Configuring logging in HTTP mode

March 5, 2024

ID 179879

This section explains how to manually configure logging in HTTP mode without using Kaspersky Scan Engine GUI.

See also detailed instructions on enabling logging.

Configuring logging

To configure logging, change the parameters in the httpdkavlog.ini logging configuration file (hereinafter referred to as the logging configuration file) located in the %service_dir%/bin directory. The configuration file consists of several sections.

DebugLogging section

  • LogLevel—Specifies the logging level.

    Possible values:

    • 0

      Disables logging. This is the default value.

    • 1

      Enables full logging mode. Use this mode for debugging purposes.

      If you enable full logging mode, be aware that the log messages will contain sensitive data.

      In HTTP mode, Kaspersky Scan Engine does not automatically remove log files from previous initializations. If necessary, you can remove these log files manually.

  • LogFolder—Specifies the path to a directory where log files are stored.

    The path can be absolute or relative. A relative path is calculated relative to the directory that contains the kavhttpd binary file.

SyslogLogging section

The settings below are available only for Linux operating systems.

  • SyslogEnabled—Specifies whether Kaspersky Scan Engine sends syslog messages.

    Possible values:

    • 0

      Disables sending of syslog messages.

    • 1

      Enables sending of syslog messages.

      If you enable sending of syslog messages, be aware that these messages will contain sensitive data, such as personal data as defined by GDPR, configuration data of the product, and licensing information.

SyslogDestination section

This element contains a group of settings that specify the format of the logs. If you need to write logs to different locations, you can specify several SyslogDestination elements. In this case, each element must have a different SyslogTarget value.

If SyslogEnabled (see above) has the value of 1, you must include at least one SyslogDestination element.

  • SyslogFormat—Specifies the format of syslog messages.

    Possible values:

    • cef—Specifies the cef format of syslog messages.
    • raw—Specifies the raw format of syslog messages. The raw format is also used if the value specified in this element is neither cef nor raw, if no value is specified in this element, or if the logging configuration file does not contain the SyslogFormat parameter.
  • SyslogTarget—Specifies the destination address for syslog messages.

    Possible values:

    • %PROTOCOL%%IP%:%PORT%, where:
      • %PROTOCOL% is a network protocol (use tcp:// or udp:// for this value).
      • %IP% is an IPv4 address that receives syslog messages.
      • %PORT% is a port that receives syslog messages.

      If you do not specify a protocol as described above, Kaspersky Scan Engine will use the UDP protocol.

    • localhost—Indicates that syslog messages are redirected to syslogd.
    • Path to a directory where log files with syslog messages are stored. The path must begin with /var/log/kaspersky.

      The directory contains the httpd_kav_syslog.log file. Log files with syslog messages created by previous sessions are not removed. If the directory contains an old file, Kaspersky Scan Engine writes new information to this file without deleting the old data.

  • SyslogEvents—Specifies events to be logged.

    You can specify multiple SyslogEvents values. Each value sets a type of event that is logged to the location specified in the SyslogTarget attribute. If you specify several values for one destination, separate them with a semicolon (;).

    Possible values:

    • Audit—Specifies system audit events.
    • Init—Specifies service initialization events.
    • Deinit—Specifies service deinitialization events and watchdog events.
    • Update—Specifies antivirus database update and reload events.
    • License—Specifies license-related events.
    • Engine—Specifies antivirus engine events. These events may be published frequently.
    • ScanResultClean—Specifies scan completion events when the scanned object is considered clean.
    • ScanResultDetect—Specifies scan completion events when a threat was detected.
    • ScanResultOther—Specifies scan completion events when the object was not scanned.

    If the SyslogDestination element does not contain the SyslogEvents child element, all the HTTP events are logged.

    If the SyslogDestination settings are incorrect, logging to the specified destination will be disabled.

    When syslog logging is enabled, system audit is enabled as well. If none of the SyslogEvents elements contains the Audit event, system audit settings are set as follows: SyslogFormat is set to raw, SyslogTarget is set to localhost, and SyslogEvents is set to audit.

Kaspersky Scan Engine can write debug logs and send syslog messages at the same time or separately.

Structure of the logging configuration file

Following is an example of a logging configuration file:

[DebugLogging]
LogLevel=0
LogFolder=logs

[SyslogLogging]
SyslogEnabled=0

[SyslogDestination]
SyslogFormat=raw
SyslogTarget=localhost
SyslogEvents=audit;init;deinit;update;license;engine

[SyslogDestination]
SyslogFormat=cef
SyslogTarget=/var/log/kaspersky/kse_udp_lic_events
SyslogEvents=license;update
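
The following Python check is an added example, not part of the product or of Kaspersky's documentation. It reads a logging configuration file and reports settings that conflict with the rules described in this section. The line-based parser, the function names, the case-insensitive matching of event names, and the sample values are assumptions made for this example.

```python
import re

# Event names listed in this section; matched case-insensitively (assumption).
EVENTS = {"audit", "init", "deinit", "update", "license", "engine",
          "scanresultclean", "scanresultdetect", "scanresultother"}
# [tcp://|udp://]IPv4:port (octet and port ranges are not checked here)
NET_TARGET = re.compile(r"^(tcp://|udp://)?(\d{1,3}(\.\d{1,3}){3}):(\d{1,5})$")
# Constructed sample configuration with deliberate mistakes.
SAMPLE = ("[DebugLogging]\nLogLevel=1\n[SyslogLogging]\nSyslogEnabled=1\n"
          "[SyslogDestination]\nSyslogTarget=192.0.2.10:514\n"
          "[SyslogDestination]\nSyslogFormat=json\nSyslogTarget=/tmp/kse\n")

def parse(text):
    """Return [(section, {key: value})]; repeated sections are kept apart."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def lint(text):
    """Check a logging configuration against the rules stated on this page."""
    sections, findings, seen = parse(text), [], set()
    single = dict(sections)  # DebugLogging and SyslogLogging appear once
    dests = [kv for name, kv in sections if name == "SyslogDestination"]
    if single.get("DebugLogging", {}).get("LogLevel", "0") == "1":
        findings.append("full debug logging is on: logs contain sensitive data")
    if single.get("SyslogLogging", {}).get("SyslogEnabled", "0") == "1" and not dests:
        findings.append("SyslogEnabled=1 requires at least one SyslogDestination")
    for i, kv in enumerate(dests, 1):
        target = kv.get("SyslogTarget", "")
        net = NET_TARGET.match(target)
        if kv.get("SyslogFormat", "raw") not in ("cef", "raw"):
            findings.append(f"destination {i}: unknown SyslogFormat, raw is used")
        if target in seen:
            findings.append(f"destination {i}: SyslogTarget {target} is repeated")
        seen.add(target)
        if net and not net.group(1):
            findings.append(f"destination {i}: no protocol given, UDP is used")
        elif not net and target != "localhost" and not target.startswith("/var/log/kaspersky"):
            findings.append(f"destination {i}: SyslogTarget {target!r} is not valid")
        bad = [e for e in kv.get("SyslogEvents", "").split(";")
               if e.strip() and e.strip().lower() not in EVENTS]
        if bad:
            findings.append(f"destination {i}: unknown SyslogEvents {bad}")
    return findings
```

Calling lint() on the contents of httpdkavlog.ini returns a list of findings; an empty list means that none of the checked rules is violated.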
