General troubleshooting
April 11, 2024
ID 171563
This section provides information to help you solve problems that you might encounter when using Kaspersky CyberTrace.
If you have encountered problems while using Kaspersky CyberTrace, ensure that:
- The CyberTrace service is started.
Windows: Use the sc query cybertrace command to check the service status from the command line.
Linux: Use the systemctl status cybertrace.service command to check the service status from the terminal.
- You have enough free disk space and RAM on the CyberTrace server.
- The web page https://wlinfo.kaspersky.com is accessible from the CyberTrace server.
To check accessibility of this web page both for Windows and Linux, use the following command:
curl -v --cert /opt/kaspersky/ktfs/dmz/feeds.pem [--proxy user:password@proxy-server.ru:3128] https://wlinfo.kaspersky.com/api/v1.0/feeds
If the check succeeds, the command returns the list of feeds available for the certificate, for example:
{
"name": "TI Demo Botnet C&C URL Data Feed",
"updates":
{"href": "https://wlinfo.kaspersky.com/api/v1.0/feeds/85/updates"},
"license":
{"expires": "2024-02-19T00:00:00"}
}
If the result contains an error, send the output of this command to Technical Support.
- The event source (SIEM) is available from the CyberTrace server.
- Web UI:
Select the Settings > Service tab. Under Service sends events to, in the IP address text box, enter the IP address of the SIEM, and in the Port text box, enter the port of the SIEM.
- In the kl_feed_service.conf configuration file (check this only if the CyberTrace service cannot run):
Windows: \Kaspersky Lab\Kaspersky CyberTrace\bin\kl_feed_service.conf
Linux: /opt/kaspersky/ktfs/etc/kl_feed_service.conf
The following is an example of settings from the configuration file:
<OutputSettings>
<ConnectionString>127.0.0.1:9998</ConnectionString>
</OutputSettings>
Check the port used by the source to connect to CyberTrace.
Make sure that the embedded firewall service is configured to receive events from the source to CyberTrace on the correct port.
Make sure that the embedded firewall service on the SIEM side is configured to receive detects from CyberTrace on the correct port.
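An added example (not part of the Kaspersky documentation) of the port check described above: it reads the OutputSettings ConnectionString and tests whether that endpoint accepts a TCP connection from the CyberTrace server. It assumes the host:port form shown on this page and a SIEM that listens over TCP; the <Configuration> wrapper element and the function names are hypothetical.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample: the fragment shown on this page, wrapped in a
# hypothetical <Configuration> root so it parses as a whole document.
SAMPLE_CONF = """<Configuration>
  <OutputSettings>
    <ConnectionString>127.0.0.1:9998</ConnectionString>
  </OutputSettings>
</Configuration>"""


def output_endpoint(conf_xml):
    """Return (host, port) from OutputSettings/ConnectionString."""
    root = ET.fromstring(conf_xml)
    # iter() also matches the root, so a bare <OutputSettings> fragment works.
    for settings in root.iter("OutputSettings"):
        value = (settings.findtext("ConnectionString") or "").strip()
        host, sep, port = value.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"not in host:port form: {value!r}")
        if not 0 < int(port) < 65536:
            raise ValueError(f"port out of range: {port}")
        return host, int(port)
    raise ValueError("no <OutputSettings> element found")


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered by a firewall, unroutable, or timed out.
        return False


if __name__ == "__main__":
    host, port = output_endpoint(SAMPLE_CONF)
    state = "reachable" if tcp_reachable(host, port) else "NOT reachable"
    print(f"SIEM endpoint {host}:{port} is {state} over TCP")
```

A False result with a correct address and port points to a firewall rule or a listener that is not running on the SIEM side.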
If the problem is not solved, contact Technical Support, and attach the following:
- Configuration file for CyberTrace Windows:
\Kaspersky Lab\Kaspersky CyberTrace\bin\kl_feed_service.conf
- Configuration file for CyberTrace Linux:
/opt/kaspersky/ktfs/etc/kl_feed_service.conf
There are two ways of getting the configuration file:
- If the web interface is available, select Settings > Service > Export configuration files.
- If the CyberTrace service cannot be started, copy the configuration file from the path listed above for your operating system.
- CyberTrace log files of the debug level
For more information, see Logging settings and Kaspersky CyberTrace Service logging.
Be aware that debug-level log files contain full incoming events, so these events will be sent to Technical Support along with the logs.
- Screenshots describing the problem.
- Results of running the collect.sh script.
Running the collect.sh script creates a report containing all basic diagnostic information from your computer. Before sending the report to Technical Support, remove all confidential information from it.
For information on how to create a report, see https://support.kaspersky.com/15732.