Kaspersky Secure Mail Gateway

Event log

Various events occur during the operation of Kaspersky Secure Mail Gateway. These events reflect changes in the state of the application and the results of applying message processing rules. Kaspersky Secure Mail Gateway records information about all such events in the event log so that the administrator can independently analyze errors in application settings or monitor the operation of message processing rules, and so that Kaspersky experts can provide effective technical support.

The event log is stored on application nodes. Records in the event log are automatically rotated when the maximum allowed file size or the maximum allowed storage duration is reached.

In this Help section

Viewing the event log

Configuring event table display

Filtering email traffic processing events

Filtering system events

Viewing information about email traffic processing events

System event types

Exporting the event log

Configuring the event log

[Topic 207731]

Viewing the event log

To view the Kaspersky Secure Mail Gateway event log:

  1. In the main window of the application web interface, open the management console tree and select the Events section.
  2. Select one of the following tabs depending on the type of events that you want to view:
    • Mail traffic.
    • System.

    Event information is displayed as a table.

    Columns of the table of email traffic processing events display the following information:

    • Date and time is the date and time when the event occurred.
    • Sender email is the email address of the message sender.
    • Sender IP is the IP address of the host that sent the message.
    • Recipient email is the email address of the message recipient.
    • Subject is the message subject.
    • Rule name is the name of the rule which caused the message to be processed.

      You can view rule details by clicking the link with the rule name.

    • Action is the action that was performed on the message.
    • Application message ID is the unique ID that the program assigns to the message.
    • SMTP message ID is the ID assigned to the message at the mail server.
    • Node is the IP address and port of the node where the message was processed.

    Columns of the system event table display the following information:

    • Date and time is the date and time when the event occurred.
    • Node is the IP address and port of the node where the event occurred.
    • Event type is the type of the event (for example, Database update or Settings import).
    • User is the name of the user under whose account the event occurred. Actions that the application performs automatically are recorded under the "kluser" account.
    • Result is the result of processing the event: Success or Fail.
    • Details is additional information about the event, such as the error message of a failed database update.
  3. You can sort events by a column. To do so, click the header of the column in the table:
    • The Sender email, Recipient email, Subject, Rule name, Action, Event type, User, Result and Details columns are sorted alphabetically, A to Z or Z to A.

      By default, the sort direction for these columns is A to Z.

    • The Date and time and Node columns are sorted in ascending or descending order.

      By default, the sort direction for these columns is ascending.

The table of events is displayed in accordance with the sorting criteria.

By default, the table displays all columns. To customize how the table is displayed, open the Customize table window by clicking the Settings button.

[Topic 207721]

Configuring event table display

To configure the display of the event table:

  1. In the main window of the application web interface, open the management console tree and select the Events section.
  2. Select one of the following tabs depending on the type of events that you want to view:
    • Mail traffic.
    • System.

    Event information is displayed as a table.

  3. Click Settings.

    This opens the Customize table window.

  4. If you want to turn the display of a table column on or off:
    • If you want to display a column, select the check box next to the setting that you want to see in the table. You can select multiple settings.
    • If you want to hide a column, clear the check box next to the setting that you do not want to see in the table. You can select multiple settings.

      At least one check box must be selected.

  5. If you want to change the order of columns in the table:
    1. Select the row with the relevant setting.
    2. In the right part of the row, press and hold the drag handle button and drag the row up or down.
    3. In the lower part of the window, click OK.
  6. Close the table display configuration window.

The display of the event table is configured.

[Topic 207723]

Filtering email traffic processing events

You can filter events in the event log by one or more criteria.

To filter email traffic processing events in the event log:

  1. In the main window of the program web interface, open the management console tree and select the Events section.
  2. Select the Mail traffic tab.

    Event information is displayed as a table.

  3. Click Filters.

    This opens the add filter window.

  4. Click Add filter.
  5. In the fields that appear, configure the filtering criterion that you want. To do so, (a) select a criterion, (b) select a logical operator, and (c) enter or select a value, as described below for each criterion.

    Date and time
      (b) from; before
      (c) Message processing period.

    Sender email
      (b) contains; not contains; equal; not equal
      (c) Text for searching sender email addresses.
          You can enter an email address (for example: example-email@example.com), a domain name (for example: example.com) or several characters from the email address (for example: exa).

    Recipient email
      (b) contains; not contains; equal; not equal
      (c) Text for searching recipient email addresses.

    Subject
      (b) contains; not contains
      (c) Text for searching message subjects.

    Rule name
      (b) contains; not contains; equal; not equal
      (c) Name of the rule that was applied when processing the message.

    Action
      (b) equal; not equal
      (c) Action that was performed on the message.

    Sender IP
      (b) equal; not equal
      (c) IP address from which the message was sent.
          You can enter the address in IPv4 or IPv6 format.

    Application message ID
      (b) equal; not equal
      (c) Unique identifier assigned to the message by the application.

    SMTP message ID
      (b) contains; not contains; equal; not equal
      (c) Message ID on the mail server.
          This ID can be used for finding an event when responding to a user request, if you have configured the ID to be added to notifications about rejected messages.

    Node
      (b) equal; not equal
      (c) Cluster node that processed the message.

    Scan statuses
      (b) contains; not contains
      (c) In the drop-down list on the right, select the detection technology (for example, Anti-Virus or Anti-Spam). Then click the Select statuses field and, in the drop-down list, select the check boxes next to the statuses that you want to use to filter events. Selected statuses are combined with the logical "OR" operator.
          The set of available statuses depends on the selected technology.

    You can enter multiple filtering criteria. To add another criterion, click Add filter.

  6. Click Search.
  7. Close the add filter window.

The table of events is displayed in accordance with filtering criteria.

The table displays information about the last 5000 events. If more than 5000 events match the filtering criteria, consider refining the search criteria.

[Topic 207724]

Filtering system events

Information about system events is logged in the event log of the node where the events take place. When the node is removed from the cluster or access to the node is lost, its system events become unavailable. If you need a durable record of system events, export the event table or forward events to Syslog (configured separately from the event log) before a node is decommissioned.

You can filter events in the event log by one or more criteria.

To filter system events in the event log:

  1. In the main window of the program web interface, open the management console tree and select the Events section.
  2. Select the System tab.

    Event information is displayed as a table.

  3. Click Filters.

    This opens the add filter window.

  4. Click Add filter.
  5. In the fields that appear, configure the filtering criterion that you want. To do so, (a) select a criterion, (b) select a logical operator, and (c) enter or select a value, as described below for each criterion.

    Date and time
      (b) from; before
      (c) Time period when the event occurred.

    Node
      (b) equal; not equal
      (c) IP address and port of the node on which the event occurred.

    Event type
      (b) equal; not equal
      (c) Select one of the following event types: LDAP synchronization; Audit; Database update; Settings export; Settings import.

    User
      (b) contains; not contains; equal; not equal
      (c) Name of the LDAP user under whose account the event occurred.
          Actions that the application performs automatically are recorded in the event log under the "kluser" account.

    Result
      (b) equal; not equal
      (c) Select one of the following options: Success; Fail.

    You can enter multiple filtering criteria. To add another criterion, click Add filter.

  6. Click Search.
  7. Close the add filter window.

The table of events is displayed in accordance with filtering criteria.

The table displays information about the last 5000 events. If more than 5000 events match the filtering criteria, consider refining the search criteria.

[Topic 212445]

Viewing information about email traffic processing events

In the event information window, you can click the link in the upper part of the window to go to the Backup section and view information about the messages in Backup that are related to this event.

To view information about an email traffic processing event:

  1. In the main window of the application web interface, open the management console tree and select the Events section.
  2. Select the Mail traffic tab.

    Email traffic processing event information is displayed as a table.

  3. Select the event for which you want to view information.

    This opens a window containing information about the event.

The information window for an email traffic processing event contains the following fields:

  • Date and time is the date and time when the event occurred.
  • Node is the IP address and port of the node where the message was processed.
  • Sender email is the email address of the message sender. The address is taken from the SMTP envelope (the value of the MAIL FROM command), not from the From header of the message.
  • To lists the addresses of the message recipients. Contains addresses from the SMTP envelope (values of the RCPT TO command) that also occur in the To MIME header.
  • CC lists the addresses of recipients of a copy of the message. Contains addresses from the SMTP envelope (values of the RCPT TO command) that occur in the Cc MIME header but not in the To MIME header.
  • BCC lists the addresses of recipients of a blind copy of the message. Contains addresses from the SMTP envelope (values of the RCPT TO command) that occur in neither the To MIME header nor the Cc MIME header.
  • Subject is the message subject.
  • Rule name is the name of the rule which caused the message to be processed.

    You can view rule details by clicking the link with the rule name.

  • Action is the action that was performed on the message.
  • The Scan result settings group displays statuses assigned to the message by each scanning module.
    • Anti-Virus:
      • Not scanned.
      • Not detected.
      • Encrypted.
      • Error.
      • Disinfected.
      • Infected.
    • Anti-Spam:
      • Not scanned.
      • Not detected.
      • Trusted.
      • Formal message.
      • Error.
      • Probable spam.
      • Denylist.
      • Spam.
      • Massmail.
    • Anti-Phishing:
      • Not scanned.
      • Not detected.
      • Error.
      • Phishing.
    • Links scanning:
      • Not scanned.
      • Not detected.
      • Error.
      • Detected.
      • Bases error.
    • Content Filtering:
      • Not scanned.
      • Not detected.
      • Size exceeded.
      • Banned file name.
      • Banned file format.
      • Error.
    • KATA:
      • Detected.
      • Error.
      • Not detected.
      • Not scanned.
      • Skipped.

      This is displayed only when KATA integration is configured.

  • Attachment information:
    • File name.
    • File size (bytes).
    • File formats.

      The information about the file format is displayed if the format of the attached file is specified in a Content Filtering processing rule.

  • Attachment scan result.
[Topic 207772]

System event types

The following table describes the system events that are recorded in the event log (Events section, System tab). For each event type, it lists the event processing result (Success or Fail) and the information recorded in the Details column.

Description of system event types

Event type: Database update
  Success   Anti-Virus databases are up to date
  Success   Update started
  Success   Anti-Virus databases are applied. Update time: "<Date and time of the update>"
  Fail      Database update error: <Name of the error>
  Fail      Error loading Anti-Virus databases: <Name of the error>
  Success   Anti-Spam databases are up to date
  Success   Anti-Spam databases are applied. Update time: "<Date and time of the update>"
  Fail      Error loading Anti-Spam databases: <Name of the error>
  Success   Anti-Phishing databases are up to date
  Success   Anti-Phishing databases are applied. Update time: "<Date and time of the update>"
  Fail      Error loading Anti-Phishing databases: <Name of the error>

Event type: Audit
  Success   Audit started

Event type: LDAP synchronization
  Success   LDAP synchronization started

Event type: Settings export
  Fail      Application settings export failed
  Success   Application settings are exported

Event type: Settings import
  Fail      Application settings import failed
  Success   Application settings are imported
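The system event types above are the raw material for routine health and audit checks: failed database updates (stale Anti-Virus, Anti-Spam or Anti-Phishing databases on a node) and settings imports or exports performed under a human account rather than the application's own "kluser" account. The following Python script, added here as an example and not part of Kaspersky's documentation or product, runs such checks over a CSV export of the System tab. It assumes the export carries the column names shown in the System table (Date and time, Node, Event type, User, Result, Details) with Details text matching the messages in the table above; the header layout, the date format and the sample rows are constructed for this example.

```python
"""Triage of an exported Kaspersky Secure Mail Gateway 'System' event table.

Added example, not Kaspersky code. Assumes the CSV export carries the columns
shown in the System tab and that the Details text follows the messages listed
in the system event types table; header layout, date format and sample rows
are constructed for this example.
"""
import csv
import io
import re
from datetime import datetime

DATE_FMT = "%Y-%m-%d %H:%M:%S"   # assumed format of the exported Date and time column
AUTOMATIC_ACCOUNT = "kluser"     # account under which the application logs its own actions

# Constructed sample export (not real data). Single-quoted so the CSV-escaped
# double quotes inside the Details field can appear verbatim.
SAMPLE_CSV = '''\
Date and time,Node,Event type,User,Result,Details
2024-05-01 03:00:01,10.0.0.11:443,Database update,kluser,Success,Update started
2024-05-01 03:00:09,10.0.0.11:443,Database update,kluser,Success,"Anti-Virus databases are applied. Update time: ""2024-05-01 02:40:00"""
2024-05-01 03:00:02,10.0.0.12:443,Database update,kluser,Success,Update started
2024-05-01 03:00:15,10.0.0.12:443,Database update,kluser,Fail,Error loading Anti-Spam databases: connection timed out
2024-05-01 10:14:33,10.0.0.11:443,Settings import,jdoe,Success,Application settings are imported
2024-05-01 12:00:00,10.0.0.11:443,LDAP synchronization,kluser,Success,LDAP synchronization started
2024-05-01 12:30:00,10.0.0.12:443,Settings export,kluser,Success,Application settings are exported
'''

# Patterns derived from the Details messages in the system event types table.
DB_ERROR_RE = re.compile(r"^Error loading (Anti-Virus|Anti-Spam|Anti-Phishing) databases: (.*)$")
GENERIC_DB_ERROR_RE = re.compile(r"^Database update error:\s*(.*)$")
APPLIED_RE = re.compile(r'^(Anti-Virus|Anti-Spam|Anti-Phishing) databases are applied\. Update time: "(.*)"$')


def load_events(text):
    """Parse the exported table into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def failed_events(rows):
    """Every event whose Result is Fail, regardless of type."""
    return [r for r in rows if r["Result"] == "Fail"]


def database_errors(rows):
    """(node, database, error) for each failed Database update event."""
    out = []
    for r in rows:
        if r["Event type"] != "Database update" or r["Result"] != "Fail":
            continue
        m = DB_ERROR_RE.match(r["Details"])
        if m:
            out.append((r["Node"], m.group(1), m.group(2)))
            continue
        m = GENERIC_DB_ERROR_RE.match(r["Details"])
        out.append((r["Node"], "all", m.group(1)) if m else (r["Node"], "unknown", r["Details"]))
    return out


def manual_settings_changes(rows):
    """Settings import/export events not performed under the application's own account.

    These are configuration changes made (or exported) by a person and are
    worth reviewing against the change record.
    """
    return [(r["Date and time"], r["User"], r["Event type"], r["Node"], r["Result"])
            for r in rows
            if r["Event type"] in ("Settings export", "Settings import")
            and r["User"] != AUTOMATIC_ACCOUNT]


def latest_database_update_result(rows):
    """Per node, (Result, Details) of the most recent completed Database update event.

    'Update started' only marks the beginning of an update and is skipped, so a
    node whose last completed event is Fail still shows as failed.
    """
    latest = {}
    for r in rows:
        if r["Event type"] != "Database update" or r["Details"] == "Update started":
            continue
        ts = datetime.strptime(r["Date and time"], DATE_FMT)
        if r["Node"] not in latest or ts > latest[r["Node"]][0]:
            latest[r["Node"]] = (ts, r["Result"], r["Details"])
    return {node: (res, det) for node, (_, res, det) in latest.items()}


def applied_database_versions(rows):
    """Per (node, database), the Update time quoted in the 'databases are applied' message."""
    applied = {}
    for r in rows:
        m = APPLIED_RE.match(r["Details"])
        if m:
            applied[(r["Node"], m.group(1))] = m.group(2)
    return applied


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print("failed events:", len(failed_events(events)))
    print("database errors:", database_errors(events))
    print("manual settings changes:", manual_settings_changes(events))
    print("last update per node:", latest_database_update_result(events))
    print("applied versions:", applied_database_versions(events))
```

Point `load_events` at the contents of a real export instead of `SAMPLE_CSV`; if the real header names differ, adjust the column names in one place. Nodes whose latest completed Database update is Fail, and any settings import under an account that is not "kluser", are the findings to act on.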


[Topic 207773]

Exporting the event log

You can export the event table to a CSV file.

To export the event table:

  1. In the main window of the application web interface, open the management console tree and select the Events section.
  2. Select one of the following tabs depending on the type of events that you want to view:
    • Mail traffic.
    • System.

    Event information is displayed as a table.

  3. Click Export.
  4. If the browser settings allow choosing the path for saving downloaded files, a file selection window opens. Specify the path where you want to save the file and click Save.

The file begins downloading. The event table is exported into a CSV file.

If you have filtered the events in the table, sorted events by a column, or customized which columns are displayed, these settings are applied to the exported file.
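Because the export preserves the current filter, sorting and column selection, the same filter semantics described under "Filtering email traffic processing events" (contains / not contains / equal / not equal, a from/before period, and OR-combined scan statuses) can be reproduced offline over the CSV, for example when a helpdesk ticket quotes an SMTP message ID from a rejection notification, or to see which sender IPs are repeatedly triggering Reject or Delete actions. The following Python script, added here as an example and not part of Kaspersky's documentation or product, does this. It assumes the export uses the column names shown in the Mail traffic table; the header layout, the date format, the extra "Anti-Spam" status column used to show the scan status filter, the AND combination of several criteria, the "Skip" action name and the sample rows are all assumptions made for this example.

```python
"""Apply the web interface's 'Mail traffic' filter semantics to an exported event table.

Added example, not Kaspersky code. Assumes the CSV export uses the column
names shown in the Mail traffic table; the date format, the 'Anti-Spam' status
column, the AND combination of criteria, the 'Skip' action name and the sample
rows are constructed for this example.
"""
import csv
import io
from collections import Counter
from datetime import datetime

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # assumed format of the exported Date and time column

# Actions named in the 'Log mail processing events' setting as blocking actions.
BLOCKING_ACTIONS = {"Reject", "Delete message", "Delete attachment"}

# Constructed sample export (not real data).
SAMPLE_CSV = """\
Date and time,Sender email,Sender IP,Recipient email,Subject,Rule name,Action,Application message ID,SMTP message ID,Node,Anti-Spam
2024-05-01 09:12:03,alice@example.com,198.51.100.10,bob@corp.example,Invoice 4711,Default rule,Skip,msg-0001,<a1@example.com>,10.0.0.11:443,Not detected
2024-05-01 09:15:44,promo@mailer.example,203.0.113.5,bob@corp.example,BIG SALE,Anti-Spam rule,Reject,msg-0002,<b2@mailer.example>,10.0.0.11:443,Spam
2024-05-01 09:20:10,news@mailer.example,203.0.113.5,carol@corp.example,Weekly digest,Anti-Spam rule,Delete message,msg-0003,<c3@mailer.example>,10.0.0.12:443,Massmail
2024-05-02 08:01:00,alice@example.com,198.51.100.10,carol@corp.example,Re: Invoice 4711,Default rule,Skip,msg-0004,<d4@example.com>,10.0.0.12:443,Not detected
"""


def load_events(text):
    """Parse the exported table into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value):
    return datetime.strptime(value, DATE_FMT)


def matches(row, column, op, value):
    """Evaluate one filter criterion (column, operator, value) against a row.

    Text comparisons are case-insensitive (an assumption; the page does not say).
    """
    cell = row[column]
    if op == "contains":
        return value.lower() in cell.lower()
    if op == "not contains":
        return value.lower() not in cell.lower()
    if op == "equal":
        return cell.lower() == value.lower()
    if op == "not equal":
        return cell.lower() != value.lower()
    if op == "from":            # Date and time: events at or after the given moment
        return _ts(cell) >= _ts(value)
    if op == "before":          # Date and time: events strictly before the given moment
        return _ts(cell) < _ts(value)
    if op == "status in":       # Scan statuses: any of the selected statuses (logical OR)
        return cell in value
    if op == "status not in":
        return cell not in value
    raise ValueError(f"unsupported operator: {op!r}")


def filter_events(rows, criteria):
    """Keep rows for which every (column, op, value) criterion holds (criteria are ANDed)."""
    return [r for r in rows if all(matches(r, c, o, v) for c, o, v in criteria)]


def blocked_by_sender_ip(rows):
    """Count of blocking actions per Sender IP: repeat offenders for a connection-level block."""
    return dict(Counter(r["Sender IP"] for r in rows if r["Action"] in BLOCKING_ACTIONS))


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    # Helpdesk case: find the event for an SMTP message ID quoted in a rejection notification.
    for e in filter_events(events, [("SMTP message ID", "equal", "<b2@mailer.example>")]):
        print(e["Date and time"], e["Sender email"], "->", e["Recipient email"], e["Action"], e["Rule name"])
    # Triage case: everything blocked during a period, then the sender IPs behind it.
    period = [("Date and time", "from", "2024-05-01 00:00:00"),
              ("Date and time", "before", "2024-05-02 00:00:00"),
              ("Action", "not equal", "Skip")]
    print(len(filter_events(events, period)), "blocked in period")
    print(blocked_by_sender_ip(events))
```

Read a real export from disk and pass its text to `load_events`; if the real header names differ, only the column names in the criteria need to change. The web interface shows at most the last 5000 events, so a saved export made while the filter was narrow is also the way to keep a complete record of a given search.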

[Topic 207722]

Configuring the event log

When configuring the event storage duration and selecting event types to be logged, you must take into account the amount of free disk space on processing servers.

Settings for event logging in the event log do not affect Syslog event logging settings.

To configure the logging of events in the event log:

  1. In the program web interface window, select the Settings → Logs and events → Events section.
  2. In the Mail traffic settings group:
    1. In the Log mail processing events drop-down list, select traffic processing events that you want to be logged in the event log. You can select one of the following options:
      • All
      • Delete message/Delete attachment/Reject action applied
      • Nothing

      By default, the All option is selected.

      New settings are applied only to events logged in the event log after the settings are applied. New settings do not apply to events that were logged earlier.

      Settings are applied on all cluster nodes.

    2. In the Maximum event log size (MB) field, enter the size of the event log that, when reached, will cause earlier records to be deleted.

      Default value: 1024 MB. Possible values: integers from 100 to 2147483647.

    3. In the Logging period (days) field, enter the number of days during which the program must store email traffic processing events on the server.

      Default value: 3 days. Possible values: integers from 1 to 8589934592.

  3. In the System group of settings, in the Maximum number of events field, enter the number of Kaspersky Secure Mail Gateway events that, if exceeded, will cause older records to be deleted.

    The default value is 100,000. Possible values: integers from 1 to 2147483647.

Event logging in the event log is configured.

[Topic 207725]