Kaspersky Unified Monitoring and Analysis Platform
2.0
English

Contents

Transferring events from isolated network segments to KUMA

Data transfer scenario

Data diodes can be used to transfer events from isolated network segments to KUMA. Data transfer is organized as follows:

  1. KUMA agent that is Installed on a standalone server, with a diode destination receives events and moves them to a directory from which the data diode will pick up the events.

    The agent accumulates events in a buffer until it overflows or for a user-defined period after the last write to disk. The events are then written to a file in the temporary directory of the agent. The file is moved to the directory processed by the data diode; its name is a combination of the file contents hash (SHA-256) and the file creation time.

  2. The data diode moves files from the isolated server directory to the external server directory.
  3. A KUMA collector with a diode connector installed on an external server reads and processes events from the files of the directory where the data diode places files.

    After all events are read from a file, it is automatically deleted. Before reading events, the contents of files are verified based on the hash in the file name. If the contents fail verification, the file is deleted.

In the described scenario, the KUMA components are responsible for moving events to a specific directory within the isolated segment and for receiving events from a specific directory in the external network segment. The data diode transfers files containing events from the directory of the isolated network segment to the directory of the external network segment.

For each data source within an isolated network segment, you must create its own KUMA collector and agent, and configure the data diode to work with separate directories.

Configuring KUMA components

Configuring KUMA components for transferring data from isolated network segments consists of the following steps:

  1. Creating a collector service in the external network segment.

    At this step, you must create and install a collector to receive and process the files that the data diode will transfer from the isolated network segment. You can use the Collector Installation Wizard to create the collector and all the resources it requires.

    At the Transport step, you must select or create a connector of the diode type. In the connector, you must specify the directory to which the data diode will move files from the isolated network segment.

    The user "kuma" that runs the collector must have read/write/delete permissions in the directory to which the data diode moves data from the isolated network segment.

  2. Creating a set of resources for a KUMA agent.

    At this step, you must create a set of resources for the KUMA agent that will receive events in an isolated network segment and prepare them for transferring to the data diode. The diode agent resource set has the following requirements:

    • The destination resource in the agent must have the diode type. In this resource, you must specify the directory from which the data diode will move files to the external network segment.
    • You cannot select connectors of the sql or netflow types for the diode agent.
  3. Downloading the agent configuration file as JSON file.
    1. The set of agent resources from a diode-type destination must be downloaded as a JSON file.
    2. If secret resources were used in the agent resource set, you must manually add the secret data to the configuration file.
  4. Installing the KUMA agent service in the isolated network segment.

    At this step, you must install the agent in an isolated network segment based on the agent configuration file that was created at the previous step. It can be installed to Linux and Windows devices.

Configuring a data diode

The data diode must be configured as follows:

  • Data must be transferred atomically from the directory of the isolated server (where the KUMA agent places the data) to the directory of the external server (where the KUMA collector reads the data).
  • The transferred files must be deleted from the isolated server.

For information on configuring the data diode, please refer to the documentation for the data diode used in your organization.

Special considerations

When working with isolated network segments, operations with SQL and NetFlow are not supported.

When using the scenario described above, the agent cannot be administered through the KUMA web interface because it resides in an isolated network segment. Such agents are not displayed in the list of active KUMA services.

In this Help topic

Diode agent configuration file

Description of secret fields

Installing Linux Agent in an isolated network segment

Installing Windows Agent in an isolated network segment

See also:

About agents

Collector

Service resource sets
Page top
[Topic 232930]

Diode agent configuration file

A created set of agent resources with a diode-type destination can be downloaded as a configuration file. This file is used when installing the agent in an isolated network segment.

To download the configuration file:

In the KUMA web interface, under ResourcesAgents, select the required set of agent resources with a diode destination and click Download config.

The agent settings configuration is downloaded as a JSON file based on the settings of your browser. Secret resources used in the agent resource set are downloaded empty. Their IDs are specified in the file in the "secrets" section. To use a configuration file to install an agent in an isolated network segment, you must manually add secrets to the configuration file (for example, specify the URL and passwords used in the agent connector to receive events).

You must use an access control list (ACL) to configure permissions to access the file on the server where the agent will be installed. File read access must be available to the user account that will run the diode agent.

Below is an example of a diode agent configuration file with a kafka connector.

{

"config": {

"id": "<ID of the set of agent resources>",

"name": "<name of the set of agent resources>",

"proxyConfigs": [

{

"connector": {

"id": "<ID of the connector resource. This example shows a kafka-type connector, but other types of connectors can also be used in a diode agent. If a connector resource is created directly in the set of agent resources, there is no ID value.>",

"name": "<name of the connector resource>",

"kind": "kafka",

"connections": [

{

"kind": "kafka",

"urls": [

"localhost:9093"

],

"host": "",

"port": "",

"secretID": "<ID of the secret resource>",

"clusterID": "",

"tlsMode": "",

"proxy": null,

"rps": 0,

"maxConns": 0,

"urlPolicy": "",

"version": "",

"identityColumn": "",

"identitySeed": "",

"pollInterval": 0,

"query": "",

"stateID": "",

"certificateSecretID": "",

"authMode": "pfx",

"secretTemplateKind": "",

"certSecretTemplateKind": ""

}

],

"topic": "<kafka topic name>",

"groupID": "<kafka group ID>",

"delimiter": "",

"bufferSize": 0,

"characterEncoding": "",

"query": "",

"pollInterval": 0,

"workers": 0,

"compression": "",

"debug": false,

"logs": [],

"defaultSecretID": "",

"snmpParameters": [

{

"name": "",

"oid": "",

"key": ""

}

],

"remoteLogs": null,

"defaultSecretTemplateKind": ""

},

"destinations": [

{

"id": "<ID of the destination resource. If a destination resource is created directly in the set of agent resources, there is no ID value.>",

"name": "<destination resource name>",

"kind": "diode",

"connection": {

"kind": "file",

"urls": [

"<path to the directory where the destination should place events that the data diode will transmit from the isolated network segment>",

"<path to the temporary directory in which events are placed to prepare for data transmission by the diode>"

],

"host": "",

"port": "",

"secretID": "",

"clusterID": "",

"tlsMode": "",

"proxy": null,

"rps": 0,

"maxConns": 0,

"urlPolicy": "",

"version": "",

"identityColumn": "",

"identitySeed": "",

"pollInterval": 0,

"query": "",

"stateID": "",

"certificateSecretID": "",

"authMode": "",

"secretTemplateKind": "",

"certSecretTemplateKind": ""

},

"topic": "",

"bufferSize": 0,

"flushInterval": 0,

"diskBufferDisabled": false,

"diskBufferSizeLimit": 0,

"healthCheckPath": "",

"healthCheckTimeout": 0,

"healthCheckDisabled": false,

"timeout": 0,

"workers": 0,

"delimiter": "",

"debug": false,

"disabled": false,

"compression": "",

"filter": null,

"path": ""

}

]

}

],

"workers": 0,

"debug": false

},

"secrets": {

"<ID of the secret resource>": {

"pfx": "<encrypted pfx key>",

"pfxPassword": "<password to the encrypted pfx key. The changeit value is exported from KUMA instead of the actual password. In the configuration file, you must manually specify the contents of secrets>"

}

},

"tenantID": "<ID of the tenant>"

}

Page top
[Topic 233138]

Description of secret fields

Secret fields

Field name

Type

Description

user

string

User name.

password

string

Password.

token

string

Token.

urls

array of strings

URL list.

publicKey

string

Public key (used in PKI).

privateKey

string

Private key (used in PKI).

pfx

string containing the base64-encoded pfx file

Base64-encoded PFX file. On Linux, you can get the base64 encoding of a file by using the base64 -w0 src > dst command.

pfxPassword

string

Password of the PFX.

securityLevel

string

Used in snmp3. Possible values: NoAuthNoPriv, AuthNoPriv, AuthPriv.

community

string

Used in snmp1.

authProtocol

string

Used in snmp3. Possible values: MD5, SHA, SHA224, SHA256, SHA384, SHA512.

privacyProtocol

string

Used in snmp3. Possible values: DES, AES.

privacyPassword

string

Used in snmp3.

certificate

string containing the base64-encoded pem file

Base64-encoded pem file. On Linux, you can get the base64 encoding of a file by using the base64 -w0 src > dst command.

Page top
[Topic 233147]

Installing Linux Agent in an isolated network segment

To install a KUMA agent to a Linux device in an isolated network segment:

  1. Place the following files on the Linux server in an isolated network segment that will be used by the agent to receive events and from which the data diode will move files to the external network segment:
    • Agent configuration file.

      You must use an access control list (ACL) to configure access permissions for the configuration file so that only the KUMA user will have file read access.

    • Executive file /opt/kaspersky/kuma/kuma (the "kuma" file can located in the installer in the /kuma-ansible-installer/roles/kuma/files/ folder).
  2. Execute the following command:

    sudo ./kuma agent --cfg <path to the agent configuration file> --wd <path to the directory where the files of the agent being installed will reside. If this flag is not specified, the files will be stored in the directory where the kuma file is located>

The agent service is installed and running on the server in an isolated network segment. It receives events and relays them to the data diode so that they can be sent to an external network segment.

Page top
[Topic 233143]

Installing Windows Agent in an isolated network segment

Prior to installing a KUMA agent to a Windows asset, the server administrator must create a user account with the EventLogReaders and Log on as a service permissions on the Windows asset. This user account must be used to start the agent.

To install a KUMA agent to a Windows device in an isolated network segment:

  1. Place the following files on the Window server in an isolated network segment that will be used by the agent to receive events and from which the data diode will move files to the external network segment:
    • Agent configuration file.

      You must use an access control list (ACL) to configure access permissions for the configuration file so that the file can only be read by the user account that will run the agent.

    • Kuma.exe executable file. This file can be found inside the installer in the /kuma-ansible-installer/roles/kuma/files/ directory.

    It is recommended to use the C:\Users\<user name>\Desktop\KUMA folder.

  2. Start the Command Prompt on the Windows asset with Administrator privileges and locate the folder containing the kuma.exe file.
  3. Execute the following command:

    kuma.exe agent --cfg <path to the agent configuration file> --user <user name that will run the agent, including the domain> --install

    You can get help information by running the kuma.exe help agent command.

  4. Enter the password of the user account used to run the agent.

The C:\Program Files\Kaspersky Lab\KUMA\agent\<Agent ID> folder is created in which the KUMA agent service is installed. The agent moves events to the folder so that they can be processed by the data diode.

When installing the agent, the agent configuration file is moved to the directory C:\Program Files\Kaspersky Lab\KUMA\agent\<agent ID specified in the configuration file>. The kuma.exe file is moved to the C:\Program Files\Kaspersky Lab\KUMA directory.

When installing an agent, its configuration file must not be located in the directory where the agent is installed.

When the agent service is installed, it starts automatically. The service is also configured to restart in case of any failures.

Removing a KUMA agent from Windows assets

To remove a KUMA agent from a Windows asset:

  1. Start the Command Prompt on the Windows machine with Administrator privileges and locate the folder with kuma.exe file.
  2. Run any of the commands below:

The specified KUMA agent is removed from the Windows asset. Windows events are no longer sent to KUMA.

When configuring services, you can check the configuration for errors before installation by running the agent with the command kuma.exe agent --cfg <path to the agent configuration file>.

Page top
[Topic 233215]