Kaspersky Next XDR Expert

Operation diagnostics of the Kaspersky Next XDR Expert components

This section describes how to obtain diagnostic information about Kaspersky Next XDR Expert components.

In this section

Obtaining diagnostic information about Kaspersky Next XDR Expert components

Viewing OSMP metrics

Storing diagnostic information about Kaspersky Next XDR Expert components

Obtaining trace files

Logging the launches of custom actions

[Topic 270427]

Obtaining diagnostic information about Kaspersky Next XDR Expert components

KDT allows you to obtain diagnostic information about Kaspersky Next XDR Expert components and the Kubernetes cluster, to troubleshoot problems on your own or with the help of Kaspersky Technical Support.

To obtain diagnostic information about the Kaspersky Next XDR Expert components and management web plug-ins,

On the administrator host where the KDT utility is located, run the following command:

./kdt logs get <flags>

Where <flags> are the command parameters that control which logs are collected, for what period, and where the result is saved.

You can specify the following logging parameters:

  • --app <list_of_components>—Obtain diagnostic information for the listed Kaspersky Next XDR Expert components (comma-separated, as in the example below).
  • --auto-dest-dir—Obtain logs and save them to the kdt-default-logs-<current_date_and_time> directory that is automatically created in the current directory. If the logging period is not specified, you obtain diagnostic information for the last hour.

    For example, if you want to obtain logs for the last hour for Administration Server and KUMA, and then save these logs to the automatically created directory, run the following command:

    ./kdt logs get --app ksc,kuma --auto-dest-dir

  • -d, --destination <file_path>—Obtain logs and save them to the specified file.
  • -D, --destination-dir <directory_path>—Obtain logs and save them to the specified directory that must be created beforehand. If the <directory_path> is empty, logs are saved in the standard output stream (stdout). If the logging period is not specified, you obtain diagnostic information for the last hour.
  • --to-archive—Obtain logs and save them to the kdt-default-logs-<current_date_and_time>.tar.gz archive. The created archive is saved to the current directory. If the logging period is not specified, you obtain diagnostic information for the last hour.
  • --last=<hours>h—Obtain logs for the specified number of hours up to the present time.

    For example, if you want to get an archive with logs for the last three hours, run the following command:

    ./kdt logs get --to-archive --last=3h

  • --start=<date_and_time>—Obtain logs starting from the specified date and time (in the Unix timestamp format) to the present time, or to the date and time specified in the --end parameter.

    For example, if you want to obtain logs starting from 03/26/2024 10:00:00 to the present time, and then save them to the kdt-default-logs-<current_date_and_time> directory created in the current directory, run the following command:

    ./kdt logs get --auto-dest-dir --start=1711447200

  • --end=<date_and_time>—Obtain logs starting from the date and time specified in the --start parameter to the date and time specified in the --end parameter (in the Unix timestamp format). If the --start parameter is not specified, logs are obtained for the last hour before the date and time specified by the --end parameter.

    For example, if you want to save logs for a 10-minute period (from 03/26/2024 10:00:00 to 03/26/2024 10:10:00) to the logs directory, run the following command:

    ./kdt logs get -D ./logs/ --start=1711447200 --end=1711447800

To view the available flags, you can run one of the following commands:

  • ./kdt logs get -h
  • ./kdt logs get --help
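The --start and --end parameters take Unix timestamps, and the page's own values (1711447200 for 03/26/2024 10:00:00) correspond to UTC. The following script is an added example, not part of the KDT documentation or the product: it converts a human-readable UTC date to the timestamp with pure shell arithmetic (no dependency on GNU date or the host's time zone), rejects a window whose end is not after its start, creates the destination directory that -D requires, and assembles the command. The ./kdt path and flag names are taken from the page; the "YYYY-MM-DD HH:MM:SS" input format, the UTC assumption and the KDT_DRY_RUN variable are this script's own.

```shell
#!/bin/sh
# Added example (not part of the KDT documentation or product).
# Assumptions: dates are given as "YYYY-MM-DD HH:MM:SS" in UTC; KDT_DRY_RUN=1 prints
# the assembled command instead of running ./kdt.

# to_epoch "YYYY-MM-DD" "HH:MM:SS" -> seconds since 1970-01-01T00:00:00Z.
# Uses the days-from-civil algorithm in POSIX sh arithmetic, so the result does not
# depend on the administrator host's time zone or on a GNU-specific date(1).
to_epoch() {
  d=$1 t=$2
  y=${d%%-*}; r=${d#*-}; m=${r%%-*}; day=${r#*-}
  hh=${t%%:*}; r=${t#*:}; mi=${r%%:*}; ss=${r#*:}
  # strip one leading zero so "08"/"09" are not parsed as (invalid) octal
  m=${m#0}; day=${day#0}; hh=${hh#0}; mi=${mi#0}; ss=${ss#0}
  # shift the year to start in March so leap days fall at the end of the year
  if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  doy=$(((153 * mp + 2) / 5 + day - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  days=$((era * 146097 + doe - 719468))
  echo $((days * 86400 + hh * 3600 + mi * 60 + ss))
}

# kdt_logs_window "YYYY-MM-DD HH:MM:SS" "YYYY-MM-DD HH:MM:SS" <dest_dir>
# Builds `./kdt logs get -D <dest_dir> --start=<epoch> --end=<epoch>`.
kdt_logs_window() {
  start=$(to_epoch "${1%% *}" "${1#* }")
  end=$(to_epoch "${2%% *}" "${2#* }")
  dest=$3
  if [ "$end" -le "$start" ]; then
    echo "kdt_logs_window: end must be later than start" >&2
    return 1
  fi
  # -D expects the directory to exist beforehand, so create it here
  mkdir -p "$dest" || return 1
  set -- ./kdt logs get -D "$dest" --start="$start" --end="$end"
  if [ "${KDT_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Usage on the administrator host (the window from the page's last example):
#   kdt_logs_window '2024-03-26 10:00:00' '2024-03-26 10:10:00' ./logs/
```

Run it from the directory that contains the kdt utility; with KDT_DRY_RUN=1 it only prints the command, which is a convenient way to double-check the timestamps before collecting logs.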

[Topic 270421]

Viewing OSMP metrics

OSMP allows you to monitor metrics for further analysis of the operability and performance of its components.

You can view OSMP metrics in one of the following ways:

  • By using the monitoring.<smp_domain> URL.

    In this case, you view the metrics in Grafana, a data visualization tool that is installed with Kaspersky Next XDR Expert. The <smp_domain> is a parameter that you set in the configuration file when deploying Kaspersky Next XDR Expert.

  • By using your tools.

    In this case, you have to configure your tools to obtain the metrics from the api.<smp_domain>/metrics API address.

    Kaspersky Next XDR Expert provides its metrics in OpenMetrics format.

If you want to view information about the performance of the KUMA Core, storage, collectors, and correlators, you have to view KUMA metrics.
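If you scrape api.<smp_domain>/metrics with your own tooling rather than a full monitoring stack, you need to read the OpenMetrics text exposition. The following is an added example, not part of the documentation or the product: a small shell/awk reader that pulls one series, or the sum of a counter family, out of a scrape. The endpoint name comes from the page; the https scheme, the SMP_DOMAIN variable and the sample metric families in SAMPLE_METRICS are constructed for this example and are not real Kaspersky Next XDR Expert metric names.

```shell
#!/bin/sh
# Added example (not part of the documentation or product).
# Assumptions: the endpoint is served over https and needs no extra auth header
# (add one to fetch_metrics if your deployment requires it); label values contain
# no whitespace, which is true of the OpenMetrics text format's usual output.

# Constructed sample scrape in OpenMetrics text format (invented series).
SAMPLE_METRICS='# TYPE http_requests_total counter
# HELP http_requests_total Total HTTP requests served.
http_requests_total{method="GET",code="200"} 1027 1711447200
http_requests_total{method="POST",code="500"} 3 1711447200
# TYPE process_open_fds gauge
process_open_fds 42
# EOF'

# fetch_metrics: scrape the live endpoint (SMP_DOMAIN must be exported first).
fetch_metrics() {
  curl -fsS "https://api.${SMP_DOMAIN:?set SMP_DOMAIN}/metrics"
}

# om_value <text> <family> [label="value"]: value of the first sample of <family>
# whose label set contains the given label pair (or the first sample if none given).
# Prints nothing when no sample matches.
om_value() {
  printf '%s\n' "$1" | awk -v name="$2" -v label="$3" '
    /^#/ { next }                      # skip TYPE/HELP/UNIT/EOF lines
    {
      split($1, p, "{")                # p[1] is the family name before any label set
      if (p[1] != name) next
      if (label != "" && index($1, label) == 0) next
      print $2; exit                   # $2 is the value; $3 would be the optional timestamp
    }'
}

# om_sum <text> <family>: sum over every series of a family, e.g. a counter that
# is split across method/code labels.
om_sum() {
  printf '%s\n' "$1" | awk -v name="$2" '
    /^#/ { next }
    { split($1, p, "{"); if (p[1] == name) s += $2 }
    END { print s + 0 }'
}

# Usage against the live endpoint once SMP_DOMAIN is set:
#   scrape=$(fetch_metrics)
#   om_sum "$scrape" http_requests_total
```

The awk reader deliberately ignores the # TYPE and # HELP metadata lines; if you need the metric type (counter vs. gauge) to decide whether to take a rate or a raw value, read the # TYPE line for the family before using the sample.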

[Topic 270086]

Storing diagnostic information about Kaspersky Next XDR Expert components

Diagnostic information about Kaspersky Next XDR Expert components is stored on a worker node of the Kubernetes cluster. The amount of disk space required for storing this information is specified in the configuration file before the deployment of Kaspersky Next XDR Expert (the loki_size parameter).

To check the disk space used to store diagnostic information about Kaspersky Next XDR Expert components,

On the administrator host where the KDT utility is located, run the following command:

./kdt invoke observability --action getPvSize

The amount of allocated free disk space, in gigabytes, is displayed.

You can also increase the disk space used to store diagnostic information about Kaspersky Next XDR Expert components after the deployment of Kaspersky Next XDR Expert. You cannot set the amount of disk space to less than the previously specified amount.

To increase the disk space used to store diagnostic information about Kaspersky Next XDR Expert components,

On the administrator host where the KDT utility is located, run the following command and specify the required free disk space in gigabytes (for example, "50Gi"):

./kdt invoke observability --action setPvSize --param loki_size="<new_disk_space_amount>Gi"

The amount of free disk space allocated to store diagnostic information about Kaspersky Next XDR Expert components is changed.

[Topic 270423]

Obtaining trace files

KDT allows you to obtain trace files for Kaspersky Next XDR Expert and OSMP components, to troubleshoot infrastructure on your own or with the help of Kaspersky Technical Support.

Trace files are downloaded in OpenTelemetry format.

To obtain the trace file for the Kaspersky Next XDR Expert or OSMP component:

  1. On the administrator host where the KDT utility is located, run the following command and specify the path to the file where you want to save the list of trace files:

    ./kdt traces find -o <output_file_path>

    The list of trace files with their IDs is output to the specified file.

  2. To output a particular trace file, run the following command and specify the output file path and the trace file ID:

    ./kdt traces get -o <output_file_path> --trace-id=<trace_ID>

The specified trace file is saved.

[Topic 271178]

Logging the launches of custom actions

KDT allows you to obtain the history of the custom action launches for a specific Kaspersky Next XDR Expert component, as well as the logs of a particular custom action launch. The obtained logs may help you to investigate problems with the operation of the Kaspersky Next XDR Expert components on your own or with the help of Kaspersky Technical Support.

To obtain the history of the custom action launches for a specific Kaspersky Next XDR Expert component,

On the administrator host where the KDT utility is located, run the following command, and then specify the component name:

./kdt state -H <component_name>

The list of executed custom actions with their IDs is displayed.

To obtain logs of the custom action launch,

On the administrator host where the KDT utility is located, run the following command, and then specify the component name and the ID of the custom action launch:

./kdt state -l <component_name> -m <custom_action_launch_ID>

The logs of the specified custom action launch are displayed.

[Topic 271649]