File type

The file type is used to retrieve data from any text file. One string in a file is considered to be one event. Strings delimiter: \n. This type of connector is available for Linux Agents.

To set up file transfers from a Windows server for processing by the KUMA collector:

1. On the Windows server, grant read access over the network to the folder with the files that you want processed.
2. On the Linux server, mount the shared folder on the Windows server (see the list of supported operating systems).
3. On the Linux server, install the collector that you want to process files from the mounted shared folder.

When creating this type of connector, you need to define values for the following settings:

• Basic settings tab:
  • Name (required)—a unique name for this type of resource. Must contain 1 to 128 Unicode characters.
  • Tenant (required)—name of the tenant that owns the resource.
  • Type (required)—connector type, file.
  • URL (required)—full path to the file that you need to interact with. For example, /var/log/*som?[1-9].log.

    File and folder mask templates

    Masks:

    • '*'—matches any sequence of characters.
    • '[' [ '^' ] { range of characters } ']'—class of characters (should not be left blank).
    • '?'—matches any single character.

    Ranges of characters:

    • [0-9]—digits;
    • [a-zA-Z]—Latin alphabet characters.

    Examples:

    • /var/log/*som?[1-9].log
    • /mnt/dns_logs/*/dns.log
    • /mnt/proxy/access*.log

    Limitations when using prefixes in file paths

    Prefixes that cannot be used when specifying paths to files:

    • /*
    • /bin
    • /boot
    • /dev
    • /etc
    • /home
    • /lib
    • /lib64
    • /proc
    • /root
    • /run
    • /sys
    • /tmp
    • /usr/*
    • /usr/bin/
    • /usr/local/*
    • /usr/local/sbin/
    • /usr/local/bin/
    • /usr/sbin/
    • /usr/lib/
    • /usr/lib64/
    • /var/*
    • /var/lib/
    • /var/run/
    • /opt/kaspersky/kuma/

    Files are available at the following paths:

    • /opt/kaspersky/kuma/clickhouse/logs/
    • /opt/kaspersky/kuma/mongodb/log/
    • /opt/kaspersky/kuma/victoria-metrics/log/

    Limiting the number of files for watching by mask

    The number of files simultaneously watched by mask can be limited by the max_user_watches setting of the Core. To view the value of a setting, run the following command:

    cat /proc/sys/fs/inotify/max_user_watches

    If the number of files for watching exceeds the value of the max_user_watches setting, the collector cannot read any more events from the files and the following error is written to the collector log:

    Failed to add files for watching {"error": "no space left on device"}

    To make sure that the collector continues to work correctly, you can configure the appropriate rotation of files so that the number of files does not exceed the value of the max_user_watches setting, or increase the max_user_watches value.

    To increase the value of the setting:

    sysctl fs.inotify.max_user_watches=<number of files>

    sysctl -p

    You can also add the value of the max_user_watches setting to sysctl.conf so make sure it is kept indefinitely.

    After you increase the value of the max_user_watches setting, the collector resumes correct operation.

  • Description—resource description: up to 4,000 Unicode characters.
• Advanced settings tab:
  • Character encoding setting specifies character encoding. The default value is UTF-8.
  • Debug—a drop-down list where you can specify whether resource logging should be enabled. By default it is Disabled.