Antipova Anna
Posted

Sometimes EDR agents generate more telemetry than anticipated. There is an option to tune telemetry collection via KEA bases, and in order to do so, a telemetry profile, aka "topic dump", is needed in a ready-to-use format.

In order to collect telemetry, do the following:

  1. Please do not run apt-sedr-reset before collecting topic dumps.

  2. Execute the following command and wait until it finishes (it may take a significant amount of time, depending on the telemetry flow):
    KATA 3.7:

    docker exec -it $(sudo docker ps | grep kafka1 | awk '{printf $1}') kafka-console-consumer.sh --bootstrap-server 127.0.0.1:9092 --from-beginning --property print.key=true --property key.separator="~" --max-messages 2000000 --timeout-ms 200000 --topic EndpointEnrichedEventsTopic | head -n -1 | gzip > /tmp/topic-dump.gz

    KATA 4.0/4.1/5.0/5.1:

    docker exec -it $(sudo docker ps | grep kafka\: | awk '{printf $1}') kafka-console-consumer.sh --bootstrap-server 127.0.0.1:9092 --from-beginning --property print.key=true --property key.separator="~" --max-messages 2000000 --timeout-ms 200000 --topic EndpointEnrichedEventsTopic | head -n -1 | gzip > /tmp/topic-dump.gz
  3. Collect /tmp/topic-dump.gz and provide it to Kaspersky Support.
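As an added example, not part of the post above and not Kaspersky's own tooling: a small POSIX shell wrapper for the same three-step procedure, split into functions so the fragile parts can be checked. It assumes the container naming visible in the two commands (a name containing "kafka1" on KATA 3.7, "kafka:" on 4.x/5.x), that the consumer's "Processed a total of N messages" summary goes to stderr when no pty is attached (my understanding of kafka-console-consumer, not stated in the post), and a dump of one record per line with "~" between key and value, as the key.separator option above sets. The dump step itself needs the KATA host; the container selection and the dump check run on constructed input.

```shell
#!/bin/sh
# Added example, not from the original post or the KATA product.
# Assumed: Kafka container name contains "kafka1" (KATA 3.7) or "kafka:" (4.x/5.x);
# dump format is key~value, one record per line.

# Pick exactly one Kafka container ID from `docker ps` text read on stdin.
# Fails when zero or several lines match, instead of silently concatenating
# several IDs the way `awk '{printf $1}'` over multiple lines would.
select_kafka_container() {
    ids=$(grep -E 'kafka1|kafka:' | awk '{print $1}' || true)
    count=$(printf '%s\n' "$ids" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one kafka container, found $count" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# The dump itself: same consumer options as the post, but run with -i only
# (no pty, so records are not rewritten with CR/LF) and with stderr left
# separate, so the consumer's summary text does not end up in the dump
# (assumed: the summary goes to stderr). Needs a KATA host; not run offline.
run_topic_dump() {
    cid=$(sudo docker ps | select_kafka_container) || return 1
    sudo docker exec -i "$cid" kafka-console-consumer.sh \
        --bootstrap-server 127.0.0.1:9092 --from-beginning \
        --property print.key=true --property key.separator="~" \
        --max-messages 2000000 --timeout-ms 200000 \
        --topic EndpointEnrichedEventsTopic \
        | gzip > /tmp/topic-dump.gz
}

# Sanity-check a finished dump before sending it: count records, count lines
# without the "~" separator, and count lines carrying a CR (what a pty leaves
# behind when the consumer is run through `docker exec -t`). A trailing
# "Processed a total of ..." summary line, if present, is ignored.
# Prints "records=N bad_sep=M cr_lines=K"; returns non-zero if anything is off.
check_topic_dump() {
    dump="$1"
    tmp=$(mktemp)
    gzip -dc "$dump" | grep -v '^Processed a total of ' > "$tmp" || true
    records=$(grep -c . "$tmp" || true)
    bad_sep=$(grep -vc '~' "$tmp" || true)
    cr_lines=$(grep -c "$(printf '\r')" "$tmp" || true)
    rm -f "$tmp"
    echo "records=$records bad_sep=$bad_sep cr_lines=$cr_lines"
    [ "$records" -gt 0 ] && [ "$bad_sep" -eq 0 ] && [ "$cr_lines" -eq 0 ]
}

# Typical use on the KATA host (not executed offline):
#   run_topic_dump && check_topic_dump /tmp/topic-dump.gz
```

If check_topic_dump reports cr_lines greater than zero, the dump was produced through a pty; it is still readable, but re-running the consumer with -i only gives Support a dump with clean line endings.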
