Kaspersky Industrial CyberSecurity for Networks can save information about actions performed by users in the application. Information is saved in the audit log if user activity audit is enabled.
You can view audit entries when connected to the Server through the web interface. If necessary, you can also configure forwarding of application messages to recipient systems via connectors.
Only users with the Administrator role can view audit entries.
To view audit entries:
Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the Administrator account.
Select Settings → Audit.
The table will display the audit entries that match the defined filter and search settings.
The columns of the audit entries table contain the following information:
Date and time – date and time when the user activity data was registered.
Action – registered action performed by the user.
Result – result of the registered action (successful or unsuccessful).
User – name of the user that performed the registered action.
User node – IP address of the node on which the registered action was performed.
Description – additional information about the registered action.
When viewing the audit entries table, you can use the following functions:
Under Settings → Audit, click the Customize table link to open a window for configuring how the table is displayed.
Select the check boxes opposite the settings that you want to view in the table. You must select at least one setting.
If you want to change the order in which columns are displayed, select the name of the column that needs to be moved to the left or right in the table and use the buttons containing an image of the up or down arrows.
The selected columns will be displayed in the audit entries table in the order you specified.
When filtering by a defined period, the table will no longer be updated. The table displays only the entries that were registered during the specified period.
To configure filtering of audit entries based on a specified period:
Under Settings → Audit, do one of the following:
Open the Period drop-down list in the toolbar.
Click the filtering icon in the Date and time column.
In the drop-down list, select Specify a period.
If table updates are enabled, in the opened window confirm that you agree to suspend table updates.
The start and end date and time of the filtering period are displayed on the right of the drop-down list.
Click the date of the start or end of the period.
The calendar opens.
In the calendar, specify the date for the start and end boundaries of the filtering period. To do so, select a date in the calendar (the current time will be indicated) or manually enter the value in the format DD-MM-YYYY hh:mm:ss. If you don't need to specify the date and time of the filtering period end boundary, you can choose not to select a date or you can delete the current value.
Click OK.
The table will display audit entries for the period you specified.
You can filter the audit entries table based on the values in all columns except the Description column.
When filtering by the Date and time column, you can use one of the standard periods or define a specific period.
To filter the audit entries table by the Action column:
Under Settings → Audit, click the filtering icon in the Action column.
The filtering window opens.
In the Actions field, choose the necessary action from the available audit actions. To do so, start entering the name of the action and select it in the drop-down list (the list of appropriate actions is automatically expanded when the value in the Actions field is changed).
You can sort the opened list of actions by clicking the Sort link.
If you want to add another action, click the Add action button and specify another action in the opened field.
If you want to delete one of the specified actions, click the icon in the filter window. You can also delete all indicated actions by clicking the Default filter link in the filter window.
Click OK.
To filter the audit entries table by the Result column:
Under Settings → Audit, click the filtering icon in the Result column.
To filter by the results of actions, you can also use the corresponding buttons in the toolbar.
The filtering window opens.
Select the check boxes opposite the values by which you want to filter events.
Click OK.
To filter the audit entries table by the User or User node column:
Under Settings → Audit, click the filtering icon in the relevant column.
The filtering window opens.
In the Including and Excluding fields, enter the values for audit entries that you want to include in the filter and/or exclude from the filter.
If you want to apply multiple filter conditions combined by the logical operator OR, in the filter window of the column click the Add condition button and enter the condition in the opened field.
If you want to delete one of the created filter conditions, in the filter window of the column click the icon.
You can reset the defined filter and search settings in the audit entries table by using the Default filter button in the toolbar under Settings → Audit. The button is displayed if search or filter settings are defined.
Under Settings → Audit, click the header of the column by which you want to sort.
You can filter the audit entries table based on the values of any column except the Description column.
If you need to sort the table based on multiple columns, press the SHIFT key and hold it down while clicking the headers of the columns by which you want to sort.
The table will be sorted by the selected column. When sorting by multiple columns, the rows of the table are sorted according to the sequence of column selection. Next to the headers of columns used for sorting, you will see icons displaying the current sorting order: in ascending order or descending order of values.