zbx-sadman / KSC

KSC Miner

This is a little Powershell script help to fetch metric's values from Kaspersky Security Center (KSC).

Actual release 0.99

Tested on:

• Production mode: Windows Server 2008 R2 SP1, Powershell 2, Kaspersky Security Center 10 SP2
• Production mode: Windows Server 2019 Standard, Powershell 5.1, Kaspersky Security Center 12.2.0.4376

Supported objects:

• Server - KSC server;
• Host - Managed server / workstation;
• License - License data.

Virtual keys for 'Host' object are:

• Unassigned - Host(s) contained in "Unassigned" group;
• Status.{OK | Critical | Warning | Any } - Host(s) extended status: Any, OK, Critical, Warning;
• RTPState.{Unknown | Stopped | Suspended | Starting | Running | Failure} - Realtime protection on host is Unknown/Stopped/Suspended/etc;
• NotInstalledAVApplication - Anti-virus application is not installed on host;
• NotRunningAVApplication - Anti-virus application is installed on host but not running;
• NotRunningRTP - Anti-virus application is installed but real-time protection on host is not running;
• TooMuchVirusesDetected - Number of viruses detected on host is too much;
• TooOldAVBases - Anti-virus bases on host were updated too long ago;
• FullScanPerformedTooLongAgo - Full scan for viruses performed too long ago;
• AgentIsInactiveTooLong - Network agent is inactive too long;
• AVBasesAgeLess1Hr - Anti-virus bases were updated in last hour;
• AVBasesAgeIs24Hrs - Anti-virus bases were updated between an 1..24 hour ago;
• AVBasesAgeIs1-3Days - Anti-virus bases were updated between an 1..3 days ago;
• AVBasesAgeIs3-7Days - Anti-virus bases were updated between an 3..7 days ago;
• AVBasesAgeMoreThan7Days - Anti-virus bases were updated more than 7 days ago.

Virtual keys for 'License' object are:

• TimeLeftToLicenseExpire - Time left to end of license (in seconds);
• LicenseExpired - "License is expired" flag.

Virtual keys for 'Server' object are:

• Build - Administration Server build number;
• VersionId - ID of Administration Server version;
• SAASBlocked - SAAS mode is turned off due to expired/absent/blacklisted license, boolean.

Actions

• Discovery - Make Zabbix's LLD JSON;
• Get - Get metric from collection item;
• Sum - Sum metrics of collection items;
• Count - Count collection items.

How to use standalone

# Make Zabbix's LLD JSON for Licenses on Kaspersky Security Center Server
powershell.exe -NoProfile -ExecutionPolicy "RemoteSigned" -File "ksc.ps1" -Action "Discovery" -ObjectType "License"

# Get number of Hosts which have Critical State 
... "ksc.ps1" -Action "Count" -ObjectType "Host" -Key "Status.Critical" -consoleCP CP866

# Get expiration date of license with "1C1C-000423-1323DEA0" serial number
... "ksc.ps1" -Action "Get" -ObjectType "License" -Key "KLLIC_LIMIT_DATE" -Id "1C1C-000423-1323DEA0"

How to use with Zabbix

1. Just include zbx_ksc.conf to Zabbix Agent config;
2. Put ksc.ps1 to _C:\zabbix\scripts_ dir;
3. Set Zabbix Agent's / Server's Timeout to more that 3 sec (may be 10 or 30);
4. Import template to Zabbix Server;
5. Watch to Zabbix's Latest Data.

Note Do not try import Zabbix v2.4 template to Zabbix pre v2.4. You need to edit .xml file and make some changes at discovery_rule - filter tags area and change # to <> in trigger expressions. I will try to make template to old Zabbix.

Note It is possible that you will need to provide the script with the credentials of user from the KLAdmins group to connect to the server. Refer to Username / Userpass / UserDomain options.

Note All available options are described in head of the script file.

Hints

• To see keys, run script without -Key option: ... "ksc.ps1" -Action "Get" -Object "ObjectType"
• For debug in standalone mode use -defaultConsoleWidth option to leave console default width while run script and -Verbose to get additional processing information;
• If you get Zabbix's "Should be JSON" - try to increase the number value in CONSOLE_WIDTH constant variable inside ksc.ps1. Powershell use console width to format output JSON-lines and can break its.

Beware frequent requests to PowerShell script eat CPU and increase Load. To avoid it - don't use small update intervals with Zabbix's Data Items and disable unused.