Viewing events and reports

While the application is running, various events can occur. The events may be informational or may contain important data. For example, the application can use events to notify about a successful application database update, or to inform about an error in the operation of application components that must be eliminated.

Kaspersky Endpoint Security saves information about application events to the following logs:

• The application event log. By default, the application saves information about events to the database at /var/opt/kaspersky/kesl/private/storage/events.db. You can configure the application event log in the command line.
• Operating system log (syslog). The operating system log is not used by default. You can enable saving events to this log.

Access to the application event log and operating system log requires root privileges.

If Kaspersky Endpoint Security is managed by Kaspersky Security Center, information about events may be transmitted to the Kaspersky Security Center Administration Server. Aggregation rules apply to certain events. If a large number of same-type events are created within a short period of time while the application is running, the application will switch to event aggregation mode and send to Kaspersky Security Center one aggregated event with a description of the events settings. Different aggregation rules may be used for different events. For more information about events, refer to the Kaspersky Security Center Help.

You can receive information about application events in the following ways:

• In the Administration Console and in the Web Console
• In the command line
• In application pop-up windows if using the Kaspersky Endpoint Security graphical user interface

Some events may contain file paths. For output, the file path is treated as a UTF-8 string. If any of the bytes in the path does not comply with the UTF-8 encoding rules, is it replaced with the ? character. Any four-byte sequence that encodes a character code outside the Unicode range (greater than 0x10FFFF) is also replaced with the ? character. Special characters are escaped (replaced) in a certain way.

The following rules apply for escaping characters in file paths inside events in the output of kesl-control -E --query:

• '\a', '\b', '\t', '\n', '\v', '\f', '\r' characters are replaced by two characters as follows:

  '\a' -> "\\a"

  '\b' -> "\\b"

  '\t' -> "\\t"

  '\n' -> "\\n"

  '\v' -> "\\v"

  '\f' -> "\\f"

  '\r' -> "\\r"

• All other special characters are output without modification.

The following rules apply for escaping characters in file paths inside events in the output of kesl-control -E --query --json:

• In accordance with the JSON format, the '\b', '\f', '\n', '\r', '\t', '"', '\\' characters are escaped as follows:

  '\b' -> "\\b"

  '\f' -> "\\f"

  '\n' -> "\\n"

  '\r' -> "\\r"

  '\t' -> "\\t"

  '"' -> "\\\""

  '\\' -> "\\\\"

• All other special characters are escaped in accordance with the general JSON rules for escaping special characters ('\a' -> '\u0007').

Rules for escaping characters in file paths in events when sending to syslog:

• In accordance with the JSON format, the '\b', '\f', '\n', '\r', '\t', '"', '\\' characters are escaped as follows:

  '\b' -> "\\b"

  '\f' -> "\\f"

  '\n' -> "\\n"

  '\r' -> "\\r"

  '\t' -> "\\t"

  '"' -> "\\\""

  '\\' -> "\\\\"

• All other special characters are escaped in accordance with the general JSON rules for escaping special characters ('\a' -> '\u0007').

The first backslash in the sequence when describing rules is the escape character.

Examples: '\a' is one character (a control character). '\\a' is two characters (backslash + the a character). '\\' is one character (backslash), '\\\\' is two characters (backslash + backslash).

The application can generate various types of reports on the events that occur while the application is running. Reports contain information about the operation of each Kaspersky Endpoint Security component, the results of each task, and the overall operation of the application.

You can view reports in the following ways:

• Kaspersky Security Center reports are available in the Administration Console and in the Web Console. You can use these to get information about infected files or usage of keys and application databases, among other things. For detailed information on working with Kaspersky Security Center reports, please refer to the Kaspersky Security Center Help.
• Application reports are available in the Kaspersky Endpoint Security graphical user interface.

Events and reports may contain the following personal data:

• User name and user ID of operating system users
• Paths to user files
• IP addresses of remote devices that are scanned by the Anti-Cryptor component
• IP addresses of senders and receivers of network packets scanned by the Firewall Management component
• Web addresses of the update sources
• General application settings values
• Names and settings of command line tasks
• Detected malicious, phishing, adware web addresses, and web addresses containing legitimate applications that intruders can use to compromise devices or data
• Names of the containers and images
• Paths to the containers and images
• Names and IDs of the devices
• Web addresses of the repositories
• File names, paths to files, and hash-sums of executable application files
• Application category names

In this Help section Configuring event logging to the operating system log Configuring application event log settings Viewing events in Kaspersky Security Center Viewing events in the command line

Page top