Kaspersky CyberTrace

Examples of usage scenarios

27 February 2024

ID 171645

This section contains examples of using Log Scanner in some situations.

Checking several log files

All log files that you pass for scanning must be in UTF-8 encoding. If your log files have different encoding, make sure to convert them to UTF-8.

If you have feeds that are not compiled and a directory containing log files, you can check the log files by performing the following procedure.

To check several log files:

  1. In the Kaspersky CyberTrace Service configuration file kl_feed_service.conf, specify the feeds to be used, normalization rules to process events in the log files, and regular expressions to parse events.
  2. Start Kaspersky CyberTrace Service:

    systemctl start cybertrace.service (in Linux)

    sc start cybertrace (in Windows)

  3. Run the Log Scanner utility and specify the directory that contains log files. For example:

    ./log_scanner -r -p ../logs (in Linux)

    log_scanner.exe -r -p ..\logs (in Windows)

  4. Stop Kaspersky CyberTrace Service by running the following command:

    systemctl stop cybertrace.service (in Linux)

    sc stop cybertrace (in Windows)

After Log Scanner finishes its work, the directory specified by the OutputDir element of the log_scanner.conf configuration file will contain a report about the URLs and hashes detected by Kaspersky CyberTrace Service.

Checking several URLs and hashes

If you have to check several URLs and hashes, perform the following procedure.

To check several URLs and hashes:

  1. Start Kaspersky CyberTrace Service by running the following command:

    systemctl start cybertrace.service (in Linux)

    sc start cybertrace (in Windows)

  2. Run Log Scanner and specify the hashes to be checked. For example:

    ./log_scanner -r -s A72C5B99F2706B00718279C9533A3648 -s 6AA0321FA9D82D652AB53882D7CF9E592B4439B8 (in Linux)

    log_scanner.exe -r -s A72C5B99F2706B00718279C9533A3648 -s 6AA0321FA9D82D652AB53882D7CF9E592B4439B8 (in Windows)

  3. Run Log Scanner and specify the URLs to be checked. For example:

    ./log_scanner -r -u "test.mav.example.com?bad_url=1" -u "test.phishing.example.com/psh/test?p=1&p=2" (in Linux)

    log_scanner.exe -r -u "test.mav.example.com?bad_url=1" -u "test.phishing.example.com/psh/test?p=1&p=2" (in Windows)

  4. Stop Kaspersky CyberTrace Service by running the following command:

    systemctl stop cybertrace.service (in Linux)

    sc stop cybertrace (in Windows)

After Log Scanner finishes its work, the directory specified by the OutputDir element of the log_scanner.conf configuration file will contain a report about the URLs detected by Kaspersky CyberTrace Service and a report about the detected hashes.
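As an added example (not Kaspersky's code), the following Python helper applies the UTF-8 requirement from the first procedure and builds the Log Scanner argument vectors for both procedures above, wrapping the run in the service start/stop steps. The `./log_scanner` path, the SHA256 digest length and the `run_with_service` wrapper are assumptions, not part of the original page.

```python
import pathlib
import re
import subprocess

# Digest lengths: MD5 (32) and SHA1 (40) appear in the page's examples;
# SHA256 (64) is an assumption added here.
HEX_HASH = re.compile(r"^(?:[0-9A-Fa-f]{32}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$")


def is_utf8(data):
    """True if the bytes decode as UTF-8; Log Scanner requires UTF-8 log files."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def non_utf8_files(log_dir):
    """Names of files in log_dir that must be converted before scanning."""
    return sorted(p.name for p in pathlib.Path(log_dir).iterdir()
                  if p.is_file() and not is_utf8(p.read_bytes()))


def build_dir_scan(log_dir):
    """Argument vector for 'Checking several log files' (-r with -p <dir>)."""
    return ["./log_scanner", "-r", "-p", str(log_dir)]


def build_indicator_scan(hashes=(), urls=()):
    """Argument vector for 'Checking several URLs and hashes': one -s per hash,
    one -u per URL. Passing a list to subprocess avoids shell quoting problems
    with '&' and '?' in URLs. Strings that are not hex digests are rejected."""
    cmd = ["./log_scanner", "-r"]
    for h in hashes:
        if not HEX_HASH.match(h):
            raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {h!r}")
        cmd += ["-s", h]
    for u in urls:
        cmd += ["-u", u]
    return cmd


def run_with_service(scan_cmd):
    """Start cybertrace.service, run the scan, and always stop the service
    afterwards (Linux variant of the start/stop steps above; assumed wrapper)."""
    subprocess.run(["systemctl", "start", "cybertrace.service"], check=True)
    try:
        return subprocess.run(scan_cmd, check=True)
    finally:
        subprocess.run(["systemctl", "stop", "cybertrace.service"], check=True)
```

Call `non_utf8_files("../logs")` first and convert anything it lists, then `run_with_service(build_dir_scan("../logs"))`; the report lands in the OutputDir configured in log_scanner.conf.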
