Kaspersky Unified Monitoring and Analysis Platform

Sources status

In KUMA, you can monitor the state of the sources of data received by collectors. There can be multiple sources of events on one server, and data from multiple sources can be received by one collector. Sources of events are identified based on the following fields of events (the data in these fields is case sensitive):

  • DeviceProduct
  • DeviceAddress or DeviceHostName

Lists of sources are generated in collectors, merged in the KUMA Core, and displayed in the program web interface under Sources status on the List of event sources tab. Data is updated every minute.

The rate and number of incoming events serve as an important indicator of the state of the observed system. You can configure monitoring policies such that changes are tracked automatically and notifications are automatically created when indicators reach specific boundary values. Monitoring policies are displayed in the KUMA web interface under Sources status on the Monitoring policies tab.

When monitoring policies are triggered, monitoring events are created and include data about the source of events.

In this section

List of event sources

Monitoring policies

Page top
[Topic 221645]

List of event sources

Sources of events are displayed in the table under Sources statusList of event sources. Data is updated once every minute, and one page can display up to 250 sources. You can sort the table by clicking the column header of the relevant setting. You can use the Search field to search for sources of events. Clicking on a source of events opens an incoming data graph.

The following columns are available:

  • Status—status of the event source:
    • Green—events are being received within the limits of the assigned monitoring policy.
    • Red—the frequency or number of incoming events go beyond the boundaries defined in the monitoring policy.
    • Gray—a monitoring policy has not been assigned to the source of events.

    The table can be filtered by this setting.

  • Name—name of the event source. The name is generated automatically from the following fields of events:
    • DeviceProduct
    • DeviceAddress and/or DeviceHostname
    • DeviceProcessName
    • Tenant

    You can change the name of an event source.

    If the source name is longer than 128 characters, you cannot assign a policy to it or delete it. It is possible export its data to CSV (see below).

  • Host name or IP address—host name or IP address from which the events were forwarded.
  • Monitoring policy—name of the monitoring policy assigned to the event source.
  • Stream—frequency at which events are received from the event source.
  • Lower limit—lower boundary of the permissible number of incoming events as indicated in the monitoring policy.
  • Upper limit—upper boundary of the permissible number of incoming events as indicated in the monitoring policy.
  • Tenant—the tenant that owns the events received from the event source.

If you select sources of events, the following buttons become available:

  • Save to CSV—you can use this button to export data of the selected event sources to a file named event-source-list.csv in UTF-8 encoding.
  • Apply policy and Disable policy—you can use these buttons to enable or disable a monitoring policy for a source of events. When enabling a policy, you must select the policy from the drop-down list. When disabling a policy, you must select how long you want to disable the policy: temporarily or forever.
  • Remove event source from the list—you can use this button to remove an event source from the table. The statistics on this source will also be removed. If a collector continues to receive data from the source, the event source will re-appear in the table but its old statistics will not be taken into account.
Page top
[Topic 221773]

Monitoring policies

Policies for monitoring the sources of events are displayed in the table under Sources statusMonitoring policies. You can sort the table by clicking the column header of the relevant setting. Clicking on a policy opens an information pane containing its settings that can be edited.

The following columns are available:

  • Name—name of the monitoring policy.
  • Lower limit—lower boundary of the permissible number of incoming events as indicated in the monitoring policy.
  • Upper limit—upper boundary of the permissible number of incoming events as indicated in the monitoring policy.
  • Interval—period taken into account by the monitoring policy.
  • Type—type of monitoring policy:
    • byCount—the monitoring policy tracks the number of incoming events.
    • byEPS—the monitoring policy tracks the rate of incoming events.
  • Tenant—the tenant that owns the monitoring policy.

To add a monitoring policy:

  1. In the KUMA web interface, under Sources statusMonitoring policies, click Add policy and define the settings in the opened window:
    • In the Policy name field, enter a unique name for the policy you are creating. The name must contain from 1 to 128 Unicode characters.
    • In the Tenant drop-down list, select the tenant that will own the policy. Your tenant selection determines the specific sources of events that can covered by the monitoring policy.
    • In the Policy type drop-down list, select the method used to track incoming events: by rate or by number.
    • In the Lower limit and Upper limit fields, define the boundaries representing normal behavior. Deviations outside of these boundaries will trigger the monitoring policy, create an alert, and forward notifications.
    • In the Counting period field, specify the period during which the monitoring policy must take into account the data from the monitoring source. The maximum value is 14 days.
    • If necessary, use the Email address button to specify the email addresses that should receive notifications when the KUMA monitoring policy is triggered.

      To forward notifications, you must configure a connection to the SMTP server.

  2. Click Add.

The monitoring policy will be added.

To remove a monitoring policy:

Select the relevant policy, click Delete policy and confirm this action.

You cannot remove preinstalled monitoring policies or policies that have been assigned to data sources.

Page top
[Topic 221775]