection.
- Click Finish.
To open ports without using the interface, open the command line as an administrator and run the command:
The connection between the agent and the servers will be restored.
Error “Access is denied”
Issue
You cannot connect to event logs. The log file of the event collection agent shows the "Access is denied" error and lists the event logs that could not be accessed.
Cause
The account under which the service is running on Windows does not have the required permissions.
Solution
Check that the account has permissions for the required event logs. Open PowerShell as an administrator and run the command:
The script lists the access rights to the specified event log, taken from its SDDL (Security Descriptor Definition Language) string.
If the account does not have permission to access the event log, grant it.
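One way to perform such a check, as an added example that is not the script from the original article: it decodes the access control entries of an event log channel from its SDDL string and shows which accounts hold the Read, Write and Clear rights. The function name Get-EventLogAccess is hypothetical, the sample SDDL string is constructed, and the Security channel is used only as an illustration.

```powershell
# Added example: decode the DACL of an event log channel from its SDDL string.
# Get-EventLogAccess is a hypothetical helper name, not part of KUMA or Windows.
function Get-EventLogAccess {
    param(
        [Parameter(Mandatory)] [string] $Sddl   # SDDL string of the channel
    )
    # Event log access rights carried in the low bits of the ACE access mask
    $rights = [ordered]@{ Read = 0x1; Write = 0x2; Clear = 0x4 }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    if ($null -eq $sd.DiscretionaryAcl) {
        Write-Warning 'The descriptor has no DACL.'
        return
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Skip ACE kinds that carry no SID and access mask
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $sid = $ace.SecurityIdentifier
        # Resolve the SID to an account name; keep the raw SID if it cannot be mapped
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        $granted = foreach ($r in $rights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }
        [pscustomobject]@{
            Account = $name
            Sid     = $sid.Value
            AceType = $ace.AceType      # AccessAllowed or AccessDenied
            Mask    = '0x{0:x}' -f $ace.AccessMask
            Rights  = $granted -join ', '
        }
    }
}

# Constructed sample SDDL, so the function can be tried without reading a live log
$sample = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
Get-EventLogAccess -Sddl $sample | Format-Table -AutoSize

# Live check: read the descriptor of a real channel (Security is an illustration)
$log = Get-WinEvent -ListLog 'Security'
Get-EventLogAccess -Sddl $log.SecurityDescriptor | Format-Table -AutoSize
```

The service account is covered by the entries for its own SID and for any group it belongs to, so compare the output against the account's group membership.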
Events are not received via the WMI agent
Issue
KUMA does not receive events via the WMI agent. The WMI agent service and the collector that receives events from the WMI agent are green. There are no errors in the agent and collector error logs.
The logs of the installed KUMA collector are located on the server with the Collector role, in the collector file in the /opt/kaspersky/kuma/collector/<collector id>/log folder.
Cause
In most cases, the problem occurs because no delimiter is selected for the destination on the agent side. The delimiter must match the one selected on the collector that receives events from the WMI agent, and it must have the value \0.
Solution
- Open Edit agent.
- Go to Destinations. Open the Advanced settings tab and set \0 in the Delimiter field.