Jump to content

Recommended Posts

Antipova Anna
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This article applies to Endpoint Agent for Linux. To collect LENA debug or ANY traces, please follow this guide.

Default traces location is '/var/log/kaspersky/epagent/'.

Default dumps location is '/tmp/agentdumps'

Public collect.sh script was updated to collect LENA-related information and gather these folder as well.

How to: enable LENA ANY traces

For KATA-EDR (on-premises) customers to tune LENA performance by exclusions, ANY level logs are required. To enable ANY logging:

  1. Become root

    sudo su -
  2. Use one-liner to enable ANY tracing level: 

    sed -i 's/LENA_TRACE_LEVEL=none/LENA_TRACE_LEVEL=any/g' /etc/opt/kaspersky/epagent/service.conf && systemctl restart epagent
    1. Modify the config file /etc/opt/kaspersky/epagent/service.conf

      /etc/opt/kaspersky/epagent/service.conf
      KESL_FIFO_PATH=/run/log/kesl-messages
      AUDIT_FIFO_PATH=/run/log/audit-messages
      LENA_TRACE_LEVEL=none <-- set any here instead of none
      LENA_DUMPS=yes
    2. Save the modided value.

      Careful, CaSe sensitive values!

      LENA_TRACE_LEVEL=any  ← correct

      LENA_TRACE_LEVEL=none  ← correct

      LENA_TRACE_LEVEL=ANY ← wrong

      LENA_TRACE_LEVEL=None   ← wrong

    3. To apply changes, restart epagent service

      systemctl restart epagent
  3. Wait until the problematic behavior is reproduced;
  4. Stop traces

    /opt/kaspersky/epagent/sbin/lenactl --traces --off
  5. Double-check that produced traces indeed contain ANY-level information use this command:

    grep -q ANY /var/log/kaspersky/epagent/lena*; if [[ $? == 0 ]]; then echo "ANY logs"; else echo "Not ANY :("; fi
  6. As an addition you can check for how long ANY traces were gathered like 

    grep -h ANY /var/log/kaspersky/epagent/lena* | awk '{print $1}' | cut -d '.' -f 1 | uniq
  7. And as final accord you can check whether you gathered enough ANY traces to be analyzed and sneak-peek what processes are producing excess load

    grep -ha "from auditd" /var/log/kaspersky/epagent/lena* | grep -oE "\"exe\"\:\[\"[^\"]+\"" | sort | uniq -c | sort -nr | sed -e 's/$/\]/' | grep -E "[0-9]{3,}\s+\""
  8. Collect the produced logs and system information in one go using collect.sh script

How to: enable LENA debug traces

Debug traces take less space and are suitable for troubleshooting issues not-related to Performance or 3rd party compatibility.

  1. Enable debug traces:

    /opt/kaspersky/epagent/sbin/lenactl --traces --on

    This method is not suitable for ANY traces and will override ANY traces level set previously by DEBUG value

  2. Wait for a while until the problematic behavior is reproduced;
  3. Disable traces:

    /opt/kaspersky/epagent/sbin/lenactl --traces --off
  4. Collect the produced logs and system information in one go using collect.sh script

How to: enable LENA log rotation

  1. To add log rotation, add to /etc/opt/kaspersky/epagent/service.conf following strings:

    /etc/opt/kaspersky/epagent/service.conf
    LENA_ROTATION_COUNT=10         <--  set max number of log files
    LENA_ROTATION_FILE_SIZE=100m    <--  set the size of each file
  2. To apply changes, restart epagent service

    systemctl restart epagent

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...