Configuring log settings in Administration Plug-in
You can edit the following settings of Kaspersky Security for Windows Server logs:
Length of the storage period for events in task logs and the system audit log.
Location of the folder in which Kaspersky Security for Windows Server stores task log files and the system audit log file.
Event generation thresholds for the Application database is out of date, Application database is extremely out of date, and Critical areas scan has not been performed for a long time events.
Events that Kaspersky Security for Windows Server saves in task logs, the system audit log, and the event log of Kaspersky Security for Windows Server in Event Viewer.
Settings for publishing audit events and task performance events to the syslog server via the Syslog protocol.
To configure Kaspersky Security for Windows Server logs, perform the following steps:
In the Application Console tree, open the context menu of the Logs and notifications node and select Properties.
The Logs and notifications settings window opens.
In the Logs and notifications settings window, configure the logs in accordance with your requirements. To do this, perform the following actions:
On the General tab, if necessary, select events that Kaspersky Security for Windows Server will save in task logs, the system audit log, and the event log of Kaspersky Security for Windows Server in Event Viewer. To do this, perform the following actions:
In the Component list, select the component of Kaspersky Security for Windows Server for which you want to set the detail level.
For the Real-Time File Protection, RPC Network Storage Protection, ICAP Network Storage Protection, Script Monitoring, On-Demand Scan, and Update components, events are recorded in task logs and the event log. For these components, the event table contains the Task log and Windows Event Log columns. Events for the Quarantine and Backup components are registered in the system audit log and the event log. For these components, the event table contains the Audit and Windows Event Log columns.
In the Importance level list, select a detail level for events in task logs, the system audit log, and the event log for the selected component.
In the following table with a list of events, the check boxes are selected next to events that are registered in task logs, the system audit log, and the event log, according to the current detail level.
If you want to manually enable registration of specific events for a selected component, perform the following actions:
In the Importance level list, select Custom.
In the table with the list of events, select the check boxes next to events that you want to be registered in task logs, the system audit log, and the event log.
On the Advanced tab, configure the log storage settings and event generation thresholds for device protection status:
Path to the log folder in UNC (Universal Naming Convention) format.
Default path: C:\ProgramData\Kaspersky Lab\Kaspersky Security for Windows Server\11\Reports\.
If the default path is changed, a folder with a corresponding name is created. The new logs will be stored in the new folder. The old logs will be preserved.
The check box enables / disables a function that deletes logs with the results of completed tasks and events published in the logs of running tasks after the specified period of time (default value: 30 days).
If the check box is selected, Kaspersky Security for Windows Server deletes logs with the results of completed tasks and events published in the logs of running tasks after the specified period of time.
The check box enables / disables a function that deletes events recorded in the system audit log after the specified period of time (default value: 60 days).
If the check box is selected, Kaspersky Security for Windows Server deletes events recorded in the system audit log after the specified period of time.
The check box is cleared by default.
In the Event generation thresholds section:
Specify the number of days after which the Application database is out of date, Application database is extremely out of date and Critical areas scan has not been performed for a long time events will occur.
Event generation thresholds
Setting: Event generation thresholds.
Description: You can specify thresholds for generation of the following event types:
Application database is out of date and Application database is extremely out of date. These events occur if the Kaspersky Security for Windows Server database has not been updated during the period (in days) specified by the setting since the release date of the most recently installed database updates. You can configure administrator notifications about this event.
Critical areas scan has not been performed for a long time. This event occurs if none of the tasks marked with the Consider task as critical areas scan check box are performed during the specified number of days.
Possible values: Number of days from 1 to 365.
Default value:
Application databases are obsolete – 7 days.
Application databases are extremely out of date – 14 days.
Critical Areas Scan has not been performed for a long time – 30 days.
On the SIEM integration tab, configure the settings for publishing audit events and task performance events to the syslog server.