System audit

For Linux systems only.

Kaspersky Scan Engine includes the system audit functionality. If the Kaspersky Scan Engine GUI is used, system audit is enabled by default and cannot be disabled. Also, when you turn on syslog logging, Kaspersky Scan Engine prompts you to turn on system audit as well.

With the system audit, it is much easier to monitor the functioning Kaspersky Scan Engine and to analyze security incidents when they happen.

In order to analyze incidents, you might need to gather the following information:

• Who or what initiated the events related to the incident.
• What actions did the initiator take, and whether or not they were successful.
• If a Kaspersky Scan Engine user is the initiator, then who granted the user access rights.
• How the Kaspersky Scan Engine settings have changed.

On the Kaspersky Scan Engine dashboard, you can find information about initiators of events and events details.

Users that have the role Operator can only view events related to scanning and events initiated by themselves. Users that have the role Administrator can view information without limitations. See also the detailed information about the user roles.

If you do not use the Kaspersky Scan Engine GUI, you can find information about events in the syslog messages.

In this section Identification of the event initiator Getting detailed information about events on the dashboard Getting detailed information about events from the syslog

Page top