Kaspersky Security events in Kaspersky Security Center
April 2, 2024
ID 133609
This section contains accumulated information on application events that are written to the event log of the Kaspersky Security Center Administration Server.
Kaspersky Security Center also lets you export Kaspersky Security events to SIEM systems via the Syslog protocol.
For more detailed information about working with application events and policies using the Kaspersky Security Center Administration Server, please refer to the Kaspersky Security Center Administrator's Guide.
Kaspersky Security events related to triggers in the Kaspersky Security Center Event Log
Event | Event importance level | Description |
Limited scan mode enabled | Critical event | Such an event is logged if an application component switched to restricted scan mode. The event record specifies the component name and the time it switched to restricted scan mode. |
An infected or password-protected object was detected | Informational message | Such an event is logged if the Notifications node has the Log events to Windows Event Log check box selected in the notification subject corresponding to the event and an infected or protected object is detected. |
An attachment file or content whose parameters match the filtering criteria has been detected | Informational message | Such an event is logged if the Notifications node has the Log events to Windows Event Log check box selected in the notification subject corresponding to the event and an infected file attachment matching the attachment filtering criteria is detected. |
Outgoing spam message or phishing message detected | Informational message | Such an event is logged if the application detected an outgoing email message containing spam or phishing content. The event record contains information about the message. |
Application component error | Critical event | Such an event is logged if the application registers any errors in the operation of a component. The event record specifies the component name and the error description. |
By default, events related to triggers are stored in the Kaspersky Security Center Event Log for 30 days. You can change this setting in the Kaspersky Security Center Console.
Kaspersky Security events related to the Anti-Virus database and the Anti-Spam database in the Kaspersky Security Center Event Log
Event | Event importance level | Description |
Anti-Virus databases are up to date | Informational message | Such an event is logged if the application anti-virus databases have been updated to the latest version. The event record specifies the database release date. |
Anti-Virus databases are out of date | Critical event | Such an event is logged if the Anti-Virus databases were last updated more than 24 hours ago. |
Anti-Spam databases are outdated | Warning | Such an event is logged if the Anti-Spam databases were last updated more than 5 hours ago. |
Anti-Virus databases update error is fixed. Anti-Virus databases have been updated successfully | Informational message | Such an event is logged if an Anti-Virus database update error is fixed and the databases are successfully updated. The event record specifies the database type and release date. |
Database update error | Critical event | Such an event is logged if an update of the application databases fails. The event record specifies the database type and the error description. |
Anti-Spam databases have been updated | Informational message | Such an event is logged if the Anti-Spam databases have been updated to the latest version. The event record specifies the database type and release date. |
Anti-Spam databases update error is fixed. Anti-Spam databases have been updated successfully | Informational message | Such an event is logged if an Anti-Spam database update error is fixed in the application and the databases are successfully updated. The event record specifies the database type and release date. |
By default, events related to the application database are stored in the Kaspersky Security Center Event Log for 30 days. You can change this setting in the Kaspersky Security Center Console.
Kaspersky Security events related to application access to the SQL server in the Kaspersky Security Center Event Log
Event | Event importance level | Description |
Error connecting to the SQL Server | Critical event | Such an event is logged if the application registers an error on the SQL server. The event record specifies the database name, the SQL server name, and the error description. |
Connection to the SQL Server is restored | Informational message | Such an event is logged if access to the SQL database is restored. |
By default, events related to the application database are stored in the Kaspersky Security Center Event Log for 30 days. You can change this setting in the Kaspersky Security Center Console.
Kaspersky Security events related to application licensing in the Kaspersky Security Center Event Log
Event | Event importance level | Description |
An action was performed on the Security Server key | Informational message | Such an event is logged if the key status, license expiration date, number of users, or license type have changed. The event record specifies the key, the license type, the license expiration date, and the number of license users. |
User has performed an action on the Security Server key | Informational message | Such an event is logged if the user performed an action on the Security Server key. The event record specifies the user account. |
Active key is not detected | Critical event | Such an event is logged if the Notifications node has the Log events to Windows Event Log and Kaspersky Security Center Event Log check box selected in the notification subject corresponding to the event and an active key is not detected. |
License expired | Critical event | Such an event is logged if the Notifications node has the Log events to Windows Event Log and Kaspersky Security Center Event Log check box selected in the notification subject corresponding to the event, the Notify about license expiration in advance (days before) setting is configured, and the primary license expired. The event record specifies the key, the license expiration date, and the number of days left until this date. |
License is about to expire | Warning | Such an event is logged if the Notifications node has the Log events to Windows Event Log and Kaspersky Security Center Event Log check box selected in the notification subject corresponding to the event and the primary license expires soon. The event record specifies the key, the license expiration date, and the number of days left until this date. |
License status has not been updated in a long time | Warning | Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node and the application was not able to update the license status. The event record specifies the key, the license expiration date, and the number of days left until the application switches to limited functionality mode. |
Error occurred when updating license status | Critical event | Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node, the application was not able to update the license status, and the license update period has expired. The event record provides a description of the cause of the error. |
By default, events related to application licensing are stored in the Kaspersky Security Center Event Log for 30 days. You can change this setting in the Kaspersky Security Center Console.
Kaspersky Security events related to monitoring and audit in the Kaspersky Security Center Event Log
Event | Event importance level | Description |
Anti-Virus for the Hub Transport role is enabled | Informational message | Such an event is logged if the application registers the enabling of the Anti-Virus for the Hub Transport role component. |
Anti-Virus for the Hub Transport role is disabled | Warning | Such an event is logged if the application registers the disabling of the Anti-Virus for the Hub Transport role component. |
Anti-Virus for the Mailbox role is enabled | Informational message | Such an event is logged if the application registers the enabling of the Anti-Virus for the Mailbox role component. |
Anti-Virus for the Mailbox role is disabled | Warning | Such an event is logged if the application registers the disabling of the Anti-Virus for the Mailbox role component. |
Anti-Spam is enabled | Informational message | Such an event is logged if the application registers the enabling of the Anti-Spam component. |
Anti-Spam is disabled | Warning | Such an event is logged if the application registers the disabling of the Anti-Spam component. |
A background scan task has been stopped | Informational message | Such an event is logged if the background scan was stopped. The event record specifies the reason for the scan stop. |
Virus scan statistics | Informational message | Such an event is logged if the on-demand scan has been run manually or automatically (by schedule). The event record specifies the run type. |
User has changed application settings | Informational message | Such an event is logged if the user has changed application settings. The event record specifies the user account that changed the settings as well as detailed information about the changed application settings. |
User has attempted to start a background scan | Informational message | Such an event is logged if the user requested the on-demand scan task to run. The event record specifies the user account. |
User has attempted to stop a background scan | Informational message | Such an event is logged if the user attempted to stop a background scan task. The event record specifies the user account and the reason for stopping the task. |
Attachment and content filtering is enabled | Informational message | Such an event is logged if the application registers the enabling of the Attachment Filtering component. |
Attachment and content filtering is disabled | Warning | Such an event is logged if the application registers the disabling of the Attachment Filtering component. |
By default, events related to monitoring and audit are stored in the Kaspersky Security Center Event Log for 30 days. You can change this setting in the Kaspersky Security Center Console.
Kaspersky Security events related to Backup in the Kaspersky Security Center Event Log
Event | Event importance level | Description |
User sent an object from Backup to its original recipients | Informational message | Such an event is logged if the user attempted to send an object from Backup to its original recipients. The event record specifies detailed information about the object and the user account. |
User sent an object from Backup to manually specified email addresses | Informational message | Such an event is logged if the user attempted to send an object from Backup to manually specified email addresses. The event record specifies detailed information about the object and the user account. |
User has sent a backup object to Kaspersky for analysis | Informational message | Such an event is logged if the user sent a possibly infected object from Backup to Kaspersky for examination. The event record specifies detailed information about the object and the user account. |
User has sent a message marked as spam to Kaspersky for analysis | Informational message | Such an event is logged if the user attempted to send an object from Backup to Kaspersky for analysis but the application identified the object as spam by mistake. The event record specifies detailed information about the object and the user account. |
User has attempted to save a Backup object to disk | Informational message | Such an event is logged if the user requested to save an object from Backup to disk. The event record specifies detailed information about the object and the user account. |
User has removed an object from Backup | Informational message | Such an event is logged if an object was deleted from Backup. The event record specifies detailed information about the object and the user account, if the object was deleted by a user. The application deletes an object according to the Backup settings. |
By default, events related to Backup are not stored in the Kaspersky Security Center Event Log. You can change this setting in the Kaspersky Security Center Console.
