Adding Log Inspection rules via the Administration Plug-in

Perform the following actions to add and configure a new custom Log Inspection rule:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
2. Select the administration group for which you want to configure application settings.
3. Perform one of the following actions in the details pane of the selected administration group:
   • To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
   • To configure the settings of a task or application for an individual protected device, select the Devices tab and go to local task settings or application settings.
4. In the System inspection section, click the Log Inspection button in the Settings subsection.

   The Log Inspection window opens.

5. On the Custom rules tab, select or clear the Apply custom rules for log inspection check box.
   

   If the check box is selected, Kaspersky Embedded Systems Security for Windows applies custom Log Inspection rules according to the rule settings. You can add, remove or configure Log Inspection rules.

   If the check box is cleared, you cannot add or modify the custom rules. Kaspersky Embedded Systems Security for Windows applies the default rule settings.

   By default, the check box is cleared. Only the application popup detection rule is active.

   You can control whether the preset rules are applied for Log Inspection. Select the check boxes corresponding to the rules you want to apply to Log Inspection.

6. To add a new custom rule, click the Add button.

   The Custom log inspection rule window opens.

7. In the General section specify the following information about the new rule:
   • Rule name
   • Inform about new entries in the Windows Event Log with the specified identifiers
     

     Select a log to use as the source of events for analysis. The following Windows event log logs are available: Application, Security, System.

     You can add a new custom log by entering the log name in the Inform about new entries in the Windows Event Log with the specified identifiers field.

8. In the Triggering criteria section, specify the event IDs that will trigger the rule:
   1. Enter an ID.
   2. Click the Add button.

      The entered event ID is added to the list. You can add an unlimited number of identifiers to each rule.

9. Click the OK button.

   The Log Inspection rule is added to the list of rules.

Page top