Kaspersky MLAD uses the Grafana logging system to monitor the state of application services and to track information security events.
Tracking information security events of Kaspersky MLAD in the logging subsystem
The table below shows the types of information security events that are tracked in Kaspersky MLAD.
Types of information security events
| Information security event ID in the logging system | Information security event type |
|---|---|
| | Connecting and attempting to connect users to Kaspersky MLAD |
| | Verifying user rights when performing actions in the Kaspersky MLAD web interface |
| | Terminating a Kaspersky MLAD user connection |
| | Starting, stopping, and restarting Kaspersky MLAD services |
| | Editing user accounts |
| | Changing Kaspersky MLAD settings |
| | Creating, modifying, and deleting models |
| | Importing, creating, modifying, and deleting tags |
| | Deleting information security event logs from the Kaspersky MLAD database when the log storage volume is exceeded or when their storage term expires |
Each entry about an information security event contains the following parameters:
These information security events include entries involving users being granted access to perform a specific action in the web interface, and regarding the successful completion of any user actions.
These information security events include entries involving user actions in the web interface for managing ML models, tags, user accounts and passwords, and entries regarding exceeded thresholds for storage time and volume of information security event logs.
These information security events include entries involving users entering an incorrect login and/or password when connecting to the web interface of the application, and entries regarding unsuccessful attempts to change a password.
These information security events include entries involving attempts to connect to the application web interface using a system account or a blocked account, and entries regarding attempts to perform specific actions in the application without the appropriate access rights.
Tracking the state of Kaspersky MLAD services in the logging subsystem
Kaspersky MLAD services whose states are monitored in the logging subsystem are identified based on the names of their corresponding containers or images in Docker. In most cases, the abbreviated name of the service is used as the name of the image. The container name is formed according to the following template:
<application directory>-<image name>-#,
where # is the number of the Docker container.
By default, Kaspersky MLAD uses the mlad-release-4.0.2-<installation build number> directory.
The Kaspersky MLAD log stores entries about the state of application services only for the last 48 hours.
The table below presents the correspondence between Kaspersky MLAD services and the names of Docker containers and images.
Correspondence between Kaspersky MLAD services and the names of Docker containers and images
| Kaspersky MLAD service | Image name | Container name |
|---|---|---|
| Anomaly Detector | anomaly_detector | mlad-release-4.0.2-<installation build number>-anomaly_detector-1 |
| Time Series Database | influxdb | mlad-release-4.0.2-<installation build number>-influxdb-1 |
| Message Broker | kafka | mlad-release-4.0.2-<installation build number>-kafka-1 |
| Keeper | keeper | mlad-release-4.0.2-<installation build number>-keeper-1 |
| Logger | logger | mlad-release-4.0.2-<installation build number>-logger-1 |
| Database | postgres | mlad-release-4.0.2-<installation build number>-postgres-1 |
| Similar Anomaly | similar_anomaly | mlad-release-4.0.2-<installation build number>-similar_anomaly-1 |
| Event Processor | event-processor | mlad-release-4.0.2-<installation build number>-event-processor-1 |
| Stream Processor | stream-processor | mlad-release-4.0.2-<installation build number>-stream-processor-1 |
| Trainer | trainer | mlad-release-4.0.2-<installation build number>-trainer-1 |
| Web Server | nginx-ui | mlad-release-4.0.2-<installation build number>-nginx-ui-1 |
| API Server | web-server | mlad-release-4.0.2-<installation build number>-web-server-1 |
| Mail Notifier | postman | mlad-release-4.0.2-<installation build number>-postman-1 |
| OPC UA Connector | opcua-connector | mlad-release-4.0.2-<installation build number>-opcua-connector-1 |
| MQTT Connector | mqtt-connector | mlad-release-4.0.2-<installation build number>-mqtt-connector-1 |
| AMQP Connector | amqp-connector | mlad-release-4.0.2-<installation build number>-amqp-connector-1 |
| HTTP Connector | gate | mlad-release-4.0.2-<installation build number>-gate-1 |
| KICS Connector | kics3-connector | mlad-release-4.0.2-<installation build number>-kics3-connector-1 |
| CEF Connector | cef-connector | mlad-release-4.0.2-<installation build number>-cef-connector-1 |
| WebSocket Connector | ws-connector | mlad-release-4.0.2-<installation build number>-ws-connector-1 |
| | webstatic | mlad-release-4.0.2-<installation build number>-webstatic-1 |
| | migrations | mlad-release-4.0.2-<installation build number>-migrations-1 |
The Info logging level is used for the Time Series Database, Message Broker, Logger, Database and Web Server services, and for the webstatic and migrations images. The logging levels for all other Kaspersky MLAD services are defined by the system administrator when configuring the application settings.
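The container naming template and the service table above can be turned into a small check that maps the names reported by `docker ps` back to Kaspersky MLAD services and reports images with no running container (a stopped Logger, for instance, means information security events are no longer being recorded). This is an added example, not Kaspersky's code: the image-to-service mapping is copied from the table, while the sample container names are constructed and the build number 1234 is invented.

```python
"""Resolve Kaspersky MLAD container names to services and spot missing ones.
Added example, not Kaspersky's code; the mapping is the table above, the
sample names are constructed (build number 1234 is invented)."""
import re
from typing import Iterable, NamedTuple, Optional

IMAGE_TO_SERVICE = {  # image name -> service; webstatic/migrations have none
    "anomaly_detector": "Anomaly Detector", "influxdb": "Time Series Database",
    "kafka": "Message Broker", "keeper": "Keeper", "logger": "Logger",
    "postgres": "Database", "similar_anomaly": "Similar Anomaly",
    "event-processor": "Event Processor", "stream-processor": "Stream Processor",
    "trainer": "Trainer", "nginx-ui": "Web Server", "web-server": "API Server",
    "postman": "Mail Notifier", "opcua-connector": "OPC UA Connector",
    "mqtt-connector": "MQTT Connector", "amqp-connector": "AMQP Connector",
    "gate": "HTTP Connector", "kics3-connector": "KICS Connector",
    "cef-connector": "CEF Connector", "ws-connector": "WebSocket Connector",
    "webstatic": None, "migrations": None,
}

# Constructed sample in the shape of `docker ps --format '{{.Names}}'` output.
SAMPLE_PS_OUTPUT = [
    "mlad-release-4.0.2-1234-anomaly_detector-1",
    "mlad-release-4.0.2-1234-event-processor-1",
    "mlad-release-4.0.2-1234-web-server-1",
]

class Container(NamedTuple):
    app_dir: str            # <application directory>
    image: str              # image name from the table
    number: int             # trailing Docker container number (#)
    service: Optional[str]  # None for webstatic/migrations

def parse_container_name(name: str) -> Optional[Container]:
    """Split '<application directory>-<image name>-#'; both halves contain
    '-', so peel off the number and match the longest known image at the end."""
    m = re.fullmatch(r"(.+)-(\d+)", name)
    if not m:
        return None
    stem, number = m.group(1), int(m.group(2))
    for image in sorted(IMAGE_TO_SERVICE, key=len, reverse=True):
        if stem.endswith("-" + image):
            return Container(stem[: -len(image) - 1], image, number,
                             IMAGE_TO_SERVICE[image])
    return None  # trailing number present but no known MLAD image

def missing_images(running_names: Iterable[str]) -> set:
    """Images from the table with no running container; a missing logger
    means information security events are no longer being recorded."""
    seen = {c.image for c in map(parse_container_name, running_names) if c}
    return set(IMAGE_TO_SERVICE) - seen
```

On a real host, feed `missing_images` the lines of `docker ps --format '{{.Names}}'` instead of the constructed sample.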