You can configure persistent local storage of security events. This lets you save events locally, regardless of whether they have been sent to the SIEM system.
By default, security events are saved in the /var/security-events/ directory. Events of different types are recorded in the same file. The maximum size of one file is 100 MB. A new file is started when the current file exceeds the maximum size or, if the size limit is not exceeded, every hour.
To enable persistent local storage of security events:
This opens the Policy tab.
Persistent local storage of security events is enabled.
You can use SSH or SCP to download locally stored security event files from a Kaspersky NGFW device. If you download the files via SSH, connect to the Kaspersky NGFW device as you would to an SSH server. After downloading, the files also remain on the Kaspersky NGFW device.
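An added example, not taken from the Kaspersky NGFW documentation, of an incremental collector that pulls only new or still-growing files from /var/security-events/ over SSH/SCP, so that the files left on the device are not downloaded again on every run. The SSH account and host name, and the use of `ls -l` on the device for the remote listing, are assumptions.

```shell
#!/bin/sh
# Incremental collector for locally stored Kaspersky NGFW security events.
# Assumptions (not from the help page): the device answers SSH as
# ngfw-admin@ngfw.example.internal, that account may list the event
# directory with `ls -l`, and scp is available on the collector host.
NGFW_HOST="${NGFW_HOST:-ngfw-admin@ngfw.example.internal}"
REMOTE_DIR="/var/security-events"
LOCAL_DIR="${LOCAL_DIR:-./security-events}"

# select_files REMOTE_LISTING LOCAL_LISTING
# Both arguments are "name size" lines, one file per line. Prints the names
# that must be fetched: files missing locally and files whose size differs.
# The device keeps appending to the current file until it reaches 100 MB or
# the hour ends, so the newest file is re-fetched while it is still growing.
select_files() {
  remote="$1"; local_list="$2"
  printf '%s\n' "$remote" | while read -r name size; do
    [ -n "$name" ] || continue
    local_size=$(printf '%s\n' "$local_list" | awk -v n="$name" '$1 == n {print $2}')
    if [ "$local_size" != "$size" ]; then
      printf '%s\n' "$name"
    fi
  done
}

# Remote listing as "name size" lines (assumes a standard `ls -l` layout).
remote_listing() {
  ssh "$NGFW_HOST" "ls -l $REMOTE_DIR" | awk 'NF >= 9 {print $NF, $5}'
}

# Local listing in the same "name size" form.
local_listing() {
  [ -d "$LOCAL_DIR" ] || return 0
  for f in "$LOCAL_DIR"/*; do
    [ -f "$f" ] || continue
    printf '%s %s\n' "$(basename "$f")" "$(wc -c < "$f" | tr -d ' ')"
  done
}

# Fetch every file that select_files reports; existing copies are overwritten.
collect() {
  mkdir -p "$LOCAL_DIR"
  select_files "$(remote_listing)" "$(local_listing)" | while read -r name; do
    scp -q "$NGFW_HOST:$REMOTE_DIR/$name" "$LOCAL_DIR/$name"
  done
}

# Only contact the device when explicitly requested (NGFW_COLLECT=1).
if [ "${NGFW_COLLECT:-0}" = "1" ]; then collect; fi
```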
Use shell commands only in accordance with their descriptions in this Kaspersky NGFW Help or when instructed to do so by Kaspersky Technical Support. In other cases, we recommend using the Kaspersky NGFW command line.
You can view the list of security events and the list of files, and delete event files on the command line using the system family of commands. For a description of command families and a link to the complete list of Kaspersky NGFW configuration commands, see the Managing Kaspersky NGFW using the command line document.