How to analyze KATA collect script output [KATA/KEDRE]


Collect script output is a must for most KATA-related issues and questions.

Each item below lists which information you need, which file of the collect script output contains it, how to find and interpret it, and an example.
KATA version and role: CN/PCN/SCN/Sensor
File: /config/apt-va
How to find/interpret: The file contains the version and role in human-readable form. The 'migrate' line also shows whether the node was upgraded from a previous KATA version.
Example:

Primary CN
[product]
name=kata-cn
title=Kaspersky Anti Targeted Attack Platform
version=3.5.0-1269
release=release
master = yes
sensor = yes
timestamp = 1568700994
migrate =
cn_role = pcn

Standalone CN
[product]
name=kata-cn
title=Kaspersky Anti Targeted Attack Platform
version=3.6.1-713
release=release
master = yes
sensor = yes
timestamp =1572445307.01
migrate =
cn_role = cn

Sensor node
[product]
name=kata-cn
title=Kaspersky Anti Targeted Attack Platform
version=3.6.1-713
release=release
master = no
sensor = yes
timestamp =1583845362.98
migrate =
cn_role =
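
The role rules above can be encoded as a small script. This is an added example, not part of the original post and not a Kaspersky tool: it parses the [product] section with Python's configparser and maps master/sensor/cn_role to the three roles the post shows (an SCN is listed in the heading but not shown, so it is reported as unknown rather than guessed). The samples are shortened copies of the post's examples; the 'migrate' value in the upgraded sample is a placeholder.

```python
"""Classify a KATA node from /config/apt-va (collect script output).

Added example, not part of the original post or of any Kaspersky tool.
Encodes the three cases shown above: primary CN, standalone CN, sensor.
Anything else (for example an SCN, which the post lists but does not
show) is reported as unknown rather than guessed.
"""
import configparser

# Constructed samples, shortened from the post's examples.
SAMPLE_PCN = """[product]
name=kata-cn
version=3.5.0-1269
master = yes
sensor = yes
migrate =
cn_role = pcn
"""

SAMPLE_CN = """[product]
name=kata-cn
version=3.6.1-713
master = yes
sensor = yes
migrate =
cn_role = cn
"""

SAMPLE_SENSOR = """[product]
name=kata-cn
version=3.6.1-713
master = no
sensor = yes
migrate =
cn_role =
"""

# Constructed: same sensor, but with a non-empty 'migrate' line to show
# how an upgraded node is flagged (the value itself is a placeholder).
SAMPLE_UPGRADED = SAMPLE_SENSOR.replace("migrate =", "migrate = <previous-version-placeholder>")


def parse_apt_va(text):
    """Return the [product] section as a dict of stripped strings."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    return {key: value.strip() for key, value in parser["product"].items()}


def classify_node(product):
    """Map master/sensor/cn_role to the role names used in the post."""
    master = product.get("master", "").lower() == "yes"
    sensor = product.get("sensor", "").lower() == "yes"
    cn_role = product.get("cn_role", "").lower()
    if master and cn_role == "pcn":
        return "Primary CN (PCN)"
    if master and cn_role == "cn":
        return "Standalone CN"
    if not master and sensor:
        return "Sensor node"
    return "unknown (master=%s, sensor=%s, cn_role=%r)" % (master, sensor, cn_role)


def summarize_apt_va(text):
    """Version, role and whether the node was upgraded from an older KATA."""
    product = parse_apt_va(text)
    return {
        "version": product.get("version", ""),
        "role": classify_node(product),
        "upgraded": bool(product.get("migrate", "")),
    }


if __name__ == "__main__":
    for label, sample in (("pcn", SAMPLE_PCN), ("cn", SAMPLE_CN),
                          ("sensor", SAMPLE_SENSOR), ("upgraded", SAMPLE_UPGRADED)):
        print(label, summarize_apt_va(sample))
```

Run it against the real /config/apt-va by reading the file into a string and passing it to summarize_apt_va().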
Virtual or hardware?
File: /environment/dmesg.txt OR /var/log/messages OR /var/log/boot.log
How to find/interpret: Search for "DMI" entries in the file.
Example:

Physical server
[ 0.000000] DMI: HPE ProLiant DL560 Gen10/ProLiant DL560 Gen10, BIOS U34 06/20/2018

Virtual server
[ 0.000000] DMI: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016
CPU
File: /environment/cpuinfo.txt
How to find/interpret: Scroll to the bottom of the file. Each "processor" entry is not a physical core but a logical thread, so an 8-core CPU with hyper-threading shows 16 CPUs in the file. Keep in mind that CPUs are numbered from 0, so for a 16-thread CPU the last entry is number 15.
Example:
processor : 15
vendor_id : GenuineIntel
cpu family : 6
model : 79
model name : Intel(R) Xeon(R) Platinum 8158 CPU @ 3.00GHz
stepping : 0
microcode : 0x2000050
cpu MHz : 2992.968
cache size : 25344 KB
physical id : 0
siblings : 16
core id : 15
cpu cores : 16
apicid : 15
initial apicid : 15
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ibrs ibpb stibp fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 invpcid rtm rdseed adx smap xsaveopt arat spec_ctrl intel_stibp arch_capabilities
bogomips : 5985.93
clflush size : 64
cache_alignment : 64
address sizes : 43 bits physical, 48 bits virtual
power management:
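
The two checks above (virtual or hardware, and how many CPUs) can be automated over dmesg.txt and cpuinfo.txt. This is an added example, not from the original post: it counts logical CPUs the way the post describes (one "processor" entry per thread), derives physical cores from distinct (physical id, core id) pairs, and reports whether the kernel sees a hypervisor, both from the 'hypervisor' CPU flag (visible in the post's sample above) and from the DMI line. The sample inputs are constructed, and the list of vendor substrings that mark a DMI string as virtual is a heuristic assumption.

```python
"""Summarize /environment/cpuinfo.txt and the DMI line from dmesg.txt.

Added example, not from the original post. It counts logical CPUs the
way the post describes (one 'processor' entry per hardware thread),
derives physical cores from distinct (physical id, core id) pairs, and
reports whether the kernel runs under a hypervisor: the 'hypervisor'
CPU flag plus the DMI vendor/product string. Sample inputs are
constructed; the virtual-vendor substrings are a heuristic assumption.
"""
import re


def _cpuinfo_entry(index, core_id):
    # Constructed: 2 physical cores x 2 threads on one socket, inside a VM.
    return (
        f"processor\t: {index}\n"
        "vendor_id\t: GenuineIntel\n"
        "model name\t: Intel(R) Xeon(R) CPU (constructed sample)\n"
        "physical id\t: 0\n"
        "siblings\t: 4\n"
        f"core id\t\t: {core_id}\n"
        "cpu cores\t: 2\n"
        "flags\t\t: fpu vme de pse tsc msr ht syscall nx lm hypervisor avx2\n"
        "\n"
    )


SAMPLE_CPUINFO = "".join(_cpuinfo_entry(i, i // 2) for i in range(4))

SAMPLE_DMESG_VM = (
    "[    0.000000] Linux version 3.10.0 (constructed)\n"
    "[    0.000000] DMI: VMware, Inc. VMware Virtual Platform/440BX Desktop "
    "Reference Platform, BIOS 6.00 04/05/2016\n"
)
SAMPLE_DMESG_HW = (
    "[    0.000000] DMI: HPE ProLiant DL560 Gen10/ProLiant DL560 Gen10, "
    "BIOS U34 06/20/2018\n"
)

# Heuristic substrings (assumption) that mark a DMI string as a VM.
VIRTUAL_HINTS = ("vmware", "virtual", "kvm", "qemu", "xen", "innotek", "bochs")


def parse_cpuinfo(text):
    """Split cpuinfo into one dict per 'processor' block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            match = re.match(r"^([^:]+?)\s*:\s*(.*)$", line)
            if match:
                fields[match.group(1).strip()] = match.group(2).strip()
        if "processor" in fields:
            entries.append(fields)
    return entries


def cpu_summary(text):
    """Logical CPUs vs physical cores, plus the hypervisor flag."""
    entries = parse_cpuinfo(text)
    cores = {(e.get("physical id"), e.get("core id")) for e in entries}
    sockets = {e.get("physical id") for e in entries}
    return {
        "logical_cpus": len(entries),
        "last_processor_index": max((int(e["processor"]) for e in entries), default=-1),
        "physical_cores": len(cores),
        "sockets": len(sockets),
        "hypervisor_flag": any("hypervisor" in e.get("flags", "").split() for e in entries),
        "model": entries[0].get("model name", "") if entries else "",
    }


def dmi_platform(dmesg_text):
    """Return ('virtual'|'physical'|'unknown', DMI description)."""
    for line in dmesg_text.splitlines():
        match = re.search(r"DMI:\s*(.*)$", line)
        if match:
            desc = match.group(1).strip()
            kind = "virtual" if any(h in desc.lower() for h in VIRTUAL_HINTS) else "physical"
            return kind, desc
    return "unknown", ""


if __name__ == "__main__":
    print(cpu_summary(SAMPLE_CPUINFO))
    print(dmi_platform(SAMPLE_DMESG_VM))
    print(dmi_platform(SAMPLE_DMESG_HW))
```

Note that last_processor_index is always logical_cpus minus one, which is exactly the "counted from 0" point the post makes; the physical_cores figure is what to compare against sizing requirements when hyper-threading is on.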
RAM
File: /environment/memory.txt
How to find/interpret: The file shows free command output. Values are in megabytes; pay attention to the 'total' and 'available' columns. NB! Ignore the 'free' column: despite its name, it does not show the RAM actually available to applications; the 'available' column does.
Example:
total used free shared buff/cache available
Mem: 197308 63869 3634 6738 129804 125558
Swap: 0 0 0

HDD
File: /environment/hdd.txt
How to find/interpret: Pay attention to the partitions /dev/sda* and /dev/sdb*. If a /dev/sdb* partition is present, you are dealing with a two-disk installation; otherwise it is a one-disk installation.
NB! Always check the HDD partition sizes and available free space! KATA needs a LOT of disk space to work correctly.
The most important partitions are:
/dev/sda4 1.2T 894G 224G 80% /data ← used for processing queues and quarantine, the main partition for KATA
/dev/sdb1 2.7T 1.4T 1.3T 52% /data/var/lib/kaspersky/storage ← used for EDR data (telemetry from Endpoint Sensors)
Example:
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3       367G   14G  335G   4% /
devtmpfs        126G     0  126G   0% /dev
tmpfs           126G  252K  126G   1% /dev/shm
tmpfs           126G  4.1G  122G   4% /run
tmpfs           126G     0  126G   0% /sys/fs/cgroup
/dev/sda2       232M   32M  189M  15% /boot
/dev/sda1       237M  5.5M  232M   3% /boot/efi
/dev/sda4       1.5T  435G  955G  32% /data
/dev/sdb1       2.7T  1.4T  1.3T  52% /data/var/lib/kaspersky/storage
tmpfs            26G     0   26G   0% /run/user/998
tmpfs            26G     0   26G   0% /run/user/1002
tmpfs            26G     0   26G   0% /run/user/1001
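
The RAM and HDD checks above are the ones most often needed in a hurry, so here is an added example (not part of the original post) that reads both files: it takes 'available' rather than 'free' from memory.txt, detects the one-disk vs two-disk layout from the presence of /dev/sdb*, and flags real disk partitions above a usage threshold. The 80% threshold is an assumption for illustration; the sample inputs are constructed from the post's figures.

```python
"""Resource triage over /environment/memory.txt (free -m style output)
and /environment/hdd.txt (df -h style output).

Added example, not part of the original post. It reads 'available'
rather than 'free' for RAM, detects the one-disk vs two-disk layout by
the presence of /dev/sdb*, and flags real disk partitions above a usage
threshold. The threshold is an assumption for illustration; samples are
constructed from the post's figures.
"""
import re

SAMPLE_MEMORY = """\
              total        used        free      shared  buff/cache   available
Mem:         197308       63869        3634        6738      129804      125558
Swap:             0           0           0
"""

SAMPLE_HDD = """\
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3       367G   14G  335G   4% /
tmpfs           126G  4.1G  122G   4% /run
/dev/sda2       232M   32M  189M  15% /boot
/dev/sda4       1.2T  894G  224G  80% /data
/dev/sdb1       2.7T  1.4T  1.3T  52% /data/var/lib/kaspersky/storage
"""

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4, "P": 1024 ** 5}


def to_bytes(human):
    """'224G' -> bytes, using the binary units df -h prints."""
    match = re.fullmatch(r"([0-9.]+)([KMGTP]?)", human.upper())
    if not match:
        raise ValueError("unrecognised size: %r" % human)
    return int(float(match.group(1)) * _UNITS[match.group(2)])


def parse_free(text):
    """Map 'Mem'/'Swap' to {column: value}; values are MB as in the post."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = {}
    for line in lines[1:]:
        parts = line.split()
        rows[parts[0].rstrip(":")] = dict(zip(header, (int(v) for v in parts[1:])))
    return rows


def memory_status(text):
    """Total and available RAM, and available as a percentage of total."""
    mem = parse_free(text)["Mem"]
    return {
        "total_mb": mem["total"],
        "available_mb": mem["available"],
        "available_pct": round(100.0 * mem["available"] / mem["total"], 1),
    }


def parse_df(text):
    """One dict per df line; the mount point may contain spaces."""
    partitions = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        fs, size, used, avail, use_pct, mount = fields
        partitions.append({
            "fs": fs, "mount": mount,
            "size_bytes": to_bytes(size), "avail_bytes": to_bytes(avail),
            "use_pct": int(use_pct.rstrip("%")),
        })
    return partitions


def disk_findings(text, warn_pct=80):
    """Layout (one- or two-disk), over-threshold partitions, free space on /data."""
    real = [p for p in parse_df(text) if p["fs"].startswith("/dev/sd")]
    layout = "two-disk" if any(p["fs"].startswith("/dev/sdb") for p in real) else "one-disk"
    warnings = ["%s (%s) is %d%% full" % (p["mount"], p["fs"], p["use_pct"])
                for p in real if p["use_pct"] >= warn_pct]
    data = next((p for p in real if p["mount"] == "/data"), None)
    return {
        "layout": layout,
        "warnings": warnings,
        "data_avail_bytes": data["avail_bytes"] if data else None,
    }


if __name__ == "__main__":
    print(memory_status(SAMPLE_MEMORY))
    print(disk_findings(SAMPLE_HDD))
```

Only /dev/sd* partitions are considered, so the large tmpfs and devtmpfs mounts in hdd.txt never trigger a warning.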
DNS name
File: /environment/hostname.txt
How to find/interpret: The file contains exactly the hostname of the machine.
Example:
kata-cn
IP address
File: /environment/ipa.txt and /environment/ifconfig.txt
How to find/interpret: Both files contain information about network interfaces and assigned IP addresses. The ifconfig command is considered obsolete by the community, but it is still useful here: it helps to recognize SPAN interfaces. SPAN interfaces usually have no IP address assigned but carry a lot of traffic, and they are always in promiscuous mode: <UP,BROADCAST,RUNNING,PROMISC,MULTICAST>

Example (ipa.txt):
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9f:0e:77 brd ff:ff:ff:ff:ff:ff
inet 10.200.178.85/23 brd 10.200.179.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe9f:e77/64 scope link
valid_lft forever preferred_lft forever
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9f:db:4d brd ff:ff:ff:ff:ff:ff
inet6 fe80::250:56ff:fe9f:db4d/64 scope link
valid_lft forever preferred_lft forever

Example (ifconfig.txt):
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.200.178.85 netmask 255.255.254.0 broadcast 10.200.179.255
inet6 fe80::250:56ff:fe9f:e77 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:9f:0e:77 txqueuelen 1000 (Ethernet)
RX packets 604911116 bytes 747444631331 (696.1 GiB)
RX errors 0 dropped 26 overruns 0 frame 0
TX packets 368814032 bytes 353073760300 (328.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::250:56ff:fe9f:db4d prefixlen 64 scopeid 0x20<link>
ether 00:50:56:9f:db:4d txqueuelen 1000 (Ethernet)
RX packets 437 bytes 135823 (132.6 KiB)
RX errors 0 dropped 1125 overruns 0 frame 0
TX packets 8 bytes 656 (656.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 19418334689 bytes 12053991732736 (10.9 TiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19418334689 bytes 12053991732736 (10.9 TiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

SPAN interface:
eno2: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet6 fe80::42f2:e9ff:fecc:4343 prefixlen 64 scopeid 0x20<link>
ether 40:f2:e9:cc:43:43 txqueuelen 1000 (Ethernet)
RX packets 122540697216 bytes 104768065608116 (95.2 TiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7 bytes 586 (586.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xbd5a0000-bd5bffff
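
The three signs of a SPAN interface given above (PROMISC flag, no IPv4 address, almost all traffic inbound) can be applied mechanically to ifconfig.txt. This is an added example, not part of the original post: it parses the ifconfig blocks and labels each interface. The "almost all inbound" ratio is an assumption for illustration; the sample is built from the post's own interfaces, shortened.

```python
"""Spot SPAN (mirror) interfaces in /environment/ifconfig.txt.

Added example, not part of the original post. It applies the post's
three signs: promiscuous mode (PROMISC flag), no IPv4 address, and
almost all traffic inbound. The inbound ratio is an assumption for
illustration. The sample is constructed from the post's interfaces.
"""
import re

SAMPLE_IFCONFIG = """\
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.200.178.85  netmask 255.255.254.0  broadcast 10.200.179.255
        RX packets 604911116  bytes 747444631331 (696.1 GiB)
        TX packets 368814032  bytes 353073760300 (328.8 GiB)

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::250:56ff:fe9f:db4d  prefixlen 64  scopeid 0x20<link>
        RX packets 437  bytes 135823 (132.6 KiB)
        TX packets 8  bytes 656 (656.0 B)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        RX packets 19418334689  bytes 12053991732736 (10.9 TiB)
        TX packets 19418334689  bytes 12053991732736 (10.9 TiB)

eno2: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::42f2:e9ff:fecc:4343  prefixlen 64  scopeid 0x20<link>
        RX packets 122540697216  bytes 104768065608116 (95.2 TiB)
        TX packets 7  bytes 586 (586.0 B)
"""


def parse_ifconfig(text):
    """One dict per interface: name, flag set, IPv4 address, RX/TX packets."""
    interfaces = []
    current = None
    for raw in text.splitlines():
        head = re.match(r"^(\S+): flags=\d+<([^>]*)>", raw)
        if head:
            current = {"name": head.group(1), "flags": set(head.group(2).split(",")),
                       "inet": None, "rx_packets": 0, "tx_packets": 0}
            interfaces.append(current)
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("inet "):          # 'inet6 ' lines are deliberately skipped
            current["inet"] = line.split()[1]
        counter = re.match(r"^(RX|TX) packets (\d+)", line)
        if counter:
            current[counter.group(1).lower() + "_packets"] = int(counter.group(2))
    return interfaces


def classify_interface(iface, inbound_ratio=100):
    """Label an interface using the signs listed in the post."""
    if "LOOPBACK" in iface["flags"]:
        return "loopback"
    promisc = "PROMISC" in iface["flags"]
    rx, tx = iface["rx_packets"], iface["tx_packets"]
    # Assumption: a mirror port receives at least inbound_ratio x what it sends.
    mostly_inbound = rx > 0 and rx >= tx * inbound_ratio
    if promisc and iface["inet"] is None and mostly_inbound:
        return "SPAN (likely)"
    if promisc:
        return "promiscuous, but has an address or sends traffic: check"
    if iface["inet"] is None:
        return "no IPv4 address: unused or unconfigured (check counters)"
    return "management/data"


def span_interfaces(text):
    """Names of interfaces classified as SPAN."""
    return [i["name"] for i in parse_ifconfig(text)
            if classify_interface(i) == "SPAN (likely)"]


if __name__ == "__main__":
    for iface in parse_ifconfig(SAMPLE_IFCONFIG):
        print(iface["name"], "->", classify_interface(iface))
```

Compare the result with the network_interfaces line of the [traffic] section in preprocessor.conf: an interface listed there that is not in promiscuous mode, or that shows almost no RX packets, is worth a closer look.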
Sandbox server information
File: /config/apt-agents-id
How to find/interpret: The bottom part of the file lists the connected sandbox nodes: IP addresses, certificate fingerprints and state. Note that a sandbox may be connected but disabled; the 'enable' line shows which.
Example:
[sandbox_node.sandbox1]
host = 172.16.0.151
enable = yes
fingerprint = C0:15:18:C8:11:46:11:BC:23:50:16:95:10:2D:FF:FA:4E:06:21:90:20:AA:CC:36:53:27:B8:BF:CF:5A:1A:9C
Enabled integrations (SPAN, ICAP, etc.)
File: /config/preprocessor.conf
How to find/interpret: Preprocessor is the component responsible for the main KATA integrations: SPAN, SMTP, ICAP, POP3. Look for the corresponding section in preprocessor.conf:
SPAN: [traffic]
SMTP: [smtp_proxy]
ICAP: [icap]
POP3: [pop3]
Each section has a line defining whether the integration is enabled:
enable=yes/no
Other integrations such as KSMG/KLMS/API cannot easily be checked from the collect script output.
Example (only SPAN is enabled):
[app]
use_syslog=no
trace_level=ERR
cache_socket=localhost:6379
collector_url=http://centralnode:8081/apt/collector
license_remote=no
 
#this section applicable for sections: pop3, smtp_proxy and for traffic section but only for smtp preprocessor
[mail]
extract_urls=yes
#file extensions of attachments which format recognizer is not used for
file_extensions=dll,exe,com,java,js,jse,wsf,wsh,vbs,vbe,msi,deb,rpm,apk,zip,7z,rar,iso,cab,jar,bz2,gz,tgz,ace,arj,dmg,xsr,rtf,pdf,msg,eml,vsd,vdx,xps,xsn,odt,ods,odp,sxw,doc,dot,docx,docb,dotx,docm,dotm,xls,xlt,xlm,xla,xll,xlw,xlsx,xltx,xlsm,xltm,xlam,xlsb,ppt,pot,pps,ppam,sldx,sldm,thmx,pptx,potx,pptm,potm,ppsx,ppsm,pub,html,htm,hta,swf,jpg,jpeg,gif,png,tiff,chm,mht,cpl,ocx,pif,scr,bat,cmd,ps1,lnk,reg,msu,msp,z
 
[traffic]
enable=yes
network_interfaces=ens6f0,ens6f1,ens5f1,ens5f0,ens5f3,ens5f2,eno1,ens3f1,ens3f0
pcap_snaplen=1600
pcap_cores=
pcap_filter=
checksum_validation=no
buffer_size_limit=4096
tcp_threads_number=16
enable_dns=yes
enable_http=yes
enable_ftp=yes
enable_ssl=yes
enable_smtp=yes
ftp_data_expired_timeout_in_seconds=60
ftp_data_supposed_max_size_in_bytes=10485760
 
[ksn]
enable=yes
#possible values of type are KSN or KPSN
type=KSN
timeout=500
non_dl_formats=GeneralHtml,GeneralTxt,ExecutableJs,ImageGif,ImageJpeg,ImagePng,ArchiveCab
ksn_adapter_interfaces=
# Change cache entries only you know what are doing.
# 0 - disables cache
cache_entries=3600100
request_threads=4
 
[snmp]
enable=yes
master_agent_address=tcp:localhost:705
ping_interval_in_seconds=15
 
[icap]
enable=no
listen_interfaces=ens3f3:1344,ens3f2:1344,eno2:1344
allow204=yes
max_connections=5000
respmod_url=av/respmod
header_client_ip=X-Client-IP
header_client_port=X-Client-Port
extract_user=no
header_username=X-Authenticated-User
base64_decode_username=yes
 
[filter]
file_size_limit=100000000
dns_lookup_enable=yes
dns_timeout=500
html_filter=/var/opt/kaspersky/apt/update/bases/htmlre.txt
 
[snort]
enable=yes
alerts_socket=/var/log/kaspersky/snort/snort_alert
 
[pop3]
enable=no
server=
port=
user=
password=
cipher_list=ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:!DSS:!KRB5:!PSK:!RC4:!SRP:!CAMELLIA:!IDEA:!SEED:!3DES:@STRENGTH:!kDH:!kECDH
encrypted=yes
check_interval_in_seconds=2
accept_any_certificates=no
accept_untrusted_self_signed_certificate=yes
process_msgs_per_session=3000
request_timeout_in_seconds=60
 
[smtp_proxy]
enable=no
max_threads=20
socket_in=inet:10025@127.0.0.1
#RFC 1123 suggests 10 min
timeout_in_seconds=600
 
[stat_engine]
enable=yes
db=kafka:centralnode:9092?topic=network
oltp_bulk_size=1000
subnets=
taa_skip_header_proxy_auth=status-code: 407
oltp_raw_data_limit=0
 
[proxy]
enable=no
bypass_local_addresses=yes
host=
port=
user=
password=
Connected Endpoint Sensors
File: /config/aapt_info
How to find/interpret: You can find the beginning of the Endpoint Sensors list by searching for 'Agent Status'. To find the number of connected sensors you need to count the lines, but this is not easy to automate, as the lines have no obvious unique grep-able attribute. However, grepping for 'Microsoft Windows' gives enough precision (it yields a few extra matches from the last-detections info).
Example (entry for one agent):
ae5290b1-c490-404b-beec-ee553d5d64ee | DXB00079395.*.corp    | 2019-09-24 08:41:51.579011 | 10.56.14.170   | 3.5.435.0     | 2019-09-23 03:21:26.883616 | 2019-09-24 03:15:28.642816 | t            | Microsoft Windows 10   |                            |                                                                                                                                                                                                                                                                                                                 | 2346c7a2-a395-4dc4-bc5c-ea99fa488386 |                6 | 568b01b8-4497-decf-7f8c-671bbf8ad8cc
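
To show why the 'Microsoft Windows' count is approximate, here is an added example (not part of the original post) that runs that grep-style count next to a stricter one: rows of the 'Agent Status' table whose first pipe-separated column is a UUID. The sample file layout, including a 'Last detections' heading, the hostnames, UUIDs and detection name, is constructed, and the assumption that the agent table ends at the first non-UUID line is labelled in the code; the real file may differ.

```python
"""Count connected Endpoint Sensors in /config/aapt_info.

Added example, not part of the original post. It implements the post's
heuristic (count lines containing 'Microsoft Windows') next to a stricter
one (count rows of the 'Agent Status' table whose first column is a UUID)
and shows why the first overcounts: rows from the last-detections part
of the file also mention the OS. The sample layout, including a
'Last detections' heading, is constructed; the real file may differ.
"""
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

# Constructed sample: hostnames, UUIDs, addresses and detection are placeholders.
SAMPLE_AAPT_INFO = """\
Agent Status
 id | hostname | last_seen | ip | version | os
 11111111-1111-4111-8111-111111111111 | HOST1.corp | 2019-09-24 08:41:51 | 10.0.0.11 | 3.5.435.0 | Microsoft Windows 10 |
 22222222-2222-4222-8222-222222222222 | HOST2.corp | 2019-09-24 08:40:03 | 10.0.0.12 | 3.5.435.0 | Microsoft Windows Server 2016 |
 33333333-3333-4333-8333-333333333333 | HOST3.corp | 2019-09-24 08:39:57 | 10.0.0.13 | 3.5.435.0 | Microsoft Windows 7 |
(3 rows)

Last detections
 11111111-1111-4111-8111-111111111111 | HOST1.corp | Microsoft Windows 10 | 2019-09-24 07:12:00 | Test-Detection (constructed) |
(1 row)
"""


def count_windows_lines(text):
    """The post's heuristic: every line mentioning 'Microsoft Windows'."""
    return sum(1 for line in text.splitlines() if "Microsoft Windows" in line)


def agent_status_rows(text):
    """Rows of the 'Agent Status' table whose first column is a UUID.

    Assumption: the table follows the 'Agent Status' heading and ends at
    the first line that is neither a UUID row nor the column header.
    """
    rows = []
    in_table = False
    started = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Agent Status"):
            in_table = True
            continue
        if not in_table:
            continue
        columns = [c.strip() for c in stripped.split("|")]
        if columns and UUID_RE.match(columns[0]):
            rows.append(columns)
            started = True
        elif started:
            break
    return rows


def count_agents(text):
    """Number of Endpoint Sensor rows in the 'Agent Status' table."""
    return len(agent_status_rows(text))


if __name__ == "__main__":
    print("grep-style count:", count_windows_lines(SAMPLE_AAPT_INFO))
    print("UUID-row count:  ", count_agents(SAMPLE_AAPT_INFO))
```

On this sample the grep-style count is one higher than the number of agents because the detection row repeats the OS name, which is the overcount the post warns about.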
KSN/KPSN connection
File: /config/preprocessor.conf
How to find/interpret: From the collect script output you can only determine whether KATA is set up to receive verdicts from the cloud, and which sort of cloud it is: global KSN or private KPSN. Look for the [ksn] section in preprocessor.conf; it is pretty self-explanatory. Keep in mind that you have a tool which allows you to
Example:
[ksn]
enable=yes
#possible values of type are KSN or KPSN
type=KSN
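
The three config checks above (enabled integrations, KSN/KPSN mode, and the sandbox nodes in apt-agents-id) all read the same key=value format, so one added script serves them. It is not part of the original post and not a Kaspersky tool: the section names and the 'enable'/'type' keys are those named in the post, the samples are shortened copies of the post's examples, and the second sandbox node and both fingerprints are placeholders.

```python
"""Summarize integrations and cloud mode from /config/preprocessor.conf
and sandbox nodes from /config/apt-agents-id.

Added example, not part of the original post or any Kaspersky tool.
Section-to-integration mapping and the 'enable' / 'type' keys are those
named in the post; the samples are constructed, shortened copies of the
post's examples (the second sandbox node and both fingerprints are
placeholders).
"""
import configparser

INTEGRATION_SECTIONS = {"SPAN": "traffic", "SMTP": "smtp_proxy", "ICAP": "icap", "POP3": "pop3"}

SAMPLE_PREPROCESSOR_CONF = """\
[app]
use_syslog=no

#this section applicable for sections: pop3, smtp_proxy and for traffic section but only for smtp preprocessor
[mail]
extract_urls=yes

[traffic]
enable=yes
network_interfaces=ens6f0,ens6f1
pcap_filter=

[ksn]
enable=yes
#possible values of type are KSN or KPSN
type=KSN

[icap]
enable=no
listen_interfaces=ens3f3:1344,ens3f2:1344

[pop3]
enable=no
cipher_list=ALL:!aNULL:!eNULL:!LOW

[smtp_proxy]
enable=no
socket_in=inet:10025@127.0.0.1

[stat_engine]
enable=yes
db=kafka:centralnode:9092?topic=network
taa_skip_header_proxy_auth=status-code: 407
"""

SAMPLE_AGENTS_ID = """\
[sandbox_node.sandbox1]
host = 172.16.0.151
enable = yes
fingerprint = AA:AA:AA:AA (placeholder)

[sandbox_node.sandbox2]
host = 172.16.0.152
enable = no
fingerprint = BB:BB:BB:BB (placeholder)
"""


def load_ini(text):
    """Parse KATA's key=value files; only '=' separates keys from values,
    so values containing ':' (kafka URLs, cipher lists) survive intact."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def _enabled(section):
    return section.get("enable", "no").strip().lower() == "yes"


def integration_status(conf_text):
    """{'SPAN': True, 'SMTP': False, ...} from the sections the post names."""
    parser = load_ini(conf_text)
    return {name: parser.has_section(sect) and _enabled(parser[sect])
            for name, sect in INTEGRATION_SECTIONS.items()}


def cloud_mode(conf_text):
    """'KSN', 'KPSN' or 'disabled' from the [ksn] section."""
    parser = load_ini(conf_text)
    if not parser.has_section("ksn") or not _enabled(parser["ksn"]):
        return "disabled"
    return parser["ksn"].get("type", "").strip().upper() or "unknown"


def sandbox_nodes(agents_text):
    """Connected sandbox nodes with their enabled state and fingerprint."""
    parser = load_ini(agents_text)
    nodes = []
    for sect in parser.sections():
        if not sect.startswith("sandbox_node."):
            continue
        s = parser[sect]
        nodes.append({"name": sect.split(".", 1)[1], "host": s.get("host", "").strip(),
                      "enabled": _enabled(s), "fingerprint": s.get("fingerprint", "").strip()})
    return nodes


if __name__ == "__main__":
    print(integration_status(SAMPLE_PREPROCESSOR_CONF))
    print(cloud_mode(SAMPLE_PREPROCESSOR_CONF))
    for node in sandbox_nodes(SAMPLE_AGENTS_ID):
        print(node)
```

Integrations the post says cannot be checked this way (KSMG/KLMS/API) are deliberately not in INTEGRATION_SECTIONS.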