About events

Any Kaspersky Endpoint Security operation generates events. The application administrator can view these events by using the query system.

Kaspersky Endpoint Security notifies users about new events in the following ways:

To get information about all events in the Storage:

kesl-control -E --query|less

By default, the application stores up to 500 000 events. You can use the less command to navigate through the list of displayed events.

You can use the query system to view specific events. When you create a query, specify the required field, select a comparison operator, and set the value to compare against. The value must be enclosed in single quotation marks ('), and the whole query must be enclosed in double quotation marks ("):

--query "<field> <comparison operator> '<value>' [and <field> <comparison operator> '<value>' *]"

Event example:

Below is an example of a ThreatDetected event:

EventType=ThreatDetected
EventId=2671
Initiator=Product
Date=2020-04-30 17:17:17
DangerLevel=Critical
FileName=/root/eicar.com.txt
ObjectName=File
TaskName=File_Monitoring
RuntimeTaskId=2
TaskId=1
DetectName=EICAR-Test-File
TaskType=OAS
FileOwner=root
FileOwnerId=0
DetectCertainty=Sure
DetectType=Virware
DetectSource=Local
ObjectId=1
AccessUser=root
AccessUserId=0

Query examples:

Get all events by the EventType field:

kesl-control -E --query "EventType == 'ThreatDetected'"

Get all events filtered by the EventType field and by a pattern match (like) on the FileName field:

kesl-control -E --query "EventType == 'ThreatDetected' and FileName like '%eicar%'"

Get all events produced by the File_Monitoring task after a specified point in time:

kesl-control -E --query "TaskName == 'File_Monitoring' and Date > '1588253494'"

The Date field must be specified as a UNIX timestamp (the number of seconds that have elapsed since 00:00:00 UTC on 1 January 1970).
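The query syntax and event format described above, turned into a small script. This is an added example, not part of Kaspersky's documentation or product: it converts a human-readable time to the UNIX timestamp the Date field requires, composes a correctly quoted query for File_Monitoring detections after that time, and condenses the KEY=VALUE event output into one summary line per event. It assumes GNU date (for -d) and that each event printed by kesl-control starts with its EventType line, as in the example above.

```shell
#!/bin/sh
# Added example, not Kaspersky's own code. Assumes GNU date (-d) and that each
# event printed by "kesl-control -E --query" starts with an EventType=... line
# followed by further KEY=VALUE lines, as in the ThreatDetected example above.

# Convert a human-readable time to the UNIX timestamp the Date field requires.
to_epoch() { date -d "$1" +%s; }

# Compose the --query argument: values in single quotes, the whole expression
# later passed to kesl-control inside double quotes. A task name containing a
# single quote, or a non-numeric timestamp, is rejected rather than spliced in.
build_query() {
  task="$1"; since_epoch="$2"
  case "$task" in *\'*) echo "task name must not contain a single quote" >&2; return 1 ;; esac
  case "$since_epoch" in ''|*[!0-9]*) echo "timestamp must be digits only" >&2; return 1 ;; esac
  printf "EventType == 'ThreatDetected' and TaskName == '%s' and Date > '%s'" \
    "$task" "$since_epoch"
}

# Collapse each multi-line event into one pipe-separated summary line
# (Date|DangerLevel|DetectName|FileName|AccessUser), a shape that is easy to
# forward to a SIEM or to grep for Critical detections.
summarise_events() {
  awk -F= '
    function flush() {
      if ("EventId" in f)
        print f["Date"] "|" f["DangerLevel"] "|" f["DetectName"] "|" f["FileName"] "|" f["AccessUser"]
      split("", f)
    }
    $1 == "EventType" { flush() }
    /^[^=]+=/ { v = $0; sub(/^[^=]*=/, "", v); f[$1] = v }
    END { flush() }'
}

# Usage on a host where the agent is installed: list File_Monitoring detections
# since a given UTC time and summarise them (skipped when kesl-control is absent).
if command -v kesl-control >/dev/null 2>&1; then
  since=$(to_epoch "2020-04-30 13:31:34 UTC")   # 1588253494, the timestamp from the query example
  kesl-control -E --query "$(build_query File_Monitoring "$since")" | summarise_events
fi
```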
