Kaspersky Endpoint Security 12 for Linux

About trace files

January 23, 2024

ID 198079

A trace file lets you track the step-by-step execution of application commands and detect the stage at which an application error occurs.

Trace files are stored on the device as long as the application is in use, and are deleted permanently when the application is removed. Trace files are not sent to Kaspersky automatically.

Trace files are saved in a human-readable format. It is recommended that you protect the information in a trace file from unauthorized access before sending it to Kaspersky.

By default, trace files are stored in the directory /var/log/kaspersky/kesl/. Root privileges are required to access the default trace files directory.
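A permissions check for the default trace directory named above, as an added example that is not part of the Kaspersky documentation or the application. It assumes the intended state is that every entry is owned by root and grants no access to "other"; the function name audit_trace_dir and the finding labels are hypothetical.

```shell
#!/bin/sh
# Added example. audit_trace_dir is a hypothetical helper, not a KESL command.
# Assumed policy: every entry is owned by root and grants nothing to "other".
# Usage: audit_trace_dir [DIR] [OWNER]
# Returns 0 = clean, 1 = findings printed, 2 = directory missing or unreadable.
audit_trace_dir() {
    dir=${1:-/var/log/kaspersky/kesl}
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 2
    fi
    # Without read+search permission find would see nothing and the
    # directory would look clean, so refuse instead of reporting "ok".
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "ERROR: cannot read $dir (run as root)" >&2
        return 2
    fi

    # Any r/w/x bit for "other"; symlinks are skipped because their
    # own mode bits are not used for access checks.
    world=$(find "$dir" ! -type l \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print)
    # Entries owned by anyone other than the expected owner.
    foreign=$(find "$dir" ! -user "$owner" -print)

    rc=0
    if [ -n "$world" ]; then
        printf '%s\n' "$world" | sed 's/^/WORLD-ACCESSIBLE /'
        rc=1
    fi
    if [ -n "$foreign" ]; then
        printf '%s\n' "$foreign" | sed 's/^/WRONG-OWNER /'
        rc=1
    fi
    return "$rc"
}
```

Source the file and call `audit_trace_dir` as root with no arguments to check the default directory; pass a different directory as the first argument if trace files are stored elsewhere.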

Contents of trace files

All trace files contain the following general data:

  • Event time.
  • Number of the thread of execution.
  • Application component that caused the event.
  • Degree of event severity (informational event, warning, critical event, error).
  • A description of the event involving command execution by a component of the application and the result of execution of this command.

Trace files may store the following information in addition to general data:

  • The statuses of the application components and their operational data.
  • Data on user activity in the application.
  • Data on the hardware installed on the device.
  • Data about all operating system objects and events, including information about user activity.
  • Data contained in the objects of the operating system (for example, the contents of files that may contain any user personal data).
  • Network traffic data (for example, the contents of the entry fields on a website, which may include bank card information or any other sensitive data).
  • Data received from Kaspersky servers (such as the version of the application databases).

Trace files of administration plug-ins

If you use the Kaspersky Security Center Administration Console to manage the Kaspersky Endpoint Security application, information about events that occur during operation of the MMC administration plug-in may be logged to a trace file of the Kaspersky Endpoint Security MMC plug-in on the device where the Kaspersky Security Center Administration Server is installed. The file name contains the version number of Kaspersky Endpoint Security, file creation date and time, and process ID (PID). This file contains information about the events that occur during MMC plug-in operation, in particular, about the operation of policies and tasks.

In addition to general data, the trace file may contain the following information:

  • Personal data, including the last name, first name, and middle name, if such data is part of the path to files.
  • The name of the account used to log in to the operating system if the user account name is part of a file name.

By default, trace files of the Kaspersky Endpoint Security MMC plug-in are not created. You can use registry keys to create the MMC plug-in trace file. Contact Technical Support representatives for detailed information on how to create trace files.

All created trace files of the MMC plug-in are located in the folder specified by the user during registry key configuration.

If you use the Kaspersky Security Center Web Console to manage the Kaspersky Endpoint Security application, information about events that occur during operation of the web administration plug-in may be written to the trace files of the web plug-in.

Trace files for the web plug-in are created automatically if logging of Web Console activities is enabled in Web Console Installation Wizard (for more details, refer to the Kaspersky Security Center Help).

Trace files of the web plug-in are stored in the Web Console installation folder in the "logs" subfolder.
