
How to collect LENA troubleshooting information [Kaspersky Endpoint Agent for Linux]


This article applies to Endpoint Agent for Linux. To collect LENA debug or ANY traces, please follow this guide.

The default traces location is '/var/log/kaspersky/epagent/'.

The default dumps location is '/tmp/agentdumps'.

The public collect.sh script was updated to collect LENA-related information and gathers these folders as well.

How to: enable LENA ANY traces

For KATA-EDR (on-premises) customers to tune LENA performance by exclusions, ANY level logs are required. To enable ANY logging:

  1. Become root

    sudo su -
  2. Enable the ANY tracing level, either with this one-liner (it only replaces the value when it is currently none):

    sed -i 's/LENA_TRACE_LEVEL=none/LENA_TRACE_LEVEL=any/g' /etc/opt/kaspersky/epagent/service.conf && systemctl restart epagent

    or manually:

    1. Modify the config file /etc/opt/kaspersky/epagent/service.conf

      /etc/opt/kaspersky/epagent/service.conf
      KESL_FIFO_PATH=/run/log/kesl-messages
      AUDIT_FIFO_PATH=/run/log/audit-messages
      LENA_TRACE_LEVEL=none <-- set any here instead of none
      LENA_DUMPS=yes
    2. Save the modified value.

      Careful, values are CaSe sensitive!

      LENA_TRACE_LEVEL=any  ← correct

      LENA_TRACE_LEVEL=none  ← correct

      LENA_TRACE_LEVEL=ANY ← wrong

      LENA_TRACE_LEVEL=None   ← wrong

    3. To apply changes, restart the epagent service:

      systemctl restart epagent
  3. Wait until the problematic behavior is reproduced;
  4. Stop traces

    /opt/kaspersky/epagent/sbin/lenactl --traces --off
  5. To double-check that the produced traces indeed contain ANY-level information, use this command:

    grep -q ANY /var/log/kaspersky/epagent/lena*; if [[ $? == 0 ]]; then echo "ANY logs"; else echo "Not ANY :("; fi
  6. Additionally, you can check over which time span ANY traces were gathered (distinct seconds seen in the trace timestamps):

    grep -h ANY /var/log/kaspersky/epagent/lena* | awk '{print $1}' | cut -d '.' -f 1 | uniq
  7. Finally, you can check whether enough ANY traces were gathered for analysis and preview which processes are producing excess load (the last grep keeps only executables with a three-digit or larger auditd event count):

    grep -ha "from auditd" /var/log/kaspersky/epagent/lena* | grep -oE "\"exe\"\:\[\"[^\"]+\"" | sort | uniq -c | sort -nr | sed -e 's/$/\]/' | grep -E "[0-9]{3,}\s+\""
  8. Collect the produced logs and system information in one go using collect.sh script
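The checks from steps 2 and 5 to 7 wrapped into reusable shell functions and run against constructed sample files. This is an added example, not Kaspersky's code; the trace line layout (timestamp first, then level, then the auditd JSON) and the sample file names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of Kaspersky Endpoint Agent. Trace line layout and
# the sample file names below are assumptions; the sample data is constructed.

# Return 0 if service.conf sets LENA_TRACE_LEVEL to exactly "any" or "none".
# The value is case-sensitive, so "ANY", "None" or a missing key return 1.
check_trace_level() {
  local conf="$1" value
  value=$(sed -n 's/^LENA_TRACE_LEVEL=//p' "$conf" | tail -n 1)
  case "$value" in
    any|none) return 0 ;;
    *)        return 1 ;;
  esac
}

# Print how many distinct seconds the ANY lines in the given trace files span
# (assumes the first field is a timestamp with a fractional-second suffix).
any_seconds_covered() {
  grep -h ANY "$@" | awk '{print $1}' | cut -d '.' -f 1 | uniq | wc -l | tr -d ' '
}

# Print "count exe" pairs for auditd events, most frequent first
# (the article's one-liner without the three-digit threshold filter).
top_auditd_exes() {
  grep -ha "from auditd" "$@" | grep -oE '"exe":\["[^"]+"' \
    | sort | uniq -c | sort -nr | sed 's/^ *//'
}

# Create a directory of constructed sample files and print its path.
make_sample_dir() {
  local dir
  dir=$(mktemp -d)
  printf 'LENA_TRACE_LEVEL=ANY\n' > "$dir/bad.conf"                 # wrong case
  printf 'LENA_TRACE_LEVEL=any\nLENA_DUMPS=yes\n' > "$dir/good.conf"
  cat > "$dir/lena.log" <<'EOF'
12:00:01.100 ANY event from auditd {"exe":["/usr/bin/foo"]}
12:00:01.200 ANY event from auditd {"exe":["/usr/bin/foo"]}
12:00:02.300 ANY event from auditd {"exe":["/usr/bin/bar"]}
12:00:03.000 DEBUG event from kesl {"exe":["/usr/bin/baz"]}
EOF
  echo "$dir"
}

# Stand-alone run against the sample data.
d=$(make_sample_dir)
check_trace_level "$d/good.conf" && echo "good.conf: valid trace level"
check_trace_level "$d/bad.conf"  || echo "bad.conf: invalid trace level (check case)"
echo "ANY traces cover $(any_seconds_covered "$d/lena.log") second(s)"
top_auditd_exes "$d/lena.log"
rm -rf "$d"
```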

How to: enable LENA debug traces

Debug traces take less space and are suitable for troubleshooting issues not related to performance or 3rd-party compatibility.

  1. Enable debug traces:

    /opt/kaspersky/epagent/sbin/lenactl --traces --on

    This method is not suitable for ANY traces: it overrides a previously set ANY trace level with the DEBUG value.

  2. Wait for a while until the problematic behavior is reproduced;
  3. Disable traces:

    /opt/kaspersky/epagent/sbin/lenactl --traces --off
  4. Collect the produced logs and system information in one go using collect.sh script

How to: enable LENA log rotation

  1. To add log rotation, add the following lines to /etc/opt/kaspersky/epagent/service.conf:

    /etc/opt/kaspersky/epagent/service.conf
    LENA_ROTATION_COUNT=10         <--  set max number of log files
    LENA_ROTATION_FILE_SIZE=100m    <--  set the size of each file
  2. To apply changes, restart the epagent service:

    systemctl restart epagent
