You can set your own Log Inspection rule triggering criteria. To do so, you must enter an event ID and select an event source. You can look up the event ID on the Microsoft technical support website. You can select an event source from among the standard logs: Application, Security or System. You can also specify the log of a third-party application. You can find out the name of the third-party application log using the Event Viewer tool. Third-party application logs are kept in the Application and Services Logs folder (for example, the Windows PowerShell log).
The application does not check whether the specified log actually exists in the Windows event log. If the log name is misspelled, the rule is saved anyway, but the application does not monitor events from that log and the rule never triggers.
The list of custom rules already includes three rules created by Kaspersky experts.
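Because a misspelled log name is accepted without warning, it is worth confirming the exact log name and event ID on a client computer before typing them into a custom rule. The PowerShell below is an added example for this page; it is not part of the Kaspersky documentation and not a Kaspersky tool. The function names (Get-ThirdPartyLogName, Test-LogInspectionRule) and the sample rule values are constructed for the example. Run it in an elevated session, since reading the Security log requires administrator rights.

```powershell
# Added example (not Kaspersky's own code). Lists the log names a custom rule can
# use and checks a planned rule against the local event log before it is entered.

# Lists every event log other than the standard "Windows Logs" entries, i.e. the logs
# shown under "Applications and Services Logs" in Event Viewer, with the exact name a
# custom rule requires (Event Viewer shows it as "Full Name" in the log's properties).
function Get-ThirdPartyLogName {
    $standardLogs = @('Application', 'Security', 'System', 'Setup', 'ForwardedEvents')
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.LogName -notin $standardLogs -and $_.RecordCount -gt 0 } |
        Sort-Object LogName |
        Select-Object LogName, RecordCount
}

# Checks one planned rule: does the log exist, and has the event ID ever been written to it?
function Test-LogInspectionRule {
    param(
        [Parameter(Mandatory)] [string] $LogName,  # e.g. 'Windows PowerShell' (Applications and Services Logs)
        [Parameter(Mandatory)] [int]    $EventId
    )

    $result = [ordered]@{ LogName = $LogName; EventId = $EventId; LogExists = $false; EventSeen = $false; Note = '' }

    # Kaspersky Endpoint Security does not validate the log name, so a misspelled name
    # produces a rule that silently never fires. Get-WinEvent does validate it.
    try {
        $null = Get-WinEvent -ListLog $LogName -ErrorAction Stop
        $result.LogExists = $true
    } catch {
        $result.Note = "No event log named '$LogName' on this computer; check the name in Event Viewer."
        return [pscustomobject]$result
    }

    # An event ID that has never appeared is not an error, but it deserves a second look:
    # the ID may be mistyped, or the source may not be logging that event yet.
    $sample = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($sample) {
        $result.EventSeen = $true
        $result.Note = "Last occurrence: $($sample.TimeCreated) from provider '$($sample.ProviderName)'."
    } else {
        $result.Note = 'Log exists, but no event with this ID has been recorded in it so far.'
    }
    return [pscustomobject]$result
}

# Constructed sample rules: one against a standard log, one against a third-party log,
# and one with a deliberately misspelled log name to show the silent failure mode.
$plannedRules = @(
    @{ LogName = 'Security';           EventId = 4625 },
    @{ LogName = 'Windows PowerShell'; EventId = 400  },
    @{ LogName = 'Windows Powershel';  EventId = 400  }   # typo: this rule would never trigger
)

Get-ThirdPartyLogName | Format-Table -AutoSize
$plannedRules |
    ForEach-Object { Test-LogInspectionRule -LogName $_.LogName -EventId $_.EventId } |
    Format-Table -AutoSize
```

The first table gives you the exact names to copy into the Source field for third-party logs; the second shows, per planned rule, whether the log exists and whether the event ID has ever been recorded in it. A row with LogExists set to False is a rule that Kaspersky Endpoint Security would accept but never act on.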
Open the Kaspersky Security Center Administration Console.
In the Managed devices folder in the Administration Console tree, open the folder with the name of the administration group to which the relevant client computers belong.
In the workspace, select the Policies tab.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → Log Inspection.
Make sure the Log Inspection check box is selected.
In the Custom rules block, click the Settings button.
In the window that opens, select the check boxes next to the custom rules that you want to enable.
If necessary, click Add to create your own custom rules.
This opens a window; in that window, configure the custom rule:
Rule name.
Log name. The standard Windows event log to monitor. The following logs are available: Application, Security, System.
Source. The third-party application log to monitor. You can find out the name of the third-party application log using the Event Viewer tool. Third-party application logs are kept in the Application and Services Logs folder (for example, the Windows PowerShell log).
In the main window of the Web Console, select Devices → Policies & Profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Security Controls → Log Inspection.
Make sure the Log Inspection toggle switch is turned on.
In the Custom rules block, select custom rules that you want to enable.
If necessary, click Add to create your own custom rules.
This opens a window; in that window, configure the custom rule:
Rule name.
Windows Event Log name. The standard Windows event log to monitor. The following logs are available: Application, Security, System.
Source. The third-party application log to monitor. You can find out the name of the third-party application log using the Event Viewer tool. Third-party application logs are kept in the Application and Services Logs folder (for example, the Windows PowerShell log).
Windows Event Log identifier. The ID of the event in the Windows Event Log that triggers the rule. You can look up the event ID in the Microsoft technical documentation.
In the application settings window, select Security Controls → Log Inspection.
Make sure the Log Inspection toggle switch is turned on.
In the Custom rules block, click the Configure button.
In the window that opens, select the check boxes next to the custom rules that you want to enable.
If necessary, click Add to create your own custom rules.
This opens a window; in that window, configure the custom rule:
Rule name.
Log name. The standard Windows event log to monitor. The following logs are available: Application, Security, System.
Source. The third-party application log to monitor. You can find out the name of the third-party application log using the Event Viewer tool. Third-party application logs are kept in the Application and Services Logs folder (for example, the Windows PowerShell log).