Viewing events

You can view events in the following ways:

To get information about all events in the event log, run the following command:

kics-control -E --query|less

By default, the application stores up to 500,000 events. You can use the less command to navigate through the list of displayed events.

You can view specific events using the application's event store query system.

When creating a query, indicate the required field, select a comparison operator, and specify the desired value. The value must be specified in single quotation marks ('), and the whole query must be specified in double quotation marks ("):

--query "<field> <comparison operator> '<value>' [and <field> <comparison operator> '<value>' *]"

You can specify a date value in UNIX time (the number of seconds that have elapsed since 00:00:00 (UTC), January 1, 1970) or in YYYY-MM-DD hh:mm:ss format. The user specifies the date and time in the user's local time zone, and the application displays them in the same time zone.

ThreatDetected example:

EventType=ThreatDetected

EventId=2671

Initiator=Product

Date=2020-04-30 17:17:17

DangerLevel=Critical

FileName=/root/eicar.com.txt

ObjectName=File

TaskName=File_Monitoring

RuntimeTaskId=2

TaskId=1

DetectName=EICAR-Test-File

TaskType=OAS

FileOwner=root

FileOwnerId=0

DetectCertainty=Sure

DetectType=Virware

DetectSource=Local

ObjectId=1

AccessUser=root

AccessUserId=0

Query examples:

Get all events by the EventType field:

kics-control -E --query "EventType == 'ThreatDetected'"

Display all events with the specified values of the EventType and FileName fields:

kics-control -E --query "EventType == 'ThreatDetected' and FileName like '%eicar%'"

Get events generated by File_Threat_Protection task after the date specified in UNIX™ time (the number of seconds that have elapsed since 00:00:00 (UTC), January 1, 1970):

kics-control -E --query "TaskName == 'File_Threat_Protection' and Date > '1588253494'"

Get all events generated by the File_Threat_Protection task after the date specified in YYYY-MM-DD hh:mm:ss format:

kics-control -E --query "TaskName == 'File_Threat_Protection' and Date > '2022-11-22 18:42:54'"

Page top