Kaspersky Industrial CyberSecurity for Networks

Configuring automatic saving of traffic for system event types

March 22, 2024

ID 152739

When editing event types, you can enable or disable automatic saving of traffic for events when they are registered. If saving of traffic is enabled, the network packet that triggered event registration, as well as packets before and after event registration, are saved in a database. The settings for saving traffic determine the number of saved network packets and the time limits.

If automatic saving of traffic is disabled for an event type (and user-defined settings enabling autosaving of traffic are not defined for this event type), you will be able to manually load traffic only after waiting some time after registration of an event of this type. In this case, the application uses traffic dump files to load traffic (these files are temporarily saved and are automatically deleted as more traffic is received). When traffic is loaded from these files, the database saves the number of network packets that was defined by default when enabling the saving of traffic for event types.

The application saves traffic in the database only when an event is registered. If the conditions for registering this event are repeated during the event regenerate timeout, traffic at this point in time is not saved in the database.

You can enable and configure the saving of traffic for any event types except a system event type assigned the code 4000002700. An event with the code 4000002700 is registered when there is no traffic at a monitoring point. For this reason, traffic is not expected for this type of event.

If saving of traffic is enabled for incidents (meaning for a system type of event that is assigned the code 8000000001), the application saves traffic for all embedded events of an incident when the incident is registered. The settings defined for the incident are applied when saving traffic of embedded events. However, the traffic storage settings defined directly for event types embedded in an incident take priority over the settings defined for an incident. This means that traffic for embedded events of an incident will be saved according to the settings defined for the specific types of these events. If these settings are not defined, the traffic for embedded events will be saved according to the settings defined for an incident.

To enable and configure the settings for saving traffic for an event type:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the Administrator account.
  2. Select Settings → Event types.
  3. In the table of event types, select the event type that you want to edit.

    The details area appears in the right part of the web interface window.

  4. Click the Edit button.
  5. Select the Save traffic toggle switch to Enabled.
  6. Configure saving of traffic before event registration. To do so, specify the necessary values in the Packets before event and/or Milliseconds before event fields. If a value is zero, that setting is not applied. If values are defined in both fields, the application saves packets until whichever of the two limits is reached first, i.e. the smaller resulting number of packets.
  7. Configure saving of traffic after event registration. To do so, specify the necessary values in the Packets after event and/or Milliseconds after event fields. If a value is zero, that setting is not applied. If values are defined in both fields, the application saves packets until whichever of the two limits is reached first, i.e. the smaller resulting number of packets.

    For certain technologies (particularly Deep Packet Inspection), fewer post-registration packets than defined by the settings for saving traffic may be saved in events. This is due to the technological specifics of traffic monitoring.

  8. Click Save.
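As an added illustration (not Kaspersky code; the data classes, the packet-selection logic and the sample capture are assumptions modelling the rules described on this page), the following Python applies the "zero means not applied" and "whichever limit is reached first" rules from steps 6 and 7 to a constructed capture, and shows the priority of embedded event type settings over incident settings:

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class TrafficSaveSettings:
    """The four fields of the event type edit form; 0 means 'not applied'."""
    packets_before: int = 0
    ms_before: int = 0
    packets_after: int = 0
    ms_after: int = 0

@dataclass
class Packet:
    ts_ms: int     # capture timestamp, milliseconds
    payload: bytes

def _take(packets, packet_limit: int, ms_limit: int, ref_ts: int) -> List[Packet]:
    """Keep packets until whichever enabled limit is reached first."""
    if packet_limit == 0 and ms_limit == 0:
        return []                      # neither limit applied: nothing saved
    kept: List[Packet] = []
    for p in packets:
        if packet_limit and len(kept) >= packet_limit:
            break
        if ms_limit and abs(p.ts_ms - ref_ts) > ms_limit:
            break
        kept.append(p)
    return kept

def select_saved_traffic(packets: List[Packet], trigger: int,
                         s: TrafficSaveSettings) -> List[Packet]:
    """Trigger packet plus the pre/post window the settings allow."""
    ref = packets[trigger].ts_ms
    before = _take(reversed(packets[:trigger]), s.packets_before, s.ms_before, ref)
    after = _take(packets[trigger + 1:], s.packets_after, s.ms_after, ref)
    return list(reversed(before)) + [packets[trigger]] + after

def effective_settings(incident: TrafficSaveSettings,
                       embedded: Optional[TrafficSaveSettings]) -> TrafficSaveSettings:
    """Settings defined directly for an embedded event type win over the incident's."""
    return embedded if embedded is not None else incident

# Constructed sample capture: one packet every 10 ms, event registered at index 4 (t=40 ms).
SAMPLE = [Packet(ts, b"\x00") for ts in range(0, 100, 10)]
SETTINGS = TrafficSaveSettings(packets_before=3, ms_before=25, packets_after=2)

def demo() -> List[int]:
    # returns [20, 30, 40, 50, 60]: the 25 ms limit cuts the pre-window to 2 packets
    return [p.ts_ms for p in select_saved_traffic(SAMPLE, 4, SETTINGS)]
```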
