Administration Server critical events

The table below shows the event types of Kaspersky Security Center Administration Server that have the Critical importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

If you specified the port in the Administration Server properties window in the Administration Console, Kaspersky Security Center publishes its metrics and critical events so that Prometheus, a system for monitoring and alerting, can obtain them. Prometheus obtains the metrics and critical events, and then generates alerts for each event.

| Event type display name | Event type ID | Event type | Description | Default storage term |
|---|---|---|---|---|
| License limit has been exceeded | 4099 | KLSRV_EV_LICENSE_CHECK_MORE_110 | Once a day Kaspersky Security Center checks whether a license limit is exceeded. Events of this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license exceeds 110% of the total number of units covered by the license. Even when this event occurs, client devices are protected. You can respond to the event in the following ways: • Look through the managed devices list. Delete devices that are not in use. • Provide a license for more devices (add a valid activation code or a key file to Administration Server). Kaspersky Security Center determines the rules to generate events when a license limit is exceeded. | 180 days |
| Virus outbreak | 26 (for File Threat Protection) | GNRL_EV_VIRUS_OUTBREAK | Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period. You can respond to the event in the following ways: | 180 days |
| Virus outbreak | 27 (for Mail Threat Protection) | GNRL_EV_VIRUS_OUTBREAK | Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period. You can respond to the event in the following ways: | 180 days |
| Virus outbreak | 28 (for firewall) | GNRL_EV_VIRUS_OUTBREAK | Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period. You can respond to the event in the following ways: | 180 days |
| Device has become unmanaged | 4111 | KLSRV_HOST_OUT_CONTROL | Events of this type occur if a managed device is visible on the network but has not connected to Administration Server for a specific period. Find out what prevents the proper functioning of Network Agent on the device. Possible causes include network issues and removal of Network Agent from the device. | 180 days |
| Device status is Critical | 4113 | KLSRV_HOST_STATUS_CRITICAL | Events of this type occur when a managed device is assigned the Critical status. You can configure the conditions under which the device status is changed to Critical. | 180 days |
| The key file has been added to the denylist | 4124 | KLSRV_LICENSE_BLACKLISTED | Events of this type occur when Kaspersky has added the activation code or key file that you use to the denylist. Contact Technical Support for more details. | 180 days |
| Limited functionality mode | 4130 | KLSRV_EV_LICENSE_SRV_LIMITED_MODE | Events of this type occur when Kaspersky Security Center starts to operate with basic functionality, without Vulnerability and patch management and without Mobile Device Management features. Following are causes of, and appropriate responses to, the event: • License term has expired. Provide a license to use the full functionality mode of Kaspersky Security Center (add a valid activation code or a key file to Administration Server). • Administration Server manages more devices than specified by the license limit. Move devices from the administration groups of an Administration Server to those of another Administration Server (if the license limit of the other Administration Server allows). | 180 days |
| License expires soon | 4129 | KLSRV_EV_LICENSE_SRV_EXPIRE_SOON | Events of this type occur when the commercial license expiration date is approaching. Once a day Kaspersky Security Center checks whether a license expiration date is approaching. Events of this type are published 30 days, 15 days, 5 days and 1 day before the license expiration date. You cannot change the number of days. If the Administration Server is turned off on the specified day before the license expiration date, the event will not be published until the next day. When the commercial license expires, Kaspersky Security Center provides only basic functionality. You can respond to the event in the following ways: • Make sure that a reserve license key is added to Administration Server. • If you use a subscription, make sure to renew it. An unlimited subscription is renewed automatically if it has been prepaid to the service provider by the due date. | 180 days |
| Certificate has expired | 4132 | KLSRV_CERTIFICATE_EXPIRED | Events of this type occur when the Administration Server certificate for Mobile Device Management expires. You need to update the expired certificate. | 180 days |
| Updates for Kaspersky application modules have been revoked | 4142 | KLSRV_SEAMLESS_UPDATE_REVOKED | Events of this type occur if seamless updates have been revoked (Revoked status is displayed for these updates) by Kaspersky technical specialists; for example, they must be updated to a newer version. The event concerns Kaspersky Security Center patches and does not concern modules of managed Kaspersky applications. The event provides the reason that the seamless updates are not installed. | 180 days |
| Audit: Export to SIEM failed | 5130 | KLAUD_EV_SIEM_EXPORT_ERROR | Events of this type occur when exporting events to the SIEM system failed due to a connection error with the SIEM system. | 180 days |

See also:

Administration Server functional failure events

Administration Server informational events

Administration Server warning events

About events in Kaspersky Security Center
