Kaspersky Next XDR Expert

Administration Server events

This section contains information about the events related to the Administration Server.

In this section

Administration Server critical events

Administration Server functional failure events

Administration Server warning events

Administration Server informational events

Page top
[Topic 184666_1]

Administration Server critical events

The table below shows the events of Kaspersky Security Center Administration Server that have the Critical importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Administration Server critical events

Event type display name

Event type ID

Event type

Description

Default storage term

License limit has been exceeded

4099

KLSRV_EV_LICENSE_CHECK_MORE_110

Once a day Open Single Management Platform checks whether a licensing limit is exceeded.

Events of this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license exceeds 110% of the total number of units covered by the license.

Even when this event occurs, client devices are protected.

You can respond to the event in the following ways:

  • Look through the managed devices list. Delete devices that are not in use.
  • Provide a license for more devices (add a valid activation code or a key file to Administration Server).

Open Single Management Platform determines the rules to generate events when a licensing limit is exceeded.

180 days

Device has become unmanaged

4111

KLSRV_HOST_OUT_CONTROL

Events of this type occur if a managed device is visible on the network but has not connected to Administration Server for a specific period.

Find out what prevents the proper functioning of Network Agent on the device. Possible causes include network issues and removal of Network Agent from the device.

180 days

Device status is Critical

4113

KLSRV_HOST_STATUS_CRITICAL

Events of this type occur when a managed device is assigned the Critical status. You can configure the conditions under which the device status is changed to Critical.

180 days

The key file has been added to the denylist

4124

KLSRV_LICENSE_BLACKLISTED

Events of this type occur when Kaspersky has added the activation code or key file that you use to the denylist.

Contact Technical Support for more details.

180 days

License expires soon

4129

KLSRV_EV_LICENSE_SRV_EXPIRE_SOON

Events of this type occur when the commercial license expiration date is approaching.

Once a day Open Single Management Platform checks whether a license expiration date is approaching. Events of this type are published 30 days, 15 days, 5 days, and 1 day before the license expiration date. This number of days cannot be changed. If the Administration Server is turned off on the specified day before the license expiration date, the event will not be published until the next day.

When the commercial license expires, Open Single Management Platform provides only basic functionality.

You can respond to the event in the following ways:

  • Make sure that a reserve license key is added to Administration Server.
  • If you use a subscription, make sure to renew it. An unlimited subscription is renewed automatically if it has been prepaid to the service provider by the due date.

180 days

Certificate has expired

4132

KLSRV_CERTIFICATE_EXPIRED

Events of this type occur when the Administration Server certificate for Mobile Device Management expires.

You need to update the expired certificate.

180 days

Administration Server certificate has expired.

6129

KLSRV_EV_SRV_CERT_EXPIRED_DN

Events of this type occur when the Administration Server certificate expires.

You need to update the expired certificate.

180 days

Audit: Export to SIEM failed

5130

KLAUD_EV_SIEM_EXPORT_ERROR

Events of this type occur when exporting events to the SIEM system failed due to a connection error with the SIEM system.

180 days

Limited functionality mode

4130

KLSRV_EV_LICENSE_SRV_LIMITED_MODE

Events of this type occur when Open Single Management Platform starts to operate with basic functionality, without Vulnerability and patch management and without Mobile Device Management features.

Following are causes of, and appropriate responses to, the event:

  • License term has expired. Provide a license to use the full functionality mode of Open Single Management Platform (add a valid activation code or a key file to Administration Server).
  • Administration Server manages more devices than specified by the license limit. Move devices from the administration groups of an Administration Server to those of another Administration Server (if the license limit of the other Administration Server allows).

180 days

Updates for Kaspersky application modules have been revoked

4142

KLSRV_SEAMLESS_UPDATE_REVOKED

Events of this type occur if seamless updates have been revoked (Revoked status is displayed for these updates) by Kaspersky technical specialists; for example, they must be updated to a newer version. The event concerns Open Single Management Platform patches and does not concern modules of managed Kaspersky applications. The event provides the reason that the seamless updates are not installed.

180 days

Virus outbreak

  • 26 (for File Threat Protection)
  • 27 (for Mail Threat Protection)
  • 28 (for firewall)

 

GNRL_EV_VIRUS_OUTBREAK

Events of this type occur when the number of malicious objects detected on several managed devices exceeds the threshold within a short period.

You can respond to the event in the following ways:

  • Configure the threshold in the Administration Server properties.
  • Create a stricter policy that will be activated, or create a task that will be run, at the occurrence of this event.

 

See also:

Administration Server functional failure events

Administration Server informational events

Administration Server warning events

About events in Open Single Management Platform

Page top
[Topic 177080_1]

Administration Server functional failure events

The table below shows the events of Kaspersky Security Center Administration Server that have the Functional failure importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Administration Server functional failure events

Event type display name

Event type ID

Event type

Description

Default storage term

Runtime error

 

 

4125

 

 

 

 

KLSRV_RUNTIME_ERROR

 

 

 

 

Events of this type occur because of unknown issues.

Most often these are DBMS issues, network issues, and other software and hardware issues.

Details of the event can be found in the event description.

 

 

 

 

 

180 days

 

 

 

 

Failed to copy the updates to the specified folder

4123

KLSRV_UPD_REPL_FAIL

Events of this type occur when software updates are copied to an additional shared folder(s).

You can respond to the event in the following ways:

  • Check whether the user account that is employed to gain access to the folder(s) has write permission.
  • Check whether a user name and/or a password to the folder(s) is/are changed.
  • Check the internet connection, as it might be the cause of the event. Follow the instructions to update databases and software modules.

180 days

No free disk space

4107

KLSRV_DISK_FULL

Events of this type occur when the hard drive of the device on which Administration Server is installed runs out of free space.

Free up disk space on the device.

180 days

Shared folder is not available

4108

KLSRV_SHARED_FOLDER_UNAVAILABLE

Events of this type occur if the shared folder of Administration Server is not available.

You can respond to the event in the following ways:

  • Check whether the Administration Server (where the shared folder is located) is turned on and available.
  • Check whether a user name and/or a password to the folder is/are changed.
  • Check the network connection.

180 days

The Administration Server database is unavailable

4109

KLSRV_DATABASE_UNAVAILABLE

Events of this type occur if the Administration Server database becomes unavailable.

You can respond to the event in the following ways:

  • Check whether the remote server that has SQL Server installed is available.
  • View the DBMS logs to discover the reason for Administration Server database unavailability. For example, because of preventive maintenance a remote server with SQL Server installed might be unavailable.

180 days

No free space in the Administration Server database

4110

KLSRV_DATABASE_FULL

Events of this type occur when there is no free space in the Administration Server database.

Administration Server does not function when its database has reached its capacity and when further recording to the database is not possible.

Following are the causes of this event, depending on the DBMS that you use, and appropriate responses to the event:

Review the information on DBMS selection.

180 days

Failed to poll the cloud segment

4143

KLSRV_KLCLOUD_SCAN_ERROR

Events of this type occur when Administration Server fails to poll a network segment in a cloud environment. Read the details in the event description and respond accordingly.

Not stored

See also:

Administration Server critical events

Administration Server informational events

Administration Server warning events

About events in Open Single Management Platform

Page top
[Topic 177081_1]

Administration Server warning events

The table below shows the events of Kaspersky Security Center Administration Server that have the Warning importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Administration Server warning events

Event type display name

Event type ID

Event type

Description

Default storage term

Frequent events have been detected

 

KLSRV_EVENT_SPAM_EVENTS_DETECTED

Events of this type occur when Administration Server detects a frequent event on a managed device. Refer to the following section for details: Blocking frequent events.

90 days

License limit has been exceeded

4098

KLSRV_EV_LICENSE_CHECK_100_110

Once a day Open Single Management Platform checks whether a licensing limit is exceeded.

Events of this type occur when Administration Server detects that some licensing limits are exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license constitute 100% to 110% of the total number of units covered by the license.

Even when this event occurs, client devices are protected.

You can respond to the event in the following ways:

  • Look through the managed devices list. Delete devices that are not in use.
  • Provide a license for more devices (add a valid activation code or a key file to Administration Server).

Open Single Management Platform determines the rules to generate events when a licensing limit is exceeded.

90 days

Device has remained inactive on the network for a long time

4103

KLSRV_EVENT_HOSTS_NOT_VISIBLE

Events of this type occur when a managed device shows inactivity for some time.

Most often, this happens when a managed device is decommissioned.

You can respond to the event in the following ways:

  • Manually remove the device from the list of managed devices.

    Specify the time interval after which the Device has remained inactive on the network for a long time event is created by using OSMP Console.

  • Specify the time interval after which the device is automatically removed from the group by using OSMP Console.

90 days

Conflict of device names

4102

KLSRV_EVENT_HOSTS_CONFLICT

Events of this type occur when Administration Server considers two or more managed devices as a single device.

Most often this happens when a cloned hard drive was used for software deployment on managed devices and without switching the Network Agent to the dedicated disk cloning mode on a reference device.

To avoid this issue, switch Network Agent to the disk cloning mode on a reference device before cloning the hard drive of this device.

90 days

Device status is Warning

 

 

 

4114

 

 

 

KLSRV_HOST_STATUS_WARNING

 

 

 

Events of this type occur when a managed device is assigned the Warning status. You can configure the conditions under which the device status is changed to Warning.

 

 

 

 

 

90 days

 

 

 

Certificate has been requested

4133

KLSRV_CERTIFICATE_REQUESTED

Events of this type occur when a certificate for Mobile Device Management fails to be automatically reissued.

Following might be the causes and appropriate responses to the event:

  • Automatic reissue was initiated for a certificate for which the Reissue certificate automatically if possible option is disabled. This might be due to an error that occurred during creation of the certificate. Manual reissue of the certificate might be required.
  • If you use an integration with a public key infrastructure, the cause might be a missing SAM-Account-Name attribute of the account used for integration with PKI and for issuance of the certificate. Review the account properties.

90 days

Certificate has been removed

4134

KLSRV_CERTIFICATE_REMOVED

Events of this type occur when an administrator removes any type of certificate (General, Mail, VPN) for Mobile Device Management.

After removing a certificate, mobile devices connected via this certificate will fail to connect to Administration Server.

This event might be helpful when investigating malfunctions associated with the management of mobile devices.

90 days

Certificate is expiring

6128

KLSRV_EV_SRV_CERT_EXPIRES_SOON

Events of this type occur when the Administration Server certificate is expiring in 30 days or sooner, and there is no reserve certificate.

90 days

APNs certificate has expired

4135

KLSRV_APN_CERTIFICATE_EXPIRED

Events of this type occur when an APNs certificate expires.

You need to manually renew the APNs certificate and install it on an iOS MDM Server.

Not stored

APNs certificate expires soon

4136

KLSRV_APN_CERTIFICATE_EXPIRES_SOON

Events of this type occur when there are fewer than 14 days left before the APNs certificate expires.

When the APNs certificate expires, you need to manually renew the APNs certificate and install it on an iOS MDM Server.

We recommend that you schedule the APNs certificate renewal in advance of the expiration date.

Not stored

Failed to send the FCM message to the mobile device

4138

KLSRV_GCM_DEVICE_ERROR

Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) for connecting to managed mobile devices with an Android operating system and FCM Server fails to handle some of the requests received from Administration Server. It means that some of the managed mobile devices will not receive a push notification.

Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from FCM Server and related errors, please refer to the Google Firebase service documentation (see chapter "Downstream message error response codes").

90 days

HTTP error sending the FCM message to the FCM server

4139

KLSRV_GCM_HTTP_ERROR

Events of this type occur when Mobile Device Management is configured to use Google Firebase Cloud Messaging (FCM) for connecting managed mobile devices with the Android operating system and FCM Server reverts to the Administration Server a request with a HTTP code other than 200 (OK).

Following might be the causes and appropriate responses to the event:

  • Problems on the FCM server side. Read the HTTP code in the details of the event description and respond accordingly. For more information on the HTTP codes received from FCM Server and related errors, please refer to the Google Firebase service documentation (see chapter "Downstream message error response codes").
  • Problems on the proxy server side (if you use proxy server). Read the HTTP code in the details of the event and respond accordingly.

90 days

Failed to send the FCM message to the FCM server

4140

KLSRV_GCM_GENERAL_ERROR

Events of this type occur due to unexpected errors on the Administration Server side when working with the Google Firebase Cloud Messaging HTTP protocol.

Read the details in the event description and respond accordingly.

If you cannot find the solution to an issue on your own, we recommend that you contact Kaspersky Technical Support.

90 days

Little free space on the hard drive

4105

KLSRV_NO_SPACE_ON_VOLUMES

Events of this type occur when the hard drive of the device on which Administration Server is installed almost runs out of free space.

Free up disk space on the device.

90 days

No free space in the Administration Server database

4106

KLSRV_NO_SPACE_IN_DATABASE

Events of this type occur if space in the Administration Server database is too limited. If you do not remedy the situation, soon the Administration Server database will reach its capacity and Administration Server will not function.

Following are the causes of this event, depending on the DBMS that you use, and the appropriate responses to the event.

Review the information on DBMS selection.

90 days

Connection to the secondary Administration Server has been interrupted

4116

KLSRV_EV_SLAVE_SRV_DISCONNECTED

Events of this type occur when a connection to the secondary Administration Server is interrupted.

Read the operating system log on the device where the secondary Administration Server is installed and respond accordingly.

90 days

Connection to the primary Administration Server has been interrupted

4118

KLSRV_EV_MASTER_SRV_DISCONNECTED

Events of this type occur when a connection to the primary Administration Server is interrupted.

Read the operating system log on the device where the primary Administration Server is installed and respond accordingly.

90 days

New updates for Kaspersky application modules have been registered

4141

KLSRV_SEAMLESS_UPDATE_REGISTERED

Events of this type occur when Administration Server registers new updates for the Kaspersky software installed on managed devices that require approval to be installed.

Approve or decline the updates by using Kaspersky Security Center Web Console.

90 days

The limit on the number of events in the database is exceeded, deletion of events has started

4145

KLSRV_EVP_DB_TRUNCATING

Events of this type occur when deletion of old events from the Administration Server database has started after the Administration Server database capacity is reached.

You can respond to the event in the following ways:

Not stored

The limit on the number of events in the database is exceeded, the events have been deleted

4146

KLSRV_EVP_DB_TRUNCATED

Events of this type occur when old events have been deleted from the Administration Server database after the Administration Server database capacity is reached.

You can respond to the event in the following ways:

Not stored

Failed to download file to device

4165

KLSRV_FILE_DOWNLOAD_FAILED

This event occurs in the following cases:

  • A file could not be downloaded to a device in a session.
  • A file could not be downloaded from Administration Server.

90 days

Audit: Test connection to SIEM server failed

5120

KLAUD_EV_SIEM_TEST_FAILED

Events of this type occur when an automatic connection test to the SIEM server failed.

90 days

See also:

Administration Server critical events

Administration Server functional failure events

Administration Server informational events

About events in Open Single Management Platform

Page top
[Topic 177082_1]

Administration Server informational events

The table below shows the events of Kaspersky Security Center Administration Server that have the Info importance level.

For each event that can be generated by an application, you can specify notification settings and storage settings on the Event configuration tab in the application policy. For Administration Server, you can additionally view and configure the event list in the Administration Server properties. If you want to configure notification settings for all the events at once, configure general notification settings in the Administration Server properties.

Administration Server informational events

Event type display name

Event type ID

Event type

Description

Default storage term

Over 90% of the license key is used up

4097

KLSRV_EV_LICENSE_CHECK_90

Events of this type occur when Administration Server detects that some licensing limits are close to being exceeded by Kaspersky applications installed on client devices and if the number of currently used licensing units covered by a single license constitute over 90% of the total number of units covered by the license.

Even when a licensing limit is exceeded, client devices are protected.

You can respond to the event in the following ways:

  • Look through the managed devices list. Delete devices that are not in use.
  • Provide a license for more devices (add a valid activation code or a key file to Administration Server).

Open Single Management Platform determines the rules to generate events when a licensing limit is exceeded.

30 days

New device has been detected

4100

KLSRV_EVENT_HOSTS_NEW_DETECTED

Events of this type occur when new networked devices have been discovered.

30 days

Device has been automatically added to the group

4101

KLSRV_EVENT_HOSTS_NEW_REDIRECTED

Events of this type occur when devices have been assigned to a group according to device moving rules.

30 days

Device has been automatically moved according to a rule

1074

KLSRV_HOST_MOVED_WITH_RULE_EX

Events of this type occur when devices have been moved to administration groups by using device moving rules.

30 days

Device has been removed from the group: inactive on the network for a long time

 

 

 

 

4104

 

 

KLSRV_INVISIBLE_HOSTS_REMOVED

 

 

Events of this type occur when devices have been automatically removed from a group for inactivity.

 

 

 

 

 

30 days

 

 

FCM Instance ID has changed on this mobile device

4137

KLSRV_GCM_DEVICE_REGID_CHANGED

Events of this type occur when the Firebase Cloud Messaging token has changed on the device.

For information on the FCM token rotation, please refer to the Firebase service documentation.

30 days

Updates have been successfully copied to the specified folder

4122

KLSRV_UPD_REPL_OK

Events of this type occur when the Download updates to the Administration Server repository task finishes copying files to a specified folder.

30 days

Connection to the secondary Administration Server has been established

4115

KLSRV_EV_SLAVE_SRV_CONNECTED

Refer to the following topic for details: Creating a hierarchy of Administration Servers: adding a secondary Administration Server.

30 days

Connection to the primary Administration Server has been established

4117

KLSRV_EV_MASTER_SRV_CONNECTED

 

30 days

Files have been found to send to Kaspersky for analysis

4131

KLSRV_APS_FILE_APPEARED

 

30 days

Databases have been updated

4144

KLSRV_UPD_BASES_UPDATED

Events of this type occur when the Download updates to the Administration Server repository task finishes updating databases.

30 days

Audit: Connection to the Administration Server has been established

4147

KLAUD_EV_SERVERCONNECT

Events of this type occur when a user connects to Administration Server by using Web Console. These events include information about the IP address of the device where the Administration Server is installed.

30 days

Audit: Object has been modified

4148

KLAUD_EV_OBJECTMODIFY

This event tracks changes in the following objects:

  • Administration group
  • Security group
  • User
  • Package
  • Task
  • Policy
  • Server
  • Virtual Server

30 days

Audit: Object status has changed

4150

KLAUD_EV_TASK_STATE_CHANGED

For example, this event occurs when a task has failed with an error.

30 days

Audit: Group settings have been modified

4149

KLAUD_EV_ADMGROUP_CHANGED

Events of this type occur when a security group has been edited.

30 days

Audit: Connection to Administration Server has been terminated

4151

KLAUD_EV_SERVERDISCONNECT

 

30 days

Audit: Object properties have been modified

4152

KLAUD_EV_OBJECTPROPMODIFIED

This event tracks changes in the following properties:

  • User
  • License
  • Server
  • Virtual server

30 days

Audit: User permissions have been modified

4153

KLAUD_EV_OBJECTACLMODIFIED

This event occurs when user permissions have been modified

30 days

File uploaded to Administration Server

4162

KLSRV_FILE_UPLOADED

This event occurs when a file has been uploaded to Administration Server.

30 days

File deleted from Administration Server

4163

KLSRV_FILE_REMOVED

This event occurs when a file has been deleted from Administration Server.

30 days

File downloaded to device

4164

KLSRV_FILE_DOWNLOADED

This event occurs in the following cases:

  • A file has been downloaded to a device in a session.
  • A file has been downloaded from Administration Server.

30 days

Audit: Encryption keys imported/exported

5100

KLAUD_EV_DPEKEYSEXPORT

For example, this event occurs during migration.

30 days

Audit: Test connection to SIEM server succeeded

5110

KLAUD_EV_SIEM_TEST_SUCCESS

This event occurs when a test connection to the SIEM server succeeded.

30 days

Reserve certificate created

6126

KLSRV_EV_SRV_CERT_RESERVE_CREATED

This event occurs when an Administration Server certificate has been created.

30 days

Certificate renewing

6127

KLSRV_EV_SRV_CERT_RENEWED

This event occurs when the Administration Server certificate has been renewed.

30 days

Page top
[Topic 177083_1]