Kaspersky Security 9.x for SharePoint Server

Kaspersky Security events in Windows Event Log

May 15, 2024

ID 127197

This section contains information about basic events in the application operation that are recorded to Windows Event Log. Events related to the Kaspersky Security operation are recorded to Windows Event Log by KSHSecurityService (Kaspersky Security service). Each of those events has a respective fixed event code. Events in this table are sorted by event code in ascending order.

Main events in the application operation

| Event code | Task category | Event importance level | Description |
|---|---|---|---|
| 1011 | AntivirusScanner; Dlp; TextCategorizer. | Error | Such an event is logged if the application registers any errors in the operation of a component. The event record specifies the component name and the error description. |
| 1011 | AntivirusScanner; Dlp; TextCategorizer. | Warning | Such an event is logged if the application registers the disabling of a component. The event record specifies the component name. |
| 1011 | AntivirusScanner; Dlp; TextCategorizer. | Info | Such an event is logged if the application registers the enabling of a component. The event record specifies the component name. |
| 1015 | OAS | Warning | Such an event is logged if the application detects an infected file during an on-access scan. |
| 1019 | OAS | Warning | Such an event is logged if the application detects unwanted content during an on-access scan. |
| 1020 | OAS | Warning | Such an event is logged if the application detects a phishing link during an on-access scan. |
| 1021 | ODS | Info | Such an event is logged if the on-demand scan task has been run manually or automatically (by schedule). The event record specifies the task name and the run type. |
| 1022 | ODS | Info | Such an event is logged if the on-demand scan task was stopped. The event record specifies the task name and the task stop reason. |
| 1023 | ODS | Info | Such an event is logged if the user requested the on-demand scan task to run. The event record specifies the user account. |
| 1024 | ODS | Info | Such an event is logged if the user requested the on-demand scan task to stop. The event record specifies the user account. |
| 1041 | Updates | Error | Such an event is logged if an update of the application databases fails. The event record specifies the error description. |
| 1042 | Updates | Info | Such an event is logged if an application database update error is fixed and the databases are successfully updated. The event record specifies the database release date. |
| 1091 | Updates | Error | Such an event is logged if the application detects that the databases became outdated more than 24 hours ago. The event record specifies the database release date. |
| 1092 | Updates | Info | Such an event is logged if the application databases have been updated to the latest version. The event record specifies the database release date. |
| 6200 | Infrastructure | Error | Such an event is logged if an application component switched to restricted scan mode. The event record specifies the component name and the time it switched to restricted scan mode. |
| 7114 | Backup | Info | Such an event is logged if the user deleted a file from Backup. The event record specifies the user account and the file details. |
| 7115 | Backup | Info | Such an event is logged if the user saves a file from Backup to disk. The event record specifies the user account and the file details. |
| 7116 | Backup | Info | Such an event is logged if the user restores a file from Backup. The event record specifies the user account and the file details. |
| 10200 | Licensing | Warning | Such an event is logged if no active key is detected. |
| 10201 | Licensing | Error | Such an event is logged if the license expired. The event record specifies the key and the license expiration date. |
| 10202 | Licensing | Warning | Such an event is logged if the Notify about license expiration in advance (days before) setting has been defined. The event record specifies the key, the license expiration date, and the number of days left until this date. |
| 11010 | Infrastructure | Info | Such an event is logged if the Management Console has been run. The event record specifies the account of the user who has run the Management Console. |
| 11011 | Infrastructure | Info | Such an event is logged if the Management Console was closed. The event record specifies the account of the user who closed the Management Console. |
| 16000 | Dlp | Warning | Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log setting is defined in the policy or in the Search task and the application detected a file that violates the security policy. |
| 16012 | Dlp | Warning | Such an event is logged if the security officer requested an incident-attached object to be saved to disk. |
| 16013 | Dlp | Warning | Such an event is logged if the security officer archived some incidents. |
| 16100 | Dlp | | Such an event is logged if the Notify when adding Kaspersky Lab categories setting is defined and Kaspersky Lab categories were updated during the application database update. The event record specifies the names of categories that have been updated, as well as their brief descriptions. |
| 30000 | Configuration | Info | Such an event is logged if some of the application settings have been modified. The event record specifies the account of the user who modified the settings, the modification scope (for example, Content Filtering), and the new values of the settings. |
| 31000 | Licensing | Info | Such an event is logged if the key status, license expiration date, number of users, or license type have changed. The event record specifies the key, the license type, the license expiration date, and the number of license users. |
| 31022 | Licensing | Info | Such an event is logged if the user performed an action on the Security Server key or the DLP Module key. The event record specifies the user account. |
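The following is an added example, not part of the Kaspersky documentation: it pairs the "problem" events in the table with their matching recovery events to report protection gaps that are still open. It assumes the events were already exported from Windows Event Log into records with the hypothetical fields `time`, `id`, `level` and `component` (the component name extracted from the event text, whose exact format this page does not give).

```python
from datetime import datetime

# (event code, importance level) that opens a degraded-protection condition
OPENS = {
    (1011, "Warning"): "component disabled",
    (1041, "Error"): "database update failing",
    (1091, "Error"): "databases outdated",
    (6200, "Error"): "restricted scan mode",  # the table lists no clearing event
}
# Recovery events; treating 1092 as clearing 1091 is this example's assumption
CLOSES = {
    (1011, "Info"): "component disabled",
    (1042, "Info"): "database update failing",
    (1092, "Info"): "databases outdated",
}

def open_conditions(events):
    """Return {(condition, component): time_opened} for conditions never closed."""
    state = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["id"], ev["level"])
        comp = ev.get("component", "")
        if key in OPENS:
            state.setdefault((OPENS[key], comp), ev["time"])  # keep first occurrence
        elif key in CLOSES:
            state.pop((CLOSES[key], comp), None)
    return state

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample records (not real log output)
SAMPLE = [
    {"time": _t("2024-05-01T08:00:00"), "id": 1041, "level": "Error"},
    {"time": _t("2024-05-01T09:00:00"), "id": 1011, "level": "Warning", "component": "AntivirusScanner"},
    {"time": _t("2024-05-01T10:00:00"), "id": 1042, "level": "Info"},
    {"time": _t("2024-05-01T11:00:00"), "id": 1011, "level": "Warning", "component": "Dlp"},
    {"time": _t("2024-05-01T12:00:00"), "id": 1011, "level": "Info", "component": "Dlp"},
    {"time": _t("2024-05-02T09:30:00"), "id": 1091, "level": "Error"},
    {"time": _t("2024-05-02T10:00:00"), "id": 1015, "level": "Warning"},
]

if __name__ == "__main__":
    for (condition, comp), since in open_conditions(SAMPLE).items():
        print(f"OPEN since {since.isoformat()}: {condition} {comp}".rstrip())
```

Event 1011 is keyed on the importance level as well as the code, because the same code covers component errors, disabling and enabling.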
