KUMA services

Services are the main components of KUMA that help the system to manage events: services allow you to receive events from event sources and subsequently bring them to a common form that is convenient for finding correlation, as well as for storage and manual analysis. Each service consists of two parts that work together:

• One part of the service is created inside the KUMA web interface based on set of resources for services.
• The second part of the service is installed in the network infrastructure where the KUMA system is deployed as one of its components. The server part of a service can consist of multiple instances: for example, services of the same agent or storage can be installed on multiple devices at once.

  On the server side, KUMA services are located in the /opt/kaspersky/kuma directory.

  When you install KUMA in fault-tolerant mode, only the KUMA Core is installed in the cluster. Collectors, correlators, and storages are hosted on hosts outside of the Kubernetes cluster.

Parts of services are connected to each other via the service ID.

Service types:

• Storages are used to save events.
• Correlators are used to analyze events and search for defined patterns.
• Collectors are used to receive events and convert them to KUMA format.
• Agents are used to receive events on remote devices and forward them to KUMA collectors.

In the KUMA web interface, services are displayed in the Resources → Active services section in table format. The table of services can be updated using the Refresh button and sorted by columns by clicking on the active headers.

Table columns:

• Status—service status:
  • Green means that the service is running.
  • Red means that the service is not running.
  • Yellow means that there is no connection with ClickHouse nodes (this status is applied only to storage services). The reason for this is indicated in the service log if logging was enabled.

    The table can be filtered by this setting.

• Type—type of service: agent, collector, correlator, or storage.
• Name—name of the service. Clicking on the name of the service opens its settings.
• Version—service version.
• Tenant—the name of the tenant that owns the service.
• FQDN—fully qualified domain name of the service server.
• IP address—IP address of the server where the service is installed.
• API port—Remote Procedure Call port number.
• Uptime—the time showing how long the service has been running.
• Created—the date and time when the service was created.

You can use the Add service button to create new services based on existing resource sets for services.

We do not recommend creating services outside the main tenant without first carefully planning the inter-tenant interactions of various services and users.

You can use the buttons in the upper part of the window to do the following:

• Restart service.
• Delete service certificate.
• Copy service ID.
• Delete service.
• View storage partitions.
• View active correlator lists.
• Download service log.

To change a service, select a service under Resources → Active services. This opens a window with a set of resources based on which the service was created. You can edit the settings of the set of resources and save your changes. To apply the saved changes, restart the service.

If, when changing the settings of a collector resource set, you change or delete conversions in a normalizer connected to it, the edits will not be saved, and the normalizer itself may be corrupted. If you need to modify conversions in a normalizer that is already part of a service, the changes must be made directly to the normalizer under Resources → Normalizers in the web interface.

In this section Services tools Service resource sets Creating a storage Creating a correlator Creating a collector Predefined collectors Creating an agent

Page top