Kaspersky Security events in Kaspersky Security Center

This section contains accumulated information on application events that are written to the event log of the Kaspersky Security Center Administration Server.

Kaspersky Security Center also lets you export Kaspersky Security events to SIEM systems via the Syslog protocol.

For more detailed information about working with application events and policies using the Kaspersky Security Center Administration Server, please refer to the Kaspersky Security Center Administrator's Guide.

Kaspersky Security events related to triggers in the Kaspersky Security Center Event Log

Event: Limited scan mode enabled
Importance level: Critical event
Description: Such an event is logged if an application component switched to limited scan mode. The event record specifies the component name and the time it switched to limited scan mode.

Event: An infected, corrupted or password-protected object has been detected
Importance level: Informational message
Description: Such an event is logged if the Log the following events to Windows Event Log check box is selected in the Notifications node, in the notification subject corresponding to the event, and an infected, corrupted, or password-protected object is detected.

Event: An attachment file whose parameters match the attachment filtering conditions has been detected
Importance level: Informational message
Description: Such an event is logged if the Log the following events to Windows Event Log check box is selected in the Notifications node, in the notification subject corresponding to the event, and an attachment whose parameters match the attachment filtering conditions is detected.

Event: Outgoing spam message or phishing message detected
Importance level: Informational message
Description: Such an event is logged if the application detected an outgoing email message containing spam or phishing content. The event record contains information about the message.

Event: Application component error
Importance level: Critical event
Description: Such an event is logged if the application registers an error in the operation of a component. The event record specifies the component name and the error description.

By default, events related to triggers are stored in the Kaspersky Security Center Event Log for 30 days. You can change this setting in the Kaspersky Security Center Console.

Kaspersky Security events related to the Anti-Virus database and the Anti-Spam database in the Kaspersky Security Center Event Log

Event: Anti-Virus databases are up to date
Importance level: Informational message
Description: Such an event is logged if the application Anti-Virus databases have been updated to the latest version. The event record specifies the database release date.

Event: Anti-Virus databases are out of date
Importance level: Critical event
Description: Such an event is logged if the Anti-Virus databases were last updated more than 24 hours ago.

Event: Anti-Spam databases are outdated
Importance level: Warning
Description: Such an event is logged if the Anti-Spam databases were last updated more than 5 hours ago.

Event: Anti-Virus databases update error is fixed. Anti-Virus databases have been updated successfully
Importance level: Informational message
Description: Such an event is logged if an Anti-Virus database update error is fixed and the databases are successfully updated. The event record specifies the database type and release date.

Event: Database update error
Importance level: Critical event
Description: Such an event is logged if an update of the application databases fails. The event record specifies the database type and the error description.

Event: Anti-Spam databases have been updated
Importance level: Informational message
Description: Such an event is logged if the Anti-Spam databases have been updated to the latest version. The event record specifies the database type and release date.

Event: Anti-Spam databases update error is fixed. Anti-Spam databases have been updated successfully
Importance level: Informational message
Description: Such an event is logged if an Anti-Spam database update error is fixed in the application and the databases are successfully updated. The event record specifies the database type and release date.

By default, events related to the application database are stored in the Kaspersky Security Center Event Log for 30 days. You can change this setting in the Kaspersky Security Center Console.

Kaspersky Security events related to application access to the SQL server in the Kaspersky Security Center Event Log

Event: Error connecting to the SQL Server
Importance level: Critical event
Description: Such an event is logged if the application registers an error connecting to the SQL server. The event record specifies the database name, the SQL server name, and the error description.

Event: Connection to the SQL Server is restored
Importance level: Informational message
Description: Such an event is logged if access to the SQL database is restored.

By default, events related to application access to the SQL server are stored in the Kaspersky Security Center Event Log for 30 days. You can change this setting in the Kaspersky Security Center Console.

Kaspersky Security events related to application licensing in the Kaspersky Security Center Event Log

Event: An action was performed on the Security Server key
Importance level: Informational message
Description: Such an event is logged if the key status, license expiration date, number of users, or license type has changed. The event record specifies the key, the license type, the license expiration date, and the number of license users.

Event: User has performed an action on the Security Server key
Importance level: Informational message
Description: Such an event is logged if the user performed an action on the Security Server key. The event record specifies the user account.

Event: Active key is not detected
Importance level: Critical event
Description: Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node, in the notification subject corresponding to the event, and an active key is not detected.

Event: License expired
Importance level: Critical event
Description: Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node, in the notification subject corresponding to the event, the Notify about license expiration in advance (days before) setting is configured, and the primary license has expired. The event record specifies the key, the license expiration date, and the number of days left until this date.

Event: License is about to expire
Importance level: Warning
Description: Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node, in the notification subject corresponding to the event, and the primary license expires soon. The event record specifies the key, the license expiration date, and the number of days left until this date.

Event: License status has not been updated in a long time
Importance level: Warning
Description: Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node and the application was not able to update the license status. The event record specifies the key, the license expiration date, and the number of days left until the application switches to limited functionality mode.

Event: Error occurred when updating license status
Importance level: Critical event
Description: Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node, the application was not able to update the license status, and the license update period has expired. The event record provides a description of the cause of the error.

By default, events related to application licensing are stored in the Kaspersky Security Center Event Log for 30 days. You can change this setting in the Kaspersky Security Center Console.

Kaspersky Security events related to the DLP Module in the Kaspersky Security Center Event Log

Event: Kaspersky Lab categories updated
Importance level: Informational message
Description: Such an event is logged if Kaspersky Lab categories were updated during the application database update. The event record specifies the names of the categories that have been updated, as well as their brief descriptions.

Event: User has attempted to send an incident to his/her own email address
Importance level: Warning
Description: Such an event is logged if the security officer requested the details of an incident to be sent to his or her own email address.

Event: User attempted to archive incidents
Importance level: Warning
Description: Such an event is logged if the security officer attempted to create an archive of incidents.

Event: New incident created during DLP Module operation
Importance level: Warning
Description: Such an event is logged if an email message that violates the security policy is detected and a new incident was created based on the results of DLP Module operation.

Event: User attempted to save an object attached to the incident to disk
Importance level: Warning
Description: Such an event is logged if the security officer requested an object attached to an incident to be saved to disk.

By default, events related to the DLP Module are not stored in the Kaspersky Security Center Event Log. You can change this setting in the Kaspersky Security Center Console.

Kaspersky Security events related to monitoring and audit in the Kaspersky Security Center Event Log

Event: Anti-Virus for the Hub Transport role is enabled
Importance level: Informational message
Description: Such an event is logged if the application registers the enabling of the Anti-Virus for the Hub Transport role component.

Event: Anti-Virus for the Hub Transport role is disabled
Importance level: Warning
Description: Such an event is logged if the application registers the disabling of the Anti-Virus for the Hub Transport role component.

Event: Anti-Virus for the Mailbox role is enabled
Importance level: Informational message
Description: Such an event is logged if the application registers the enabling of the Anti-Virus for the Mailbox role component.

Event: Anti-Virus for the Mailbox role is disabled
Importance level: Warning
Description: Such an event is logged if the application registers the disabling of the Anti-Virus for the Mailbox role component.

Event: Anti-Spam is enabled
Importance level: Informational message
Description: Such an event is logged if the application registers the enabling of the Anti-Spam component.

Event: Anti-Spam is disabled
Importance level: Warning
Description: Such an event is logged if the application registers the disabling of the Anti-Spam component.

Event: A background scan task has been stopped
Importance level: Informational message
Description: Such an event is logged if the background scan was stopped. The event record specifies the reason the scan was stopped.

Event: Anti-Virus scan statistics
Importance level: Informational message
Description: Such an event is logged if the on-demand scan has been run manually or automatically (by schedule). The event record specifies the run type.

Event: DLP Module is enabled
Importance level: Informational message
Description: Such an event is logged if the application registers the enabling of the DLP Module.

Event: DLP Module is disabled
Importance level: Warning
Description: Such an event is logged if the application registers the disabling of the DLP Module.

Event: User has changed application settings
Importance level: Informational message
Description: Such an event is logged if the user has changed application settings. The event record specifies the user account that changed the settings, as well as detailed information about the changed settings.

Event: User has attempted to start a background scan
Importance level: Informational message
Description: Such an event is logged if the user requested the on-demand scan task to run. The event record specifies the user account.

Event: User has attempted to stop a background scan
Importance level: Informational message
Description: Such an event is logged if the user attempted to stop a background scan task. The event record specifies the user account and the reason for stopping the task.

Event: Attachment filtering is enabled
Importance level: Informational message
Description: Such an event is logged if the application registers the enabling of the Attachment Filtering component.

Event: Attachment filtering is disabled
Importance level: Warning
Description: Such an event is logged if the application registers the disabling of the Attachment Filtering component.

By default, events related to monitoring and audit are stored in the Kaspersky Security Center Event Log for 30 days. You can change this setting in the Kaspersky Security Center Console.
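As an added example (not part of the Kaspersky documentation and not the product's own code), the following Python script shows how a SIEM-side consumer of the syslog-exported events might act on the event names and importance levels listed above. Every Critical event is reported, and a component-disabled Warning is reported only when the matching "enabled" event does not follow within a grace period, so that a short, planned toggle during maintenance does not page anyone while a component left switched off does. The line layout, timestamps and account name are constructed for the example; the real syslog record format is not described on this page, so parse_line() is the part a deployment would adapt to the fields it actually receives.

```python
"""Monitor for Kaspersky Security events exported to a SIEM (added example).

The record format handled here is constructed for this example:
    <ISO-8601 timestamp>|<importance level>|<event name>|<details>
It is NOT the real Kaspersky Security Center syslog format; adapt parse_line()
to the actual export. Event names and importance levels come from the
Kaspersky Security Center event tables.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# "... is disabled" Warning events from the monitoring-and-audit table,
# mapped to the Informational event that switches the component back on.
PROTECTION_PAIRS = {
    "Anti-Virus for the Hub Transport role is disabled": "Anti-Virus for the Hub Transport role is enabled",
    "Anti-Virus for the Mailbox role is disabled": "Anti-Virus for the Mailbox role is enabled",
    "Anti-Spam is disabled": "Anti-Spam is enabled",
    "DLP Module is disabled": "DLP Module is enabled",
    "Attachment filtering is disabled": "Attachment filtering is enabled",
}


@dataclass
class Event:
    time: datetime
    importance: str
    name: str
    details: str


def parse_line(line: str) -> Event:
    """Parse one record in the constructed pipe-separated format."""
    ts, importance, name, details = line.strip().split("|", 3)
    return Event(datetime.fromisoformat(ts), importance, name, details)


def analyse(lines, grace_minutes: int = 15):
    """Return a time-ordered list of (severity, message) findings.

    - Every "Critical event" is reported as-is.
    - A protection-component "disabled" Warning is reported only if the
      matching "enabled" event does not follow within grace_minutes.
    """
    grace = timedelta(minutes=grace_minutes)
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.time)
    findings = []
    for i, ev in enumerate(events):
        if ev.importance == "Critical event":
            findings.append(("critical", f"{ev.time.isoformat()} {ev.name}: {ev.details}"))
        elif ev.name in PROTECTION_PAIRS:
            reenable = PROTECTION_PAIRS[ev.name]
            restored = any(
                later.name == reenable and later.time - ev.time <= grace
                for later in events[i + 1:]
            )
            if not restored:
                findings.append(("warning",
                                 f"{ev.time.isoformat()} {ev.name} and not re-enabled "
                                 f"within {grace_minutes} minutes ({ev.details})"))
    return findings


# Constructed sample export: a planned 5-minute Anti-Spam toggle, a Mailbox
# role Anti-Virus that was never re-enabled, and two Critical events.
SAMPLE_LOG = [
    "2024-03-01T08:00:00|Informational message|Anti-Virus databases are up to date|release date 2024-03-01",
    "2024-03-01T09:00:00|Warning|Anti-Spam is disabled|changed by account exch-admin (constructed)",
    "2024-03-01T09:05:00|Informational message|Anti-Spam is enabled|changed by account exch-admin (constructed)",
    "2024-03-01T10:00:00|Warning|Anti-Virus for the Mailbox role is disabled|changed by account exch-admin (constructed)",
    "2024-03-02T11:00:00|Critical event|Anti-Virus databases are out of date|last updated more than 24 hours ago",
    "2024-03-02T11:30:00|Critical event|Error connecting to the SQL Server|database KSE, server sql01 (constructed)",
]

if __name__ == "__main__":
    for severity, message in analyse(SAMPLE_LOG):
        print(f"[{severity.upper()}] {message}")
```

With the default 15-minute grace period the script reports three findings: the Mailbox role Anti-Virus left disabled, the out-of-date Anti-Virus databases, and the SQL Server connection error; the Anti-Spam toggle that was reversed after 5 minutes is suppressed. Shortening the grace period below 5 minutes makes that toggle a finding too, which is the knob a SOC would tune against its change-management window.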

Kaspersky Security events related to Backup in the Kaspersky Security Center Event Log

Event: User has sent a backup object to email address(es)
Importance level: Informational message
Description: Such an event is logged if the user attempted to send a possibly infected object from Backup to recipients. The event record specifies detailed information about the object and the user account.

Event: User has sent a backup object to Kaspersky Lab for analysis
Importance level: Informational message
Description: Such an event is logged if the user sent a possibly infected object from Backup to Kaspersky Lab for examination. The event record specifies detailed information about the object and the user account.

Event: User has sent a message marked as spam to Kaspersky Lab for analysis
Importance level: Informational message
Description: Such an event is logged if the user sent an object from Backup to Kaspersky Lab for analysis because the application had identified the object as spam by mistake. The event record specifies detailed information about the object and the user account.

Event: User has attempted to save a Backup object to disk
Importance level: Informational message
Description: Such an event is logged if the user requested to save an object from Backup to disk. The event record specifies detailed information about the object and the user account.

Event: User has removed an object from Backup
Importance level: Informational message
Description: Such an event is logged if an object was deleted from Backup. The event record specifies detailed information about the object and, if the object was deleted by a user, the user account. Objects are also deleted automatically by the application according to the Backup settings.

By default, events related to Backup are not stored in the Kaspersky Security Center Event Log. You can change this setting in the Kaspersky Security Center Console.
