Managing the activity log

Some user actions in the program web interface can cause errors in the operation of Kaspersky Anti Targeted Attack Platform. You can enable logging of user action information in the program web interface and if necessary, view the information by downloading log files.

Enabling and disabling the recording of information in the activity log

To enable or disable the logging of information about user actions in the Kaspersky Anti Targeted Attack Platform web interface to the activity log:

1. Select the Reports section, Activity log subsection in the window of the program web interface.
2. Do one of the following:
   • Set the Activity log toggle switch to the Enabled position if you want to enable the logging of information about user actions in the program web interface.
   • Set the Activity log toggle switch to the Disabled position if you want to disable the logging of information about user actions in the program web interface.

     This function is enabled by default.

Information is logged for 30 days in the user_actions.log file. After 30 days, the user_actions.log file is saved on the Central Node server in the /var/log/kaspersky/apt-base/ directory with the name user_actions.log<month>. A new file named user_actions.log is created to record information for the current month. Each file is retained for 90 days and then deleted.

To view activity log files, you must download them.

You can configure the logging of information about user actions in the program web interface to a remote log. The remote log is saved on the server on which a SIEM system is installed. The settings of integration with the SIEM system must be configured to write to the remote log.

In distributed solution mode, information about user actions in the application web interface is recorded in the log of the same server for which the users are managing the web interface. Information about the actions of PCN server users that affect the settings of SCN servers is recorded in the PCN server log.

Users with the Security auditor role can only view the settings for logging information to the activity log.

Downloading the activity log file

To download the activity log file:

1. Select the Reports section, Activity log subsection in the window of the program web interface.
2. Click Download.

Log files are saved on your local computer in your browser's downloads folder. The files are downloaded as a ZIP archive.

In distributed solution mode, you can download log files only for the server for which you are managing the web interface.

Content and properties of CEF messages about user activity in the web interface

The header of each message contains the following information:

• Format version.

  Current version number: 0. Current field value: CEF:0.

• Vendor.

  Current field value: AO Kaspersky Lab.

• Program name.

  Current field value: Kaspersky Anti Targeted Attack Platform.

• Program version.

  The current value of the field is 5.0.0-5201.

• Event type.

  See the table below.

• Event name.

  See the table below.

• Event importance.

  Current field value: Low.

  Example: CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|5.0.0-5201|tasks|Managing tasks|Low|

All fields of the CEF message have the "<key>=<value>" format. The keys, as well as their values contained in a message, are presented in the table below.

Event information in CEF messages

Event type	Event name and description	Key and description of its value
sensors	Managing the Sensor component Connecting the Sensor component to the Central Node server, modifying component settings.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
sb	Configuring integration with the Sandbox component Connecting the Sandbox component to the Central Node server.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
ex_integration	Configuring integration with external systems Configuring integration with external systems.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
ksn_kpsn_mdr	Participation in KSN, KPSN and MDR Configuring participation in Kaspersky Security Network, enabling or disabling the usage of Kaspersky Private Security Network, and configuring integration with Kaspersky Managed Detection and Response.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
yara	Managing YARA rules Operations with YARA rules.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>. device external ID = <ID of the host in distributed solution mode>. cs1label = <name of the uploaded file>.
ioc	Managing indicator of compromise Operations with IOC rules.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>. deviceExternalID = <identifier of the host in distributed solution mode>.
ids	Managing IDS rules Operations with IDS rules.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>. deviceExternalID = <identifier of the host in distributed solution mode>.
taa	Managing TAA rules Operations with TAA (IOA) rules.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
prevention	Managing prevention rules Operations with prevention rules.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
exclusions	Managing scan exclusions Operations with scan exclusion rules.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
tasks	Managing tasks Operations with tasks.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
network_isolation	Network isolation of Endpoint Agent hosts Network isolation of Endpoint Agent hosts.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
settings	Settings Modifying Central Node server settings.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
settings	Settings The set of virtual machine operating systems is changed to <version of the operating system set>.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>. cs1label = <name of the server where the settings were updated>.
mt	Managing CN, PCN and SCN servers Modifying the settings of Primary Central Node and Secondary Central Node servers in distributed solution Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)). and multitenancy mode Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously. .	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
user_account	Managing user accounts Actions on user accounts.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
notifications	Sending notifications Configuring email notifications.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.
license	License Managing the license key.	dvs = <IP address of the server>. eventId = <ID of the event>. rt = <event date and time>. src = <IP address of the user>. user = <user name>. cs1 = <event type>.

If an operation is performed on over 30 objects simultaneously, only one entry is logged for this operation. The entry includes the information about the operation and the number of objects on which it was performed.