Records in the application user activity log

Records in the Sandbox user activity log have the CEF format (CEF messages). By looking at a log record, you can understand which event occurred as a result of user actions.

Example of a record about installing a virtual machine image:

CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform (Sandbox)|7.1.0.530|vm|Managing virtual machines|Low| dvs=<IP> deviceExternalId=ubuntu-server eventId=1965096788380487496 rt=Apr 25 2025 04:59:16 src=<IP> suser=admin cs1=installing the default image cs1label=CentOS7_x64-1.0.0.19888

The example above contains three groups of fields:

CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform (Sandbox)|7.1.0.530|vm|Managing virtual machines|Low| — header fields.
dvs=<IP> deviceExternalId=ubuntu-server eventId=1965096788380487496 rt=Apr 25 2025 04:59:16 src=<IP> suser=admin cs1=installing the default image — fields of the CEF message body that are common to all records.
cs1label=CentOS7_x64-1.0.0.19888 — field specific to actions that have an object. For example, the object of the "installing a virtual machine image" action is a virtual machine image, and the cs1label field contains the name of this image.

Header fields

The header of each message contains the following information:

Format version.
Current version number: 0. Current field value: CEF:0.
Vendor.
Current field value: AO Kaspersky Lab.
Application name.
Current field value: Kaspersky Anti Targeted Attack Platform.
Application version
Current field value: 7.1.1.531.
Event type.
Can contain one of the following values:
- user_account
  Events related to Sandbox user accounts.
- settings
  Events related to Sandbox settings.
- kata
  Events related to the connection between Sandbox and Central Node.
- vm
  Events related to virtual images of operating systems deployed in Sandbox.
Name of the event specified in the header.
Can contain one of the following values:
- Managing user accounts
  Actions on user accounts. Belongs to the user_account type.
- Count of unsuccessful authorization attempts exceeded
  Failed authorization attempt limit exceeded. Belongs to the user_account type.
- Settings
  Editing Sandbox server settings Belongs to the settings type.
- Configuring integration with KATA Central Node
  Configuring integration with Central Node. Belongs to the kata type.
- Managing virtual machines
  Actions with virtual machines. Belongs to the vm type.
Event importance.
Current field value: Low.

Fields common for all events

Fields of the CEF message have the "<key>=<value>" format. Each CEF message contains the following fields:

dvs
IP address of the Sandbox server.
device external ID
Name of the Sandbox server.
eventId
Event ID.
rt
Event date and time.
src
IP address of the user that performed the action.
suser
Name of the user that performed the action.
cs1
Event (see the table below).

Special fields of events

Events and special fields

Event specified in the cs1 field	Special event fields

Managing user accounts
`changing the administrator password`	`cs1label` Name of the user whose password was changed.
`log on`	`cs1label` Name of the user that was authorized.
`log off`	`cs1label` Name of the user that ended the session.
Count of unsuccessful authorization attempts exceeded
`count of unsuccessful authorization attempts`	`cs1label` User name involved in the failed authorization attempt. `cn1` Number of failed authorization attempts.
Settings
`assigning the server name to be used by DNS servers` `configuring DNS settings` `configuring settings of the management interface` `configuring settings of the network interface for internet access of processed objects` `configuring the route settings` `configuring proxy server connection settings` `configuring the date and time on the server` `configuring the time zone on the server` `configuring the synchronization with NTP servers`	`cs1label` Name of the server whose settings were changed.
`saving the configuration` `restoring the configuration`	`cs1label` Name of the server whose settings were saved or restored.
`restarting the server` `powering off the server`	`cs1label` Name of the server that was restarted or powered off.
`downloading the logs` `downloading the user actions log`	`cs1label` Name of the server from which the log files were downloaded.
`selecting a database update source` `updating database manually`	`cs1label` Name of the server on which the anti-virus databases were updated or the update source was changed.
`setting the maximum number of virtual machines`	`cs1label` Number of virtual machines that was specified.
`enabling counting of unsuccessful authorization attempts` `disabling counting of unsuccessful authorization attempts`	`cs1label` Name of the server on which the count of unsuccessful authorization attempts was enabled or disabled.
`modifying the counting period for unsuccessful authorization attempts`	`cs1label` Name of the server on which the period for counting unsuccessful authorization attempts was changed. `cn1` The period in minutes for counting unsuccessful authorization attempts.
`changing user session lock time`	`cs1label` Name of the server on which the maximum duration of user inactivity was changed. `cn1` Maximum duration in minutes of an inactive user session.
Configuring integration with KATA Central Node
`accepting connection to KATA Central Node` `rejecting connection to KATA Central Node` `removing connection to KATA Central Node`	`cs1label` Fingerprint of the Central Node from which the connection request originated.
Managing virtual machines
`importing the default image` `deleting the default image` `unpacking the default image`	`cs1label` Name of the virtual machine image file being uploaded or deleted.
`installing the default image` `deleting the virtual machine deployed from the default image` `cancelling the default images installation`	`cs1label` Name of the virtual machine image that was deployed, removed, or had its installation canceled.
`uploading ISO` `removing ISO`	`cs1label` Name of the ISO image that was uploaded or deleted.
`creating custom template` `importing custom template` `exporting custom template` `enabling custom template` `disabling custom template` `stopping custom template` `deleting custom template`	`cs1label` Name of the custom virtual machine template that was created, imported, exported, enabled, disabled, stopped, or deleted.
`downloading manifest file` `uploading debug symbols`	No special fields.
`mounting ISO to custom template` `unmounting ISO from custom template`	`cs1label` Name of the custom virtual machine template to which the ISO image was mounted or from which the ISO image was unmounted. `cs2label` Name of the mounted or unmounted ISO image.
`creating custom virtual machine from custom template` `deleting custom virtual machine` `changing the custom virtual machine status to "online"` `changing the custom virtual machine status to "enabled"`	`cs1label` Name of the virtual machine that was deployed from a custom image, deleted, or had its status changed.

If an operation is performed on over 30 objects simultaneously, only one entry is logged for this operation. The entry includes the information about the operation and the number of objects on which it was performed.

Page top