
How to access apt-history logs on CN without the kata-collect-siem-logs tool [KATA/KEDRE]



Versions

Applicable to versions 5.0 and later: 5.0, 5.1, 6.0, 6.0.1, etc.

You may want to read the log-history logs (formerly apt-history) directly, either for convenience or because the kata-collect-siem-logs tool is malfunctioning for some reason.

These logs are gzip-compressed files, one per rotation, stored as /data/volumes/s3proxy/log-history/YYYY-MM-DD-HH-MM-SS, where YYYY-MM-DD-HH-MM-SS is the rotation timestamp (in the example below, the file named 12-05-14 holds entries written before that time). Because the timestamp is zero-padded and ordered from year down to second, the file names sort chronologically, so a plain glob lists them in order:

basename -a /data/volumes/s3proxy/log-history/2024*
2024-01-01-13-55-03
2024-01-17-12-00-14
2024-01-17-12-05-14

To read them without unpacking, use the gzip-aware tools zless, zgrep and zcat. For example:

zcat /data/volumes/s3proxy/log-history/2024-01-17-12-05-14
2024-01-17 12:00:59.924639 info apt-history: New IDS alert: {id: 63, importance: High, hidden: False, rule_id: 51310592, excluded rule: False, src: 18.156.136.240:80, dest: 10.63.100.252:2198, bases_version: 202401170033}

Bonus: the same tools also read rotated logs of kataservices in /var/log/kaspersky/services/ (zgrep passes uncompressed files through unchanged, so one invocation can cover the current log and its rotations):

zgrep "FileNotFoundError" /var/log/kaspersky/services/web_backend/web_backend.log.1
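The following script is an added example and is not part of the original post or of the KATA product. It turns the manual zcat/zgrep steps above into a small reusable procedure: select the log-history files whose rotation timestamp falls inside a time window, then extract the IDS alerts from them (optionally filtered by importance). The line format, the file naming scheme and the sample alert are taken from the post; the other sample lines, the LOG_DIR variable, the helper function names and the temp-directory setup are assumptions made so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: pull IDS alerts out of the
# gzip-compressed log-history files for a time window, without
# kata-collect-siem-logs. LOG_DIR defaults to a temp dir filled with
# constructed sample files so the script runs offline; on a Central Node set
# LOG_DIR=/data/volumes/s3proxy/log-history and drop the make_sample_logs call.
set -eu

LOG_DIR="${LOG_DIR:-$(mktemp -d)}"

# Constructed sample data in the apt-history line format quoted in the post.
# Addresses other than the one taken from the post are RFC 5737 test ranges.
make_sample_logs() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' \
        '2024-01-01 13:54:10.000000 info apt-history: New IDS alert: {id: 61, importance: Low, hidden: False, rule_id: 51310500, excluded rule: False, src: 192.0.2.10:443, dest: 10.63.100.7:50100, bases_version: 202312310033}' \
        | gzip -c > "$dir/2024-01-01-13-55-03"
    printf '%s\n' \
        '2024-01-17 12:00:59.924639 info apt-history: New IDS alert: {id: 63, importance: High, hidden: False, rule_id: 51310592, excluded rule: False, src: 18.156.136.240:80, dest: 10.63.100.252:2198, bases_version: 202401170033}' \
        '2024-01-17 12:01:02.100000 info apt-history: New IDS alert: {id: 64, importance: Medium, hidden: True, rule_id: 51310600, excluded rule: False, src: 198.51.100.5:8080, dest: 10.63.100.12:44000, bases_version: 202401170033}' \
        '2024-01-17 12:01:05.000000 info apt-history: some other event' \
        | gzip -c > "$dir/2024-01-17-12-05-14"
}

# Print the files whose YYYY-MM-DD-HH-MM-SS name lies in [from, to].
# The zero-padded timestamp compares correctly as a plain string, which is
# what expr does here since the names are not integers.
files_between() {
    dir="$1"; from="$2"; to="$3"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if expr "$name" \< "$from" >/dev/null; then continue; fi
        if expr "$name" \> "$to" >/dev/null; then continue; fi
        printf '%s\n' "$f"
    done
}

# Print "id importance src dest" for every IDS alert in the window.
# gzip -dc is what zcat runs; grep/sed then pick the fields out of the
# {key: value, ...} payload.
ids_alerts_between() {
    files_between "$1" "$2" "$3" | while read -r f; do
        gzip -dc "$f" | grep 'New IDS alert' \
            | sed -E 's/.*[{]id: ([0-9]+), importance: ([A-Za-z]+),.* src: ([^,]+), dest: ([^,]+),.*/\1 \2 \3 \4/'
    done
}

# Same output, restricted to one importance level (e.g. High).
ids_alerts_of_importance() {
    ids_alerts_between "$1" "$2" "$3" | awk -v lvl="$4" '$2 == lvl'
}

make_sample_logs "$LOG_DIR"
# Usage: High-importance alerts from the files rotated on 2024-01-17.
ids_alerts_of_importance "$LOG_DIR" 2024-01-17-00-00-00 2024-01-17-23-59-59 High
```

Because a file is named by its rotation time, the window you pass should end slightly after the period you are interested in, otherwise the file that holds the last entries of that period (rotated a few minutes later) is skipped. The same files_between/zgrep approach works for the rotated service logs under /var/log/kaspersky/services/, with the date range replaced by the rotation suffix.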