Contents
Events of Open Single Management Platform components
Each Open Single Management Platform component has its own set of event types. This section lists types of events that occur in Kaspersky Security Center Administration Server and Network Agent. Types of events that occur in Kaspersky applications are not listed in this section.
For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.
Data structure of event type description
For each event type, its display name, identifier (ID), alphabetic code, description, and the default storage term are provided.
- Event type display name. This text is displayed in Open Single Management Platform when you configure events and when they occur.
- Event type ID. This numerical code is used when you process events by using third-party tools for event analysis.
- Event type (alphabetic code). This code is used when you browse and process events by using public views that are provided in the Open Single Management Platform database and when events are exported to a SIEM system.
- Description. This text contains the situations when an event occurs and what you can do in such a case.
- Default storage term. This is the number of days during which the event is stored in the Administration Server database and is displayed in the list of events on Administration Server. After this period elapses, the event is deleted. If the event storage term value is 0, such events are detected but are not displayed in the list of events on Administration Server. If you configured to save such events to the operating system event log, you can find them there.
You can change the storage term for events: Setting the storage term for an event
Administration Server events
This section contains information about the events related to the Administration Server.
Administration Server critical events
The table below shows the events of Kaspersky Security Center Administration Server that have the Critical importance level.
For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.
Administration Server critical events
Event type display name |
Event type ID |
Event type |
Description |
Default storage term |
|---|---|---|---|---|
License limit has been exceeded |
4099 |
KLSRV_EV_LICENSE_CHECK_MORE_110 |
Once a day Open Single Management Platform checks whether a licensing limit is exceeded. Events of this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license exceeds 110% of the total number of units covered by the license. Even when this event occurs, client devices are protected. You can respond to the event in the following ways:
Open Single Management Platform determines the rules to generate events when a licensing limit is exceeded. |
180 days |
Device has become unmanaged |
4111 |
KLSRV_HOST_OUT_CONTROL |
Events of this type occur if a managed device is visible on the network but has not connected to Administration Server for a specific period. Find out what prevents the proper functioning of Network Agent on the device. Possible causes include network issues and removal of Network Agent from the device. |
180 days |
Device status is Critical |
4113 |
KLSRV_HOST_STATUS_CRITICAL |
Events of this type occur when a managed device is assigned the Critical status. You can configure the conditions under which the device status is changed to Critical. |
180 days |
The key file has been added to the denylist |
4124 |
KLSRV_LICENSE_BLACKLISTED |
Events of this type occur when Kaspersky has added the activation code or key file that you use to the denylist. Contact Technical Support for more details. |
180 days |
License expires soon |
4129 |
KLSRV_EV_LICENSE_SRV_EXPIRE_SOON |
Events of this type occur when the commercial license expiration date is approaching. Once a day Open Single Management Platform checks whether a license expiration date is approaching. Events of this type are published 30 days, 15 days, 5 days, and 1 day before the license expiration date. This number of days cannot be changed. If the Administration Server is turned off on the specified day before the license expiration date, the event will not be published until the next day. When the commercial license expires, Open Single Management Platform provides only basic functionality. You can respond to the event in the following ways:
|
180 days |
Certificate has expired |
4132 |
KLSRV_CERTIFICATE_EXPIRED |
Events of this type occur when the Administration Server certificate for Mobile Device Management expires. You need to update the expired certificate. |
180 days |
Administration Server certificate has expired. |
6129 |
KLSRV_EV_SRV_CERT_EXPIRED_DN |
Events of this type occur when the Administration Server certificate expires. You need to update the expired certificate. |
180 days |
Audit: Export to SIEM failed |
5130 |
KLAUD_EV_SIEM_EXPORT_ERROR |
Events of this type occur when exporting events to the SIEM system failed due to a connection error with the SIEM system. |
180 days |
Limited functionality mode |
4130 |
KLSRV_EV_LICENSE_SRV_LIMITED_MODE |
Events of this type occur when Open Single Management Platform starts to operate with basic functionality, without Vulnerability and patch management and without Mobile Device Management features. Following are causes of, and appropriate responses to, the event:
|
180 days |
Updates for Kaspersky application modules have been revoked |
4142 |
KLSRV_SEAMLESS_UPDATE_REVOKED |
Events of this type occur if seamless updates have been revoked (Revoked status is displayed for these updates) by Kaspersky technical specialists; for example, they must be updated to a newer version. The event concerns Open Single Management Platform patches and does not concern modules of managed Kaspersky applications. The event provides the reason that the seamless updates are not installed. |
180 days |
Virus outbreak |
|
GNRL_EV_VIRUS_OUTBREAK |
Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period. You can respond to the event in the following ways:
|
|
Administration Server functional failure events
The table below shows the events of Kaspersky Security Center Administration Server that have the Functional failure importance level.
For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.
Administration Server functional failure events
Event type display name |
Event type ID |
Event type |
Description |
Default storage term |
|---|---|---|---|---|
Runtime error
|
4125
|
KLSRV_RUNTIME_ERROR
|
Events of this type occur because of unknown issues. Most often these are DBMS issues, network issues, and other software and hardware issues. Details of the event can be found in the event description.
|
180 days
|
Failed to copy the updates to the specified folder |
4123 |
KLSRV_UPD_REPL_FAIL |
Events of this type occur when software updates are copied to an additional shared folder(s). You can respond to the event in the following ways:
|
180 days |
No free disk space |
4107 |
KLSRV_DISK_FULL |
Events of this type occur when the hard drive of the device on which Administration Server is installed runs out of free space. Free up disk space on the device. |
180 days |
Shared folder is not available |
4108 |
KLSRV_SHARED_FOLDER_UNAVAILABLE |
Events of this type occur if the shared folder of Administration Server is not available. You can respond to the event in the following ways:
|
180 days |
The Administration Server database is unavailable |
4109 |
KLSRV_DATABASE_UNAVAILABLE |
Events of this type occur if the Administration Server database becomes unavailable. You can respond to the event in the following ways:
|
180 days |
No free space in the Administration Server database |
4110 |
KLSRV_DATABASE_FULL |
Events of this type occur when there is no free space in the Administration Server database. Administration Server does not function when its database has reached its capacity and when further recording to the database is not possible. Following are the causes of this event, depending on the DBMS that you use, and appropriate responses to the event:
Review the information on DBMS selection. |
180 days |
Failed to poll the cloud segment |
4143 |
KLSRV_KLCLOUD_SCAN_ERROR |
Events of this type occur when Administration Server fails to poll a network segment in a cloud environment. Read the details in the event description and respond accordingly. |
Not stored |
Administration Server warning events
The table below shows the events of Kaspersky Security Center Administration Server that have the Warning importance level.
For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.
Administration Server warning events
Event type display name |
Event type ID |
Event type |
Description |
Default storage term |
|---|---|---|---|---|
Frequent events have been detected |
|
KLSRV_EVENT_SPAM_EVENTS_DETECTED |
Events of this type occur when Administration Server detects a frequent event on a managed device. Refer to the following section for details: Blocking frequent events. |
90 days |
License limit has been exceeded |
4098 |
KLSRV_EV_LICENSE_CHECK_100_110 |
Once a day Open Single Management Platform checks whether a licensing limit is exceeded. Events of this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license constitute 100% to 110% of the total number of units covered by the license. Even when this event occurs, client devices are protected. You can respond to the event in the following ways:
Open Single Management Platform determines the rules to generate events when a licensing limit is exceeded. |
90 days |
Device has remained inactive on the network for a long time |
4103 |
KLSRV_EVENT_HOSTS_NOT_VISIBLE |
Events of this type occur when a managed device shows inactivity for some time. Most often, this happens when a managed device is decommissioned. You can respond to the event in the following ways:
|
90 days |
Conflict of device names |
4102 |
KLSRV_EVENT_HOSTS_CONFLICT |
Events of this type occur when Administration Server considers two or more managed devices as a single device. Most often this happens when a cloned hard drive was used for software deployment on managed devices and without switching the Network Agent to the dedicated disk cloning mode on a reference device. To avoid this issue, switch Network Agent to the disk cloning mode on a reference device before cloning the hard drive of this device. |
90 days |
Device status is Warning
|
4114
|
KLSRV_HOST_STATUS_WARNING
|
Events of this type occur when a managed device is assigned the Warning status. You can configure the conditions under which the device status is changed to Warning.
|
90 days
|
Certificate has been requested |
4133 |
KLSRV_CERTIFICATE_REQUESTED |
Events of this type occur when a certificate for Mobile Device Management fails to be automatically reissued. Following might be the causes and appropriate responses to the event:
|
90 days |
Certificate has been removed |
4134 |
KLSRV_CERTIFICATE_REMOVED |
Events of this type occur when an administrator removes any type of certificate (General, Mail, VPN) for Mobile Device Management. After removing a certificate, mobile devices connected via this certificate will fail to connect to Administration Server. This event might be helpful when investigating malfunctions associated with the management of mobile devices. |
90 days |
Certificate is expiring |
6128 |
KLSRV_EV_SRV_CERT_EXPIRES_SOON |
Events of this type occur when the Administration Server certificate is expiring in 30 days or sooner, and there is no reserve certificate. |
90 days |
APNs certificate has expired |
4135 |
KLSRV_APN_CERTIFICATE_EXPIRED |
Events of this type occur when an APNs certificate expires. You need to manually renew the APNs certificate and install it on an iOS MDM Server. |
Not stored |
APNs certificate expires soon |
4136 |
KLSRV_APN_CERTIFICATE_EXPIRES_SOON |
Events of this type occur when there are fewer than 14 days left before the APNs certificate expires. When the APNs certificate expires, you need to manually renew the APNs certificate and install it on an iOS MDM Server. We recommend that you schedule the APNs certificate renewal in advance of the expiration date. |
Not stored |
Failed to send the FCM message to the mobile device |
4138 |
KLSRV_GCM_DEVICE_ERROR |
Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) for connecting to managed mobile devices with an Android operating system and FCM Server fails to handle some of the requests received from Administration Server. It means that some of the managed mobile devices will not receive a push notification. Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from FCM Server and related errors, please refer to the Google Firebase service documentation (see chapter "Downstream message error response codes"). |
90 days |
HTTP error sending the FCM message to the FCM server |
4139 |
KLSRV_GCM_HTTP_ERROR |
Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) for connecting managed mobile devices with the Android operating system and FCM Server reverts to the Administration Server a request with a HTTP code other than 200 (OK). Following might be the causes and appropriate responses to the event:
|
90 days |
Failed to send the FCM message to the FCM server |
4140 |
KLSRV_GCM_GENERAL_ERROR |
Events of this type occur due to unexpected errors on the Administration Server side when working with the Google Firebase Cloud Messaging HTTP protocol. Read the details in the event description and respond accordingly. If you cannot find the solution to an issue on your own, we recommend that you contact Kaspersky Technical Support. |
90 days |
Little free space on the hard drive |
4105 |
KLSRV_NO_SPACE_ON_VOLUMES |
Events of this type occur when the hard drive of the device on which Administration Server is installed almost runs out of free space. Free up disk space on the device. |
90 days |
No free space in the Administration Server database |
4106 |
KLSRV_NO_SPACE_IN_DATABASE |
Events of this type occur if space in the Administration Server database is too limited. If you do not remedy the situation, soon the Administration Server database will reach its capacity and Administration Server will not function. Following are the causes of this event, depending on the DBMS that you use, and the appropriate responses to the event.
Review the information on DBMS selection. |
90 days |
Connection to the secondary Administration Server has been interrupted |
4116 |
KLSRV_EV_SLAVE_SRV_DISCONNECTED |
Events of this type occur when a connection to the secondary Administration Server is interrupted. Read the operating system log on the device where the secondary Administration Server is installed and respond accordingly. |
90 days |
Connection to the primary Administration Server has been interrupted |
4118 |
KLSRV_EV_MASTER_SRV_DISCONNECTED |
Events of this type occur when a connection to the primary Administration Server is interrupted. Read the operating system log on the device where the primary Administration Server is installed and respond accordingly. |
90 days |
New updates for Kaspersky application modules have been registered |
4141 |
KLSRV_SEAMLESS_UPDATE_REGISTERED |
Events of this type occur when Administration Server registers new updates for the Kaspersky software installed on managed devices that require approval to be installed. Approve or decline the updates by using Kaspersky Security Center Web Console. |
90 days |
The limit on the number of events in the database is exceeded, deletion of events has started |
4145 |
KLSRV_EVP_DB_TRUNCATING |
Events of this type occur when deletion of old events from the Administration Server database has started after the Administration Server database capacity is reached. You can respond to the event in the following ways: |
Not stored |
The limit on the number of events in the database is exceeded, the events have been deleted |
4146 |
KLSRV_EVP_DB_TRUNCATED |
Events of this type occur when old events have been deleted from the Administration Server database after the Administration Server database capacity is reached. You can respond to the event in the following ways: |
Not stored |
Failed to download file to device |
4165 |
KLSRV_FILE_DOWNLOAD_FAILED |
This event occurs in the following cases:
|
90 days |
Audit: Test connection to SIEM server failed |
5120 |
KLAUD_EV_SIEM_TEST_FAILED |
Events of this type occur when an automatic connection test to the SIEM server failed. |
90 days |
Administration Server informational events
The table below shows the events of Kaspersky Security Center Administration Server that have the Info importance level.
For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.
Administration Server informational events
Event type display name |
Event type ID |
Event type |
Description |
Default storage term |
|---|---|---|---|---|
Over 90% of the license key is used up |
4097 |
KLSRV_EV_LICENSE_CHECK_90 |
Events of this type occur when Administration Server detects that some licensing limits are close to being exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license constitute over 90% of the total number of units covered by the license. Even when a licensing limit is exceeded, client devices are protected. You can respond to the event in the following ways:
Open Single Management Platform determines the rules to generate events when a licensing limit is exceeded. |
30 days |
New device has been detected |
4100 |
KLSRV_EVENT_HOSTS_NEW_DETECTED |
Events of this type occur when new networked devices have been discovered. |
30 days |
Device has been automatically added to the group |
4101 |
KLSRV_EVENT_HOSTS_NEW_REDIRECTED |
Events of this type occur when devices have been assigned to a group according to device moving rules. |
30 days |
Device has been automatically moved according to a rule |
1074 |
KLSRV_HOST_MOVED_WITH_RULE_EX |
Events of this type occur when devices have been moved to administration groups by using device moving rules. |
30 days |
Device has been removed from the group: inactive on the network for a long time
|
4104
|
KLSRV_INVISIBLE_HOSTS_REMOVED
|
Events of this type occur when devices have been automatically removed from a group for inactivity.
|
30 days
|
FCM Instance ID has changed on this mobile device |
4137 |
KLSRV_GCM_DEVICE_REGID_CHANGED |
Events of this type occur when the Firebase Cloud Messaging token has changed on the device. For information on the FCM token rotation, please refer to the Firebase service documentation. |
30 days |
Updates have been successfully copied to the specified folder |
4122 |
KLSRV_UPD_REPL_OK |
Events of this type occur when the Download updates to the Administration Server repository task finishes copying files to a specified folder. |
30 days |
Connection to the secondary Administration Server has been established |
4115 |
KLSRV_EV_SLAVE_SRV_CONNECTED |
Refer to the following topic for details: Creating a hierarchy of Administration Servers: adding a secondary Administration Server. |
30 days |
Connection to the primary Administration Server has been established |
4117 |
KLSRV_EV_MASTER_SRV_CONNECTED |
|
30 days |
Files have been found to send to Kaspersky for analysis |
4131 |
KLSRV_APS_FILE_APPEARED |
|
30 days |
Databases have been updated |
4144 |
KLSRV_UPD_BASES_UPDATED |
Events of this type occur when the Download updates to the Administration Server repository task finishes updating databases. |
30 days |
Audit: Connection to the Administration Server has been established |
4147 |
KLAUD_EV_SERVERCONNECT |
Events of this type occur when a user connects to Administration Server by using Web Console. These events include information about the IP address of the device where the Administration Server is installed. |
30 days |
Audit: Object has been modified |
4148 |
KLAUD_EV_OBJECTMODIFY |
This event tracks changes in the following objects:
|
30 days |
Audit: Object status has changed |
4150 |
KLAUD_EV_TASK_STATE_CHANGED |
For example, this event occurs when a task has failed with an error. |
30 days |
Audit: Group settings have been modified |
4149 |
KLAUD_EV_ADMGROUP_CHANGED |
Events of this type occur when a security group has been edited. |
30 days |
Audit: Connection to Administration Server has been terminated |
4151 |
KLAUD_EV_SERVERDISCONNECT |
|
30 days |
Audit: Object properties have been modified |
4152 |
KLAUD_EV_OBJECTPROPMODIFIED |
This event tracks changes in the following properties:
|
30 days |
Audit: User permissions have been modified |
4153 |
KLAUD_EV_OBJECTACLMODIFIED |
This event occurs when user permissions have been modified |
30 days |
File uploaded to Administration Server |
4162 |
KLSRV_FILE_UPLOADED |
This event occurs when a file has been uploaded to Administration Server. |
30 days |
File deleted from Administration Server |
4163 |
KLSRV_FILE_REMOVED |
This event occurs when a file has been deleted from Administration Server. |
30 days |
File downloaded to device |
4164 |
KLSRV_FILE_DOWNLOADED |
This event occurs in the following cases:
|
30 days |
Audit: Encryption keys imported/exported |
5100 |
KLAUD_EV_DPEKEYSEXPORT |
For example, this event occurs during migration. |
30 days |
Audit: Test connection to SIEM server succeeded |
5110 |
KLAUD_EV_SIEM_TEST_SUCCESS |
This event occurs when a test connection to the SIEM server succeeded. |
30 days |
Reserve certificate created |
6126 |
KLSRV_EV_SRV_CERT_RESERVE_CREATED |
This event occurs when an Administration Server certificate has been created. |
30 days |
Certificate renewing |
6127 |
KLSRV_EV_SRV_CERT_RENEWED |
This event occurs when the Administration Server certificate has been renewed. |
30 days |
Network Agent events
This section contains information about the events related to Network Agent.
Network Agent warning events
The table below shows the events of Network Agent that have the Warning severity level.
For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.
Network Agent warning events
Event type display name |
Event type ID |
Event type |
Description |
Default storage term |
|---|---|---|---|---|
Security issue has occurred |
549 |
GNRL_EV_APP_INCIDENT_OCCURED |
Events of this type occur when an incident has been found on a device. For example, this event occurs when the device has low disk space. |
30 days |
KSN Proxy has started. Failed to check KSN for availability |
7718 |
KSNPROXY_STARTED_CON_CHK_FAILED |
Events of this type occur when test connection fails for the configured KSN proxy connection. |
30 days |
Third-party software update installation has been postponed |
7698 |
KLNAG_EV_3P_PATCH_INSTALL_SLIPPED |
For example, events of this type occur when EULA for a third-party update installation is declined. |
30 days |
Third-party software update installation has completed with a warning |
7696 |
KLNAG_EV_3P_PATCH_INSTALL_WARNING |
Download the trace files and check the KLRI_PATCH_RES_DESC field value for details. |
30 days |
Warning has been returned during installation of the software module update |
7701 |
KLNAG_EV_PATCH_INSTALL_WARNING |
Download the trace files and check the KLRI_PATCH_RES_DESC field value for details. |
30 days |
User management: warnings |
7722 |
KLNAG_EV_USR_MNG_WRN |
General warning event. |
30 days |
Sudoers file found doesn't match reference value |
7724 |
KLNAG_EV_SUDOER_DIFFERENT |
Events of this type occur when there is a mismatch between the sudoers file and the reference file. |
30 days |
Network Agent informational events
The table below shows the events of Network Agent that have the Info severity level.
For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.
Network Agent informational events
Event type display name |
Event type ID |
Event type |
Default storage term |
|---|---|---|---|
Application has been installed |
7703 |
KLNAG_EV_INV_APP_INSTALLED |
30 days |
Application has been uninstalled |
7704 |
KLNAG_EV_INV_APP_UNINSTALLED |
30 days |
Monitored application has been installed |
7705 |
KLNAG_EV_INV_OBS_APP_INSTALLED |
30 days |
Monitored application has been uninstalled |
7706 |
KLNAG_EV_INV_OBS_APP_UNINSTALLED |
30 days |
New device has been added |
7708 |
KLNAG_EV_DEVICE_ARRIVAL |
30 days |
Device has been removed |
7709 |
KLNAG_EV_DEVICE_REMOVE |
30 days |
New device has been detected |
7710 |
KLNAG_EV_NAC_DEVICE_DISCOVERED |
30 days |
Device has been authorized |
7711 |
KLNAG_EV_NAC_HOST_AUTHORIZED |
30 days |
KSN Proxy has started. KSN availability check has completed successfully |
7719 |
KSNPROXY_STARTED_CON_CHK_OK |
30 days |
KSN Proxy has stopped |
7720 |
KSNPROXY_STOPPED |
30 days |
Third-party application has been installed |
7707 |
KLNAG_EV_INV_CMPTR_APP_INSTALLED |
30 days |
Third-party software update has been installed successfully |
7694 |
KLNAG_EV_3P_PATCH_INSTALLED_SUCCESSFULLY |
30 days |
Third-party software update installation has started |
7695 |
KLNAG_EV_3P_PATCH_INSTALL_STARTING |
30 days |
Installation of the software module update has started |
7700 |
KLNAG_EV_PATCH_INSTALL_STARTING |
30 days |
Windows Desktop Sharing: Application has been started |
7714 |
KLUSRLOG_EV_PROCESS_LAUNCHED |
30 days |
Windows Desktop Sharing: File has been modified |
7713 |
KLUSRLOG_EV_FILE_MODIFIED |
30 days |
Windows Desktop Sharing: File has been read |
7712 |
KLUSRLOG_EV_FILE_READ |
30 days |
Windows Desktop Sharing: Started |
7715 |
KLUSRLOG_EV_WDS_BEGIN |
30 days |
Windows Desktop Sharing: Stopped |
7716 |
KLUSRLOG_EV_WDS_END |
30 days |
Sudoers file successfully restored to reference value |
7725 |
KLNAG_EV_SUDOER_RESTORED |
30 days |
Root certificates installed |
7727 |
KLNAG_EV_ROOT_CERT_INSTALLED |
30 days |
Root certificates removed |
7729 |
KLNAG_EV_ROOT_CERT_REMOVED |
30 days |
Web Server started on host |
|
WEB_SERVER_STARTED |
30 days |
Web Server stopped on host |
|
WEB_SERVER_STOPPED |
30 days |
