Kaspersky Security events in Kaspersky Security Center
This section contains accumulated information on application events that are written to the event log of the Kaspersky Security Center Administration Server.
Kaspersky Security Center also lets you export Kaspersky Security events to SIEM systems via the Syslog protocol.
For more detailed information about working with application events and policies using the Kaspersky Security Center Administration Server, please refer to the Kaspersky Security Center Administrator's Guide.
| Event | Event importance level | Description | Default time period for storing event information in the Kaspersky Security Center log |
| --- | --- | --- | --- |
| Active key is not detected | Critical | An active key is missing. | 30 days |
| On-access scan is enabled | Informational message | The application detected the activation of the Anti-Virus component. The event record contains the component name. | 30 days |
| On-access scan is disabled | Warning | The application detected the deactivation of the Anti-Virus component. The event record contains the component name. | 30 days |
| Anti-Virus databases are up to date | Informational message | Application databases have been updated to the latest version. The event record contains the database release date. | 30 days |
| Anti-Virus databases are out of date | Critical | Anti-virus databases of the application are outdated by more than one day. The event record contains the database release date. | 30 days |
| Limited scan mode enabled | Critical | An application component has switched to restricted scan mode. The event record contains the component name and the time it switched to restricted scan mode. | 30 days |
| An incident occurred while performing web object content filtering during on-access scan | Warning | Unwanted content has been detected in a web object when a web object was being created, edited, or saved on a server. | 30 days |
| An incident occurred while performing file content filtering during on-access scan | Warning | Content filtering has caused the application to register an incident when a file was accessed. | 30 days |
| A web object containing a phishing link was detected during on-access scan | Warning | Content filtering has caused the application to detect a phishing link when a web object was being created, edited, or saved on a server. | 30 days |
| On-demand scan task has been started | Informational message | The on-demand scan task has been run manually or automatically (by schedule). The event record contains the task name and the launch type. | 30 days |
| On-demand scan task has been stopped | Informational message | The on-demand scan task has been stopped. The event record contains the task name and the task stop reason. | 30 days |
| Content filtering is enabled | Informational message | The application detected the activation of the content filtering component. | 30 days |
| Content filtering is disabled | Warning | The application detected the deactivation of the content filtering component. | 30 days |
| DLP Module is enabled | Informational message | The application has detected the activation of the DLP Module. | 30 days |
| DLP Module is disabled | Warning | The application has detected the deactivation of the DLP Module. | 30 days |
| Kaspersky Lab categories updated | Informational message | Kaspersky Lab categories have been updated during the application database update. The event record contains the names of categories that have been updated, as well as their brief descriptions. | Do not store |
| Application component error | Critical | The application has detected errors in the operation of a component. The event record contains the component name and the error description. | 30 days |
| Anti-Virus databases update error is fixed. Anti-Virus databases have been updated successfully | Informational message | An Anti-Virus database update error has been fixed and the databases have been successfully updated. The event record contains the database release date. | 30 days |
| Database update error | Critical | An update of application databases has failed. The event record contains the error description. | 30 days |
| Error connecting to the SQL Server. Switched to inactive mode | Critical | The application has switched to inactive mode. File scanning is stopped if there is no connection with the SQL server for more than two hours. The event record contains the database name, the SQL server name, and the error description. | 30 days |
| Error connecting to the SQL Server. Switched to cached mode | Critical | The application has switched to active mode with the settings received before loss of connection with the SQL server. The event record contains the database name, the SQL server name, and the error description. | 30 days |
| An action was performed on the Security Server key | Informational message | The key status, license expiration date, number of users, or license type have changed. The event record contains the key, the license type, the license expiration date, and the number of license users. | 30 days |
| User restored an object from Backup | Informational message | The user has restored an object from Backup. The event record contains detailed information about the object and the user account. | Do not store |
| User has changed application settings | Informational message | The user has changed the application settings. The event record contains the account of the user that changed the settings as well as detailed information about the application settings that have been changed. | 30 days |
| User has performed an action on the Security Server key | Informational message | The user has performed an operation with a Security Server key. The event record contains the user account. | 30 days |
| User has attempted to run on-demand scan | Informational message | The user has attempted to run the on-demand scan task. The event record contains the user account. | 30 days |
| User has attempted to stop on-demand scan | Informational message | The user has attempted to stop the on-demand scan task. The event record contains the task name and the task stop reason. | 30 days |
| User attempted to archive incidents | Warning | The security officer has attempted to archive incidents registered by the DLP Module. | Do not store |
| User has attempted to save a Backup object to disk | Informational message | The user has saved an object from Backup to disk. The event record contains detailed information about the object and the user account. | Do not store |
| User attempted to save an object attached to the incident to disk | Warning | The security officer has attempted to save an incident registered by the DLP Module to disk. | Do not store |
| User has removed an object from Backup | Informational message | The user has removed an object from Backup. The event record contains detailed information about the object and the user account. | Do not store |
| An incident has occurred during on-access Anti-Virus scan | Warning | The application has registered an incident during scanning when a file was being saved. | 30 days |
| An infected file was detected and disinfected during on-access virus scan | Informational message | The application has disinfected an infected file during scanning when the file was being saved. | 30 days |
| Connection to the SQL Server is restored | Informational message | Access to the SQL server containing the application database has been restored. | 30 days |
| New incident created during DLP Module operation | Warning | A file that violates the security policy has been detected. Such an event is written to the Kaspersky Security Center log if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the policy or in the Search task. | Do not store |
| License expired | Critical | The license has expired. The event record contains the key and the license expiration date. | 30 days |
| License is about to expire | Warning | The license is about to expire. The event record contains the key, the license expiration date, and the number of days left until this date. | 30 days |