Kaspersky Endpoint Security 12 for Linux

Viewing events in the command line

July 22, 2024

ID 264029

In the command line, you can view:

  • Current application events
  • Events in the application event log

Displaying current events

You can output information about all current application events or about current events associated with starting or stopping a specified task. You can use the filter to output certain current events, for example, events of a specified type.

To output information about all current application events, run:

kesl-control -W

The command returns the name of the event and additional information about the event.

To output only information about current events associated with a running task, run:

kesl-control --start-task <task ID/name> -W

Example:

Enable display of the current events of the running task with ID=1:

kesl-control --start-task 1 -W

To output information about current events that match the filter conditions, run:

kesl-control -W --query "<filter conditions>"

The filter conditions are one or more logical expressions in the format <field> <comparison operator> '<value>', combined with the logical operator and.

Example:

Display TaskStateChanged events:

kesl-control -W --query "EventType == 'TaskStateChanged'"

Example:

Display TaskSettingsChanged events initiated by the 'User' user:

kesl-control -W --query "EventType == 'TaskSettingsChanged' and Initiator == 'User'"

Displaying events from the event log

You can output information about events from the application event log to the console or a file. You can use a filter to display only certain events.

To output information about all events in the application event log, run:

kesl-control -E --query [--db <database file>]

where:

  • <database file> is the full path to the event log database file to output events from. By default, the application saves information about events to the database at /var/opt/kaspersky/kesl/private/storage/events.db. The location of the database is determined by the EventsStoragePath global application setting.

You can use less to navigate the list of displayed events. By default, the application stores up to 500,000 events. The maximum number of events that the application stores is determined by the MaxEventsNumber general application setting.

If the event log is located in the default database, you can output information about all events using the command:

kesl-control -E

To output information about events in the application event log that meet certain criteria, run:

kesl-control -E --query "<filter conditions>" [--db <database file>] [-n <number>] [--json] [--reverse]

where:

  • <filter conditions>: one or several logical expressions in the format <field> <comparison operator> '<value>', combined with the logical operator and, that limit the results.
  • <number>: number of the latest events of the selection (number of records from the end of the selection) to be displayed.
  • --json: output events in JSON format.
  • --reverse: display events in reverse order (from the newest event at the top to the oldest at the bottom).

To output information about events in the application event log that meet certain criteria to a file, run:

kesl-control -E --query "<filter conditions>" [--db <database file>] [-n <number>] --file <file name and path> [--json]

where --file <file name and path> is the full path to the file to output events to.
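When the filter is assembled by a script rather than typed by hand, the values placed inside the quoted '<value>' literal should be validated first. The following is an added example, not part of the Kaspersky documentation: the function names build_kesl_filter and export_kesl_events are hypothetical, only the == operator shown on this page is used, and values containing quotes are rejected because this page does not document an escape rule.

```shell
#!/bin/sh
# Added example (not Kaspersky code): build a --query filter from FIELD=VALUE
# pairs and export matching events as JSON with the options documented above.

# build_kesl_filter FIELD=VALUE [FIELD=VALUE ...]
# Prints e.g.: EventType == 'TaskSettingsChanged' and Initiator == 'User'
build_kesl_filter() {
    filter=""
    for pair in "$@"; do
        case "$pair" in
            *=*) ;;
            *) echo "expected FIELD=VALUE, got: $pair" >&2; return 1 ;;
        esac
        field=${pair%%=*}
        value=${pair#*=}
        # Assumption: field names are alphanumeric (EventType, Initiator).
        case "$field" in
            ""|*[!A-Za-z0-9]*) echo "bad field name: $field" >&2; return 1 ;;
        esac
        # Refuse quotes so a value cannot close the literal and add conditions.
        case "$value" in
            *\'*|*\"*) echo "quote in value for $field" >&2; return 1 ;;
        esac
        if [ -n "$filter" ]; then filter="$filter and "; fi
        filter="${filter}${field} == '${value}'"
    done
    [ -n "$filter" ] || { echo "no conditions given" >&2; return 1; }
    printf '%s\n' "$filter"
}

# export_kesl_events OUTFILE COUNT FIELD=VALUE [FIELD=VALUE ...]
# Writes the latest COUNT matching events to OUTFILE in JSON format.
export_kesl_events() {
    out=$1; count=$2; shift 2
    case "$count" in
        ""|*[!0-9]*) echo "COUNT must be a number" >&2; return 1 ;;
    esac
    q=$(build_kesl_filter "$@") || return 1
    kesl-control -E --query "$q" -n "$count" --file "$out" --json
}
```

For example, export_kesl_events /tmp/settings-changes.json 100 EventType=TaskSettingsChanged Initiator=User writes the latest 100 matching events to the given file (the path is a constructed sample).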
