Operation diagnostics of the Kaspersky Next XDR Expert components
This section describes how to obtain diagnostic information about Kaspersky Next XDR Expert components.
Obtaining log files of Kaspersky Next XDR Expert components
KDT allows you to obtain log files that contain diagnostic information about Kaspersky Next XDR Expert components and the Kubernetes cluster, to troubleshoot problems on your own or with the help of Kaspersky Technical Support.
Kaspersky Next XDR Expert generates the log file names according to the following template: pod_name.container_name.log. Here, pod_name is a Kubernetes pod name, and container_name is a Kubernetes container name.
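The following added example (not part of the Kaspersky documentation or the KDT utility) shows one way to split file names that follow this template when triaging a directory of collected logs. It assumes that container names contain no dots (Kubernetes requires them to be DNS labels) while pod names may, so the split is made at the last dot before the .log suffix. The function names and the sample file names are hypothetical.

```shell
#!/bin/sh
# Split a log file name of the form pod_name.container_name.log.
# Prints "pod container" on success, returns 1 if the name does not match.
split_log_name() {
    name=${1##*/}                  # drop any directory part
    case $name in
        *.*.log) ;;                # needs at least pod.container.log
        *) return 1 ;;
    esac
    base=${name%.log}              # strip the suffix
    container=${base##*.}          # text after the last dot
    pod=${base%.*}                 # everything before the last dot
    [ -n "$pod" ] && [ -n "$container" ] || return 1
    printf '%s %s\n' "$pod" "$container"
}

# Print "pod container bytes" for every matching file in a directory,
# largest file first, to show which container produced the most output.
summarize_log_dir() {
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        pc=$(split_log_name "$f") || continue
        printf '%s %s\n' "$pc" "$(wc -c < "$f" | tr -d ' ')"
    done | sort -k3,3nr
}

# Usage (constructed file name):
#   split_log_name ./logs/example-pod-0.example-container.log
#   summarize_log_dir ./logs
```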
To obtain log files of Kaspersky Next XDR Expert components and management web plug-ins,
On the administrator host where the KDT utility is located, run the following command:
./kdt logs get <flags>
Where <flags> are the parameters of the command that allow you to configure the logging result.
You can specify the following logging parameters:
- --app <list_of_components> — Obtain logs for the listed Kaspersky Next XDR Expert components.
- --auto-dest-dir — Obtain logs and save them to the kdt-default-logs-<current_date_and_time> directory that is automatically created in the current directory. If the logging period is not specified, you obtain diagnostic information for the last hour.
  For example, if you want to obtain logs for the last hour for Administration Server and KUMA, and then save these logs to the automatically created directory, run the following command:
./kdt logs get --app ksc,kuma --auto-dest-dir
- -d, --destination <file_path> — Obtain logs and save them to the specified file.
- -D, --destination-dir <directory_path> — Obtain logs and save them to the specified directory that must be created beforehand. If the <directory_path> is empty, logs are saved in the standard output stream (stdout). If the logging period is not specified, you obtain diagnostic information for the last hour.
- --to-archive — Obtain logs and save them to the kdt-default-logs-<current_date_and_time>.tar.gz archive. The created archive is saved to the current directory. If the logging period is not specified, you obtain diagnostic information for the last hour.
- --last=<hours>h — Obtain logs for the specified number of hours up to the present time.
  For example, if you want to get an archive with logs for the last three hours, run the following command:
./kdt logs get --to-archive --last=3h
- --start=<date_and_time> — Obtain logs starting from the specified date and time (in the Unix timestamp format) to the present time, or to the date and time specified in the --end parameter.
  For example, if you want to obtain logs starting from 03/26/2024 10:00:00 to the present time, and then save them to the kdt-default-logs-<current_date_and_time> directory created in the current directory, run the following command:
./kdt logs get --auto-dest-dir --start=1711447200
- --end=<date_and_time> — Obtain logs starting from the date and time specified in the --start parameter to the date and time specified in the --end parameter (in the Unix timestamp format). If the --start parameter is not specified, logs are obtained for the last hour before the date and time specified by the --end parameter.
  For example, if you want to save logs for a 10-minute period (from 03/26/2024 10:00:00 to 03/26/2024 10:10:00) to the logs directory, run the following command:
./kdt logs get -D ./logs/ --start=1711447200 --end=1711447800
To view the available logging parameters, you can run one of the following commands:
./kdt logs get -h
./kdt logs get --help
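Because --start and --end take Unix timestamps, a small helper avoids hand-converting times when collecting logs around an incident. The following is an added example, not part of the KDT utility: the kdt_window and to_epoch function names are hypothetical, GNU date is assumed, and input times are interpreted as UTC, which is what the timestamps in the examples above correspond to (1711447200 is 03/26/2024 10:00:00 UTC).

```shell
#!/bin/sh
# Convert a "YYYY-MM-DD hh:mm:ss" UTC time to a Unix timestamp (GNU date).
to_epoch() {
    date -u -d "$1" +%s 2>/dev/null
}

# kdt_window "<UTC time>" <minutes_before> <minutes_after>
# Prints the --start/--end arguments for a window around the given time.
kdt_window() {
    center=$(to_epoch "$1") || { echo "invalid time: $1" >&2; return 1; }
    for m in "$2" "$3"; do
        case $m in
            ''|*[!0-9]*) echo "minutes must be non-negative integers" >&2
                         return 1 ;;
        esac
    done
    start=$((center - $2 * 60))
    end=$((center + $3 * 60))
    # An empty window would return no logs, so refuse it
    [ "$end" -gt "$start" ] || { echo "empty time window" >&2; return 1; }
    printf '%s\n' "--start=$start --end=$end"
}

# Usage: collect logs from 5 minutes before to 5 minutes after an alert
# raised at 10:05:00 UTC and save them to an existing ./logs/ directory:
#   ./kdt logs get -D ./logs/ $(kdt_window "2024-03-26 10:05:00" 5 5)
```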
Viewing OSMP metrics
OSMP allows you to monitor metrics for further analysis of the operability and performance of its components.
You can view OSMP metrics in one of the following ways:
- By using the <monitoring_host>.<smp_domain> URL
  In this case, you have to view the metrics by using Grafana, a tool for data visualization that is installed with Kaspersky Next XDR Expert. To access metrics through Grafana, you must specify the Grafana credentials in the configuration file (the grafana_admin_user and grafana_admin_password parameters).
- By using your tools
  In this case, you have to configure your tools to obtain the metrics from the <api_host>.<smp_domain>/metrics API address.
The <api_host> and <monitoring_host> are host names, and <smp_domain> is a domain name. These parameters constitute the FQDNs of Kaspersky Next XDR Expert services and are set in the configuration file when deploying Kaspersky Next XDR Expert.
Kaspersky Next XDR Expert provides its metrics in the OpenMetrics format.
If you want to view information about the performance of the KUMA Core, storage, collectors, and correlators, you have to view KUMA metrics.
Monitoring the state of Kaspersky Next XDR Expert components
The dashboard provides a graphical display of the state of each Kaspersky Next XDR Expert component.
For example, you can view the following component parameters:
- Usage of requests and limits of CPU
- Usage of requests of CPU and RAM
- Usage of CPU and RAM by containers
- Allocation of the component resources by containers
- Network performance indicators: bandwidth, packet loss, network errors, number of sent and received packets
To view diagnostic information on the dashboard:
- Go to the <monitoring_host>.<smp_domain> URL.
  The <monitoring_host> is a host name, and <smp_domain> is a domain name. These parameters constitute the FQDN of the Kaspersky Next XDR Expert monitoring service and are set in the configuration file when deploying Kaspersky Next XDR Expert.
- Enter the Grafana credentials that you specified in the configuration file (the grafana_admin_user and grafana_admin_password parameters).
- In the menu, go to Kubernetes → Views → Pods.
- In the namespace drop-down list, select the component for which you want to view the diagnostic information.
- You can also specify other parameters to customize the dashboard view.
The dashboard with diagnostic information about the selected Kaspersky Next XDR Expert component is displayed.
Storing diagnostic information about Kaspersky Next XDR Expert components
Diagnostic information about Kaspersky Next XDR Expert components is stored on a worker node of the Kubernetes cluster. The amount of disk space required for storing this information is specified in the configuration file before the deployment of Kaspersky Next XDR Expert (the loki_size parameter).
To check the disk space used to store diagnostic information about Kaspersky Next XDR Expert components,
On the administrator host where the KDT utility is located, run the following command:
./kdt invoke observability --action getPvSize
The amount of the allocated free disk space in gigabytes is displayed.
You can also increase the disk space used to store diagnostic information about Kaspersky Next XDR Expert components after the deployment of Kaspersky Next XDR Expert. You cannot set the amount of disk space to less than the previously specified amount.
To increase the disk space used to store diagnostic information about Kaspersky Next XDR Expert components,
On the administrator host where the KDT utility is located, run the following command and specify the required free disk space in gigabytes (for example, "50Gi"):
./kdt invoke observability --action setPvSize --param loki_size="<new_disk_space_amount>Gi"
The amount of free disk space allocated to store diagnostic information about Kaspersky Next XDR Expert components is changed.
Obtaining trace files
KDT allows you to obtain trace files for Kaspersky Next XDR Expert and OSMP components, to troubleshoot infrastructure on your own or with the help of Kaspersky Technical Support.
Trace files are downloaded in OpenTelemetry format.
To obtain the trace file for the Kaspersky Next XDR Expert or OSMP component:
- On the administrator host where the KDT utility is located, run the following command and specify the path to the file where you want to save the list of trace files:
./kdt traces find -o <output_file_path>
The list of trace files with their IDs is output to the specified file.
- To output a particular trace file, run the following command and specify the output file path and the trace file ID:
./kdt traces get -o <output_file_path> --trace-id=<trace_ID>
The specified trace file is saved.
Logging the launches of custom actions
KDT allows you to obtain the history of the custom action launches for a specific Kaspersky Next XDR Expert component, as well as the logs of a particular custom action launch. The obtained logs may help you to investigate problems with the operation of the Kaspersky Next XDR Expert components on your own or with the help of Kaspersky Technical Support.
To obtain the history of the custom action launches for a specific Kaspersky Next XDR Expert component,
On the administrator host where the KDT utility is located, run the following command, and then specify the component name:
./kdt state -H <component_name>
The list of executed custom actions with their IDs is displayed.
To obtain logs of the custom action launch,
On the administrator host where the KDT utility is located, run the following command, and then specify the component name and the ID of the custom action launch:
./kdt state -l <component_name> -m <custom_action_launch_ID>
The logs of the specified custom action launch are displayed.