Data in logs and trace files

Kaspersky Anti Targeted Attack Platform records user action logs and particular actions of the program components. Logs may contain all data displayed in the information about alerts, policies, events, tasks, and task results.

Data on the Central Node server is stored in open, non-encrypted form and is deleted on a rotational basis when the maximum allowed file size is reached. Logs store data for the last 7 days, and that data is permanently deleted when the program is uninstalled.

The Kaspersky Anti Targeted Attack Platform administrator must independently ensure the security of this data.

Kaspersky Anti Targeted Attack Platform writes data to the following logs:

  1. Processing history log. This is stored in the file /var/log/kaspersky/apt-history/apt-history.log on the Central Node and Sensor servers. This log records the stages involved in processing objects, modifications made to settings, information about the completion of tasks and preventions, so that such information can be subsequently used for the purposes of troubleshooting and improving the quality of the program. The data that is written to the processing history log is listed below.
    1. Information about a scanned file:
      • MD5 hash of the scanned file.
      • File processing date.
      • Scan result.
      • Version of the database used to scan the file.
      • Kernel that was involved in scanning the file.
    2. Information about processing a file or URL based on a white list:
      • Name, type, size of the file, file path, MD5 hash and SHA256 hash of the file, and the URL from which the file was downloaded.
      • URL.
      • White list rule.
      • IP address and port of the computer that established the connection (client).
      • IP address and port of the computer from which the connection was established (server).
      • Type of HTTP request (GET, POST).
      • Date and time of the request (with precision up to the second).
      • User Agent (browser data) of the client.
      • Referrer.
      • Type of DNS message (request, response).
      • Type of DNS request (A, MX).
      • Date and time of the DNS message (with precision up to the second).
      • List of all IP servers (for A-record DNS response).
      • List of all domain names of mail servers, and all IP addresses associated with the A-record (for MX-record DNS response).
      • Value of the triggered white list rule: email address, IP address, domain, type of file, and MD5 hash of the file.
    3. Information about processing an email according to the white list:
      • Information about the message: email addresses of the sender and recipients.
      • Subject of the message.
    4. Instance of alert generation:
      • Alert importance.
      • Date and time when the event is detected.
      • Modules and technologies employed to scan the file.
      • Results of the scan by modules and technologies.
      • MD5 hash of the scanned file.
      • Scanned URL.
    5. Creation of tasks for computers with the Endpoint Sensors component:
      • Task ID, creation time, task execution timeout, and task type.
      • IP address, and name of the host to which the task is assigned.
      • Name, path to the requested file, and MD5 hash of the requested file.
      • Task priority.
    6. Processing of task execution results for computers with the Endpoint Sensors component:
      • Path of the temporary file of the package from the computer with the Endpoint Sensors component, and package size.
      • Host name and IP address of the computer with the Endpoint Sensors component.
      • Version of the report from the computer with the Endpoint Sensors component.
      • Details of file scan results.
      • Process ID, and number of memory areas.
      • Indicator of successful task processing.
      • Description of the error that occurred when processing tasks of the computer with the Endpoint Sensors component. In addition to technical information, the error description may contain the following user data:
        • Paths to files located on the computer with the Endpoint Sensors component.
        • Email messages: message body, attachments, email addresses of the sender and recipients of the message, IP address of the message sender, information contained in service headers of the message, and the email message ID.
        • Contents of files.
        • URLs extracted from the email message from which a file was downloaded or that the user clicked through.
        • User account name, IP address and name of the user's computer.
        • MachineID of the user's computer.
        • UID of the user's computer in KSC.
        • Unique ID of the computer from the Endpoint Sensors component.
        • MAC address of the user's computer.
    7. Policy management:
      • Prevention ID, data and time of modifications made to the prevention.
      • MD5- or SHA256 hash of the file.
      • Unique ID of the computer from the Endpoint Sensors component.
      • Prevention name.
      • MachineID of the host.
  2. Audit log. This is stored in the file /var/log/kaspersky/apt-audit.log on the Central Node and Sensor servers. The log records actions taken on accounts, settings, and changes to the operating statuses of program components, so that such information can be subsequently used for troubleshooting purposes. The data that is written to the audit log is listed below.
    1. Information about modifications to the white list:
      • User account name.
      • Value of the white list element: MD5 hash, format, URL mask, subnet, User Agent (browser data), and email address.
    2. Statuses of program components:
      • Time, component name, IP address, status, and error description.
      • Database update status.
    3. Actions on user accounts:
      • Event type (creation, modification, deletion).
      • Date and time.
      • User account name.
      • IP address of the user's computer.
      • User role.
      • User status (active/user operations suspended).
      • Name of the user account that made the modification.
    4. Modification to VIP group entries:
      • Event type.
      • Date and time.
      • Name of the user that created or modified the VIP group entry.
      • IP address, FQDN of the computer, and email address.
    5. Actions taken on alerts:
      • Alert ID.
      • Name of the user account that performed the action on the alert.
  3. The system log and trace files are stored on the Central Node and Sensor servers. The system log is saved in the directory /var/log. Trace files are saved in the directory /var/log/kaspersky.

Trace files in open (non-encrypted) form may contain the same data that is included in the scope of data on alerts, policies, events, tasks, and task results. You can configure trace files to be written to syslog (in Technical Support Mode).

The system log records general information about the status of the program, as well as errors and exceptions in the operation of various components of the program (including from a third-party developer) and the operating system.

In addition to data on alerts, policies, events, tasks, and task results, trace files and system logs may also contain the following user data:

  1. Paths to files on the local computer.
  2. Email messages: message body, attachments, email addresses of the sender and recipients of the message, IP address of the message sender, information contained in service headers of the message, and the message ID.
  3. Contents of files.
  4. URL:
    • extracted from the email message
    • used to download a file
    • clicked through by the user
  5. User account name, IP address and name of the user's computer.
  6. MachineID of the user's computer.
  7. UID of the user's computer in KSC.
  8. Unique ID of the computer from the Endpoint Sensors component.
  9. MAC address of the user's computer.

See also

Data of the Central Node and Sensor components

Data in alerts

Data in events

Targeted Attack Analyzer data

Data in reports

Data on objects in Backup

Data on program settings
Page top