.. title:: Server Settings Server Settings =============================== Server settings are settings that are global, as opposed to those that are per user group. They can be found in the Settings tab on the left side of the Administrative Web UI. In most cases, a change to a global setting requires a restart of some or all components. For a single server environment that would mean just restarting the kasm services on the server. For distributed environments you may only need to restart certain components. The tables below indicate which components need restarted for each setting. The following shows how to resart all services or individual services. .. code-block:: bash # restart all services on a server cd /opt/kasm/bin ./stop ./start # restart individual components sudo docker restart kasm_agent sudo docker restart kasm_api sudo docker restart kasm_manager sudo docker restart kasm_db sudo docker restart kasm_proxy Authentication -------------- .. table:: :widths: 100,150,50 +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Name** | **Description** | **Services Need Restarted** | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Anonymous User Expiration** | Anonymous user accounts are deleted from the system after the defined number of hours. Set this value to 0 to disable automatic deletion. | None | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Enable Kasm Authorization** | Requires client requests to the Kasm for content such as downloads and uploads to be authenticated with the user's current session token. | None | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Enable SAML** | Enables Single Sign on with SAML 2.0 for users. | None | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Kasm Authorization Domain** | Override the domain used in the Kasm session cookie. The default value will use the domain name the user request came in on, which will | None | | | fit most use cases. Statically setting the domain name will ensure your Workspaces deployment cannot be proxied under different domain | | | | names. | | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Login Assistance** | An optional link to display on the login page that will direct users to another site for login assistance. | None | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Max Login Attempts** | The number of invalid login attempts before an account is locked out. This setting only applies to local accounts. | None | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Notice Message** | A login banner message to show to users at the login page. | None | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Notice Title** | The title of the login banner to show to users at the login page. | None | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Same Site Cookie Policy** | Configures the SameSite attribute for the Set-Cookie HTTP response headers. Valid options are Lax, Strict and None. | API | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Session Lifetime** | The number of seconds a session token is valid for. | API | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ Logging ------- Kasm provides centralized logging out of the box, whether you install Kasm all on a single server in a distributed system with redundant API servers and multiple Kasm agents, all logs are collected and aggregated. Kasm provides basic log aggregation, analyses, and storage. The system also support logging directly to Splunk or :ref:`file-logs` can be ingested by a SIEM solution of choice. .. table:: :widths: 100,150,50 +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **Name** | **Description** | **Services Need Restarted** | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **Debug Log Retention** | Number of hours to keep debug logs. Default is 4 hours. | None | | | See the section on log retention for more details. | | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **Splunk HEC Token** | For Splunk logging, this token provides authentication | Manager, API | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **HTTP Method** | The HTTP method to use, POST or PUT are supported. | Manager, API | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **Disable Log Certificate Validation** | If set to true, the remote logging server's certificate is | Manager, API | | | ignored. This is required if using self signed certs. If you | | | | use properly signed certs you do not need to enable this. | | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **Log Host** | The hostname or IP address of the remote logging system. | Manager, API | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **Log Port** | The port number for the remote logging system. Splunk's | Manager, API | | | default is 8088 other systems may use 443. | | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **Log Protocol** | Remote logging protocol. Valid values are https and splunk. | Manager, API | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **Log Retention** | Number of days to keep local logs (excluding debug logs). | None | | | See the section on log retention for more details. | | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **URL Endpoint** | The URI path for the logging system. See the sections below | Manager, API | | | for specific logging solutions like Splunk. | | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ Native Kasm Logging ^^^^^^^^^^^^^^^^^^^ By default, logs are stored in the Kasm database. Kasm managers and Kasm API servers write their logs directly to the database. Kasm Agent nodes send logs via HTTPs to their respective Kasm Manager. The Kasm Dashboard relies on the native logging to provide visual statistics. Native logging cannot be disabled, if you enable remote logging the native logging will continue. See the log settings table for details on adjustments to default log settings. Splunk Logging ^^^^^^^^^^^^^^ Kasm supports Splunk HEC logging over HTTPS. See Splunk documentation http://dev.splunk.com/view/event-collector/SP-CAAAE7G for details on configuring a HEC input. Note that the URI path for a Cloud Splunk instance and a self hosted Splunk instance are different. The example configuration below is for Splunk Cloud SaaS. A cloud instance will have two domain names, the one you access the UI from and one for inputs. Per the linked documentation, the Splunk Cloud SaaS domain name for data input is the same as the UI but with **input-** at the front. * Log Protocol - splunk * Log Host - input-your_cloud_splunk_hostname * Log Port - 8088 * URL Endpoint - /services/collector/event * HTTP Method - POST * Disable Log Certificate Validation - false * Splunk HEC Token - 12345678-1234-1234-1234-1234567890AB Logging Retention ^^^^^^^^^^^^^^^^^ Logging retention applies only to local logging, it does not affect remote logging. Before adjusting the Log Retention or Debug Log Retention you should evaluate your database system. Ensure the database system has adequate storage and processing power to handle the increased logging. If log retention beyond 30 days is required, it is highly recommended to use a proper external logging solution. The Debug Log Retention setting should not be adjusted unless needed to troubleshoot issues over a longer period of time. A Kasm system can produce over 10,000 debug logs per hour, therefore, the retention of those logs should be considered very carefully. Manager ------- .. table:: :widths: 100,150,50 +-----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Name** | **Description** | **Services Need Restarted** | +-----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Agent Version** | This setting is used to restrict which versions of the Kasm Agent are allowed to communicate with the Manager. | Manager | +-----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Primary Manager Timeout** | The number of seconds until the primary manager is considered unavailable. If other managers are alive one will take over the primary | None | | | role. | | +-----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Same Zone Reply** | If set to true, a manager will only reply to agent heartbeats with a list of managers in the same zone as itself. Otherwise a list of all | Manager | | | managers is given. This allows Agents to failover to managers in other zones. | | +-----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Token** | An authentication token used the communication between Kasm Agents and the Manager API server. | Manager | +-----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Update Check** | This setting will enable/disable the manager checking for Kasm system updates. | None | +-----------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ Images -------------- .. table:: :widths: 100,150,50 +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Name** | **Description** | **Services Need Restarted** | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Add Images To Default Group**| Automatically add images to default group when new images are added. | API | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ Web Filter ---------- .. table:: :widths: 100,150,50 +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Name** | **Description** | **Services Need Restarted** | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ | **Web Filter Update URL** | URL used to interface with Kasm's URL category service | API | +--------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------+ Cast ---- Kasm allows the administrator to expose :doc:`Casting URLs` to automatically launch Kasm sessions with or without authentication. The following settings are used for Google reCAPTCHA .. table:: :widths: 100,150,50 +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **Name** | **Description** | **Services Need Restarted** | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **Google reCAPTCHA API URL** | The API for Google reCAPTCHA. | None | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **Google reCAPTCHA Private Key** | The Google reCAPTCHA Private Key, | None | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ | **Google reCAPTCHA Site Key** | The Google reCAPTCHA Site Key. | None | +-----------------------------------------+--------------------------------------------------------------+--------------------------------+ Scale ----- .. table:: :widths: 100,150,50 +-----------------------------------------+-------------------------------------------------------------------+--------------------------------+ | **Name** | **Description** | **Services Need Restarted** | +-----------------------------------------+-------------------------------------------------------------------+--------------------------------+ | **Automatically Enable Agents** | Automatically enable agents if disabled every time they check in. | None | +-----------------------------------------+-------------------------------------------------------------------+--------------------------------+ | **Guardian Interval** | How often to run the guardian. Guardian handles cleanup of | Manager | | | agents and Kasms. As well as provision of autoscale agents. | | +-----------------------------------------+-------------------------------------------------------------------+--------------------------------+ | **Guardian Provision Threads** | Number of threads to use for tear down and provision tasks. | Manager | +-----------------------------------------+-------------------------------------------------------------------+--------------------------------+ | **Host Dead Expiration** | How long to wait after an agent stops checking in before marking | Manager | | | it dead. If it was auto provisioned, it will be cleaned up once | | | | marked dead. | | +-----------------------------------------+-------------------------------------------------------------------+--------------------------------+ | **Host Missing Expiration** | How long to wait after an agent stops checking in before marking | Manager | | | it missing. This value should always be less than the | | | | **Host Dead Expiration** | | +-----------------------------------------+-------------------------------------------------------------------+--------------------------------+ | **Keep Alive Expiration** | How long the session will stay alive when no client is connected. | API | | | This is the global setting, can be overridden at the group level. | | +-----------------------------------------+-------------------------------------------------------------------+--------------------------------+ | **Provision Timeout** | How long to wait for an autoscale VM to finish provisioning. | API, Manager | +-----------------------------------------+-------------------------------------------------------------------+--------------------------------+ Setting Properties ------------------ The following table lists the properties of each setting. .. table:: :widths: 100,150 +----------------------+---------------------------------------------+ | Name | Setting name | +----------------------+---------------------------------------------+ | **Category** | Setting Category | +----------------------+---------------------------------------------+ | **Services Restart** | What services need to be restarted on | | | setting change | +----------------------+---------------------------------------------+ | **Value** | Settings Actual Value | +----------------------+---------------------------------------------+ | **Value Type** | Data Type | +----------------------+---------------------------------------------+ | **Description** | Setting Description | +----------------------+---------------------------------------------+