File type

The file type is used to retrieve data from any text file. One string in a file is considered to be one event. Strings delimiter: \n. This type of connector is available for Linux agents and for Windows agents.

To read Windows files, you need to create a connector of the 'file' type and manually install the agent on Windows. In one Windows Agent, you can configure multiple connections of different types, but there must be only one of the 'file' type. The Windows agent must not read its files in the folder where the agent is installed. The connector will work even with a FAT file system; if the disk is defragmented, the connector re-reads all files from scratch because all inodes of files are reset.

We do not recommend running the agent under an administrator account; read permissions for folders/files must be configured for the user account of the agent. We do not recommend installing the agent on important systems; it is preferable to send the logs and read them on dedicated hosts with the agent.

When creating this type of connector, you need to define values for the following settings:

• Basic settings tab:
  • Name (required)—a unique name for this type of resource. Must contain 1 to 128 Unicode characters.
  • Tenant (required)—name of the tenant that owns the resource.
  • Type (required)—connector type, file.
  • File path (required)—full path to the file that you need to interact with. For example, /var/log/*som?[1-9].log or с:\folder\logs.*. The following paths are not allowed:
    • `(?i)^[a-zA-Z]:\\Program Files`
    • `(?i)^[a-zA-Z]:\\Program Files \(x86\)`
    • `(?i)^[a-zA-Z]:\\Windows`
    • `(?i)^[a-zA-Z]:\\ProgramData\\Kaspersky Lab\\KUMA`

    File and folder mask templates

    Masks:

    • '*'—matches any sequence of characters.
    • '[' [ '^' ] { range of characters } ']'—class of characters (should not be left blank).
    • '?'—matches any single character.

    Ranges of characters:

    • [0-9]—digits;
    • [a-zA-Z]—Latin alphabet characters.

    Examples:

    • /var/log/*som?[1-9].log
    • /mnt/dns_logs/*/dns.log
    • /mnt/proxy/access*.log

    Limitations when using prefixes in file paths

    Prefixes that cannot be used when specifying paths to files:

    • /*
    • /bin
    • /boot
    • /dev
    • /etc
    • /home
    • /lib
    • /lib64
    • /proc
    • /root
    • /run
    • /sys
    • /tmp
    • /usr/*
    • /usr/bin/
    • /usr/local/*
    • /usr/local/sbin/
    • /usr/local/bin/
    • /usr/sbin/
    • /usr/lib/
    • /usr/lib64/
    • /var/*
    • /var/lib/
    • /var/run/
    • /opt/kaspersky/kuma/

    Files are available at the following paths:

    • /opt/kaspersky/kuma/clickhouse/logs/
    • /opt/kaspersky/kuma/mongodb/log/
    • /opt/kaspersky/kuma/victoria-metrics/log/

    Limiting the number of files for watching by mask

    The number of files simultaneously watched by mask can be limited by the max_user_watches setting of the Core. To view the value of a setting, run the following command:

    cat /proc/sys/fs/inotify/max_user_watches

    If the number of files for watching exceeds the value of the max_user_watches setting, the collector cannot read any more events from the files and the following error is written to the collector log:

    Failed to add files for watching {"error": "no space left on device"}

    To make sure that the collector continues to work correctly, you can configure the appropriate rotation of files so that the number of files does not exceed the value of the max_user_watches setting, or increase the max_user_watches value.

    To increase the value of the setting:

    sysctl fs.inotify.max_user_watches=<number of files>

    sysctl -p

    You can also add the value of the max_user_watches setting to sysctl.conf so make sure it is kept indefinitely.

    After you increase the value of the max_user_watches setting, the collector resumes correct operation.

  • Auditd is the toggle switch of the mechanism that groups auditd log event records received from a connector into a single event. Auditd only supports the \n delimiter, so if the toggle switch is enabled, the Delimiter field becomes unavailable. If the Auditd toggle switch is enabled in the agent connector, the \n delimiter must be configured in the connector of the collector to which the agent sends events.
  • For Windows is a toggle switch that, when turned on, enables the receipt of Windows event log events from the Windows agent. In that case, the Auditd switch must be turned off. By default, the For Windows toggle switch is turned off.
  • Description—resource description: up to 4,000 Unicode characters.
• Advanced settings tab:
  • Debug—a toggle switch that lets you specify whether resource logging must be enabled. By default, this toggle switch is in the Disabled position.
  • Buffer size is the setting that lets you specify the size in bytes of the buffer for accumulating events in RAM before sending them for storage or for further processing.

    Default value: 1048576 bytes (1 MB).

    Possible values: positive integer less than or equal to 67108864 bytes (64 MB).

  • Number of handlers is the setting that is used to set the number of services processing the queue. You can determine the number of handlers use the formula: (<number of CPU cores>/2) + 2.
  • Poll interval, ms is the setting that lets you set the interval with which the connector re-reads the directory with files. The value is in milliseconds. The connector wait for specified time only if there are no changes in the file. If the file is continuously modified, and Poll interval = 5000 milliseconds, the 5-second interval for re-reading the files in the directory is not observed, and instead they are re-read continuously. If there are no changes in the file, the connector waits for 5 seconds. If 0 is set in the web interface, the default value of 700 ms is used. We recommend setting Poll interval, ms to at least the Event buffer TTL value because otherwise the Auditd option may be adversely affected.
  • Character encoding setting specifies character encoding. The default value is UTF-8.
  • Event buffer TTL is the time to live of the buffer for grouping records into a single auditd event. This field is available if the Auditd toggle switch is enabled. The countdown starts the moment when the first event line is received, or immediately after the previous TTL expires. Possible values: 700 ms to 3000 ms. The default value is 2000 ms.
  • Transport header—for auditd events, you must specify a regular expression to be used for identifying parts of the auditd log. You can use the default or edit it to suit your needs; the regular expression must contain the record_type_name, record_type_value, and event_sequence_number groups. If a multi-line auditd event contains a prefix, the prefix is retained for the first record, and for subsequent entries, the prefix is discarded.

    You can revert to the original value by clicking Set default value.