Viewing events

Support

Support for business applications

Kaspersky Endpoint Security 11 for Linux

Events and reports

Viewing events

January 19, 2023

ID 201952

You can view events in the following ways:

In the application event log. The event log is located in the directory specified by the EventsStoragePath general application setting. By default, the application saves information about events to the following database directory /var/opt/kaspersky/kesl/private/storage/events.db. Root privileges are required to access the database of events.
In the general application settings, if the UseSysLog setting has the value Yes, then event data is also written to syslog. Root privileges are required to access syslog.
Enable output of current application events using the kesl-control -W command.
If Kaspersky Endpoint Security is managed by Kaspersky Security Center, information about events may be transmitted to the Kaspersky Security Center Administration Server. If three events of the same type, from the same initiator, with the same name are created within one minute, then the application switches to event aggregation mode and sends one aggregated event that describes these recurring events to Kaspersky Security Center every 10 minutes. Kaspersky Endpoint Security administrator can configure the execution of a script upon receiving events from the application or upon receiving notifications about events by e-mail. For more information about events, refer to Kaspersky Security Center documentation.
If the graphical user interface (GUI) is enabled, information about events can be viewed in reports and in application pop-up windows.

To get information about all events in the event log, run the following command:

kesl-control -E --query|less

By default, the application stores up to 500,000 events. You can use the less command to navigate through the list of displayed events.

You can view specific events using the application's event store query system.

When creating a query, specify the required field, select a logical expression, and specify the required value for it. The value must be specified in single quotation marks ('), and the whole query must be specified in double quotation marks ("):

--query "<field> <logical expression> '<value>' [and <field> <logical expression> '<value>' *]"

The date field should be specified in the UNIX time stamp system (the number of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970).

ThreatDetected example:

EventType=ThreatDetected

EventId=2671

Initiator=Product

Date=2020-04-30 17:17:17

DangerLevel=Critical

FileName=/root/eicar.com.txt

ObjectName=File

TaskName=File_Monitoring

RuntimeTaskId=2

TaskId=1

DetectName=EICAR-Test-File

TaskType=OAS

FileOwner=root

FileOwnerId=0

DetectCertainty=Sure

DetectType=Virware

DetectSource=Local

ObjectId=1

AccessUser=root

AccessUserId=0

Query examples:

Get all events by the EventType field:

kesl-control -E --query "EventType == 'ThreatDetected'"

Display all events with the specified values of the EventType and FileName fields:

kesl-control -E --query "EventType == 'ThreatDetected' and FileName like '%eicar%'"

Display all events generated by the File_Threat_Protection task after the specified time:

kesl-control -E --query "TaskName == 'File_Threat_Protection' and Date > '1588253494'"

Kaspersky Endpoint Security for Linux: High protection without performance compromising

Detects and blocks advanced threats. Buy as part of Endpoint Security for Business Advanced.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.