After the kl_feed_for_splunk.py utility finishes processing, one of the following messages is logged:

Kaspersky_Threat_Feed_App_for_Splunk_Cloud status='All Kaspersky Data Feeds were transformed successfully' %feed_1%='%number_of_downloaded_indicators%|%feed_1_version%' ... %feed_N%='%number_of_downloaded_indicators%|%feed_N_version%'
Logged if the utility operation succeeds. Each feed is reported as one name='count|version' pair, so the number of downloaded indicators and the feed version can be read per feed.

Kaspersky_Threat_Feed_App_for_Splunk_Cloud status='Error while downloading Kaspersky Threat Data Feeds: pem certificate is invalid'
Logged if the PEM certificate used for downloading feeds is invalid.

Kaspersky_Threat_Feed_App_for_Splunk_Cloud status='Error while downloading Kaspersky Data Feeds: configuration file is invalid'
Logged if the kl_feed_for_splunk.conf configuration file is invalid.

Kaspersky_Threat_Feed_App_for_Splunk_Cloud status='Error while downloading Kaspersky Data Feeds: %error_description%'
Logged if an error occurred while downloading or processing feeds; %error_description% is replaced with the specific error.
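The messages above are what an operator has to watch to know whether the feed update actually worked. The following script is an added example, not part of the app or of Kaspersky's documentation: it parses status lines in the documented format, distinguishes the two specific failures (certificate, configuration file) from the generic download error, and flags a successful run in which a feed delivered zero indicators. The feed names, counts, versions and the final error text in the sample lines are constructed for the example, and the "empty feed" check is an assumed operational rule, not something the app itself reports.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

APP = "Kaspersky_Threat_Feed_App_for_Splunk_Cloud"

# A successful run: fixed status text followed by one %feed%='%count%|%version%' pair per feed.
SUCCESS_RE = re.compile(
    rf"^{APP} status='All Kaspersky Data Feeds were transformed successfully'(?P<feeds>.*)$"
)
# A failed run. The documented messages spell the product both with and without
# "Threat", so the regex accepts either spelling.
ERROR_RE = re.compile(
    rf"^{APP} status='Error while downloading Kaspersky (?:Threat )?Data Feeds: (?P<desc>.*)'$"
)
FEED_RE = re.compile(r"(?P<name>\S+)='(?P<count>\d+)\|(?P<version>[^']*)'")


@dataclass
class FeedStatus:
    name: str
    downloaded: int
    version: str


@dataclass
class RunStatus:
    ok: bool
    error_kind: Optional[str] = None   # "certificate", "config" or "download"
    error_desc: Optional[str] = None
    feeds: List[FeedStatus] = field(default_factory=list)


def classify_error(desc: str) -> str:
    """Map %error_description% to the three failure classes the documentation lists."""
    if desc == "pem certificate is invalid":
        return "certificate"
    if desc == "configuration file is invalid":
        return "config"
    return "download"   # any other download/processing error


def parse_line(line: str) -> Optional[RunStatus]:
    """Return a RunStatus for a utility status line, or None for unrelated lines."""
    line = line.rstrip("\n")
    m = SUCCESS_RE.match(line)
    if m:
        feeds = [
            FeedStatus(f["name"], int(f["count"]), f["version"])
            for f in FEED_RE.finditer(m["feeds"])
        ]
        return RunStatus(ok=True, feeds=feeds)
    m = ERROR_RE.match(line)
    if m:
        return RunStatus(ok=False, error_kind=classify_error(m["desc"]), error_desc=m["desc"])
    return None


def parse_log(text: str) -> List[RunStatus]:
    """Parse every status line in a log excerpt, skipping lines from other components."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def findings(runs: List[RunStatus]) -> List[str]:
    """Conditions worth alerting on: any failed run, and (assumed rule) a successful
    run in which a feed delivered zero indicators."""
    out: List[str] = []
    for r in runs:
        if not r.ok:
            out.append(f"{r.error_kind}: {r.error_desc}")
            continue
        for f in r.feeds:
            if f.downloaded == 0:
                out.append(f"empty feed: {f.name} (version {f.version})")
    return out


# Constructed sample lines in the documented format (feed names, counts, versions
# and the last error description are made up for this example).
SAMPLE_LOG = """\
Kaspersky_Threat_Feed_App_for_Splunk_Cloud status='All Kaspersky Data Feeds were transformed successfully' Example_URL_Feed='12034|20240311' Example_Hash_Feed='0|20240311'
Kaspersky_Threat_Feed_App_for_Splunk_Cloud status='Error while downloading Kaspersky Threat Data Feeds: pem certificate is invalid'
Kaspersky_Threat_Feed_App_for_Splunk_Cloud status='Error while downloading Kaspersky Data Feeds: configuration file is invalid'
Kaspersky_Threat_Feed_App_for_Splunk_Cloud status='Error while downloading Kaspersky Data Feeds: connection to the feed server timed out'
some unrelated line from another component
"""

if __name__ == "__main__":
    for finding in findings(parse_log(SAMPLE_LOG)):
        print(finding)
```

The same logic can be expressed as a Splunk search over the log file's source, but parsing the lines outside Splunk is useful when the log is exported or when the check has to run where no Splunk search head is available.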
The app writes its log to /opt/splunk/var/log/splunk/kaspersky/kl_feed_for_splunk.log.
To view or export the logs, specify source="/opt/splunk/var/log/splunk/kaspersky/kl_feed_for_splunk.log" in the search field on the Search tab.
The log file size is limited to 100 MB so that the log cannot exhaust the user's disk space.
The kl_feed_for_splunk.py utility logs are written to the "_internal" index (Splunk's own internal index). The index size is limited by the settings of the Splunk Cloud instance.