Kaspersky IoT Secure Gateway 1000

Viewing the operating system audit log

April 12, 2024

ID 260268

Kaspersky IoT Secure Gateway 1000 saves events related to system security to the operating system audit log. These events are created by system entities. Each event contains the identifier (user or component name) of the subject that registered the event.

When a critical event occurs, an exclamation mark alarm icon is displayed next to the Audit menu section on the left. If this happens, contact the employee responsible for information security in your organization.

To view the operating system audit log:

  1. In the menu in the left part of the web interface page, select the Audit section.

    This opens the Audit page, which contains a table of all registered operating system audit events. Events in the table are refreshed every 30 seconds and displayed in reverse chronological order (new events first). The table can display a maximum of 1024 of the last registered events. If this limit is exceeded, the log is overwritten starting with the oldest entries.

    If the audit event language in the table does not match the system language, select the relevant web interface language in the menu and refresh the page to apply the changes.

    The following information is displayed for each log entry:

    • Date and time: date and time when the event was registered.
    • Event name: name of the registered event.
    • Event text: detailed information about the registered event.
    • Subject ID: source of the registered event:
      • Administrator: the event was triggered by an administrator action in the system.
      • User: the event was triggered by a user action in the system.
      • System: the event was triggered by a system action. For each event, the log displays the name of the subsystem where the event occurred.
    • Severity: the severity level of the registered event.

      Events are categorized by the following severity levels:

      • Informational. Informational events contain reference information. These events usually do not require an immediate response.
      • Warning. Warning events contain information that requires attention. These events may require a response.
      • Critical. Critical events contain information that may have a critical impact on system operation. These events require an immediate response.

      When a critical event occurs, an exclamation mark alarm icon is displayed next to the Audit menu section on the left. In the table, audit events with a critical level of severity are highlighted in red.

  2. To view events for a specific date or period, click in the Date field, select a specific date or start and end dates for the period, and click Apply.

    The table will display events for the selected date or period.

  3. To view events that have a specific severity, select the relevant severity level from the Severity drop-down list in the upper part of the table and click Apply. You can select one or multiple values. Events with all severity levels are displayed by default.

    The table will display events with the selected severity level.

  4. To view events that came from specific sources, select the relevant subject from the Subject ID drop-down list in the upper part of the table and click Apply. You can select one or multiple values. All registered events are displayed by default.

    The table will display events from the selected sources.

  5. If you need to clear all the set filters for displaying events in the table, click Reset all.

    All registered events will be displayed in the table.

  6. To display older events, click Load more under the table.

    The Load more button is always available, even if there are no earlier events.
