Events and reports
While the application is running, various events can occur. The events may be informational or may contain important data. For example, the application can use events to notify about a successful application database update, or to inform about an error in the operation of application components that must be eliminated.
The application generates various types of reports based on the events that occur while the application is running.
Events and reports may contain the following personal data:
- User name and user ID of operating system users
- Paths to user files
- IP addresses of remote devices that are scanned by the Anti-Cryptor task
- IP addresses of senders and receivers of network packets scanned by the Firewall Management task
- Web addresses of the update sources
- General application settings
- Task names and settings
- Detected malicious, phishing, adware web addresses, and web addresses that contain legal software that may be used by criminals to damage your device or personal data
- Names of the containers and images
- Paths to the containers and images
- Names and IDs of the devices
- Web addresses of the repositories
- File names, paths to files, and hash-sums of executable application files
- Application category names
Viewing events
You can view events in the following ways:
- In the application event log. The event log is located in the directory specified by the EventsStoragePath general application setting. By default, the application saves information about events to the /var/opt/kaspersky/kess/private/storage/events.db database. Root privileges are required to access the database of events.
- In syslog. If the UseSysLog general application setting has the value Yes, event data is also written to syslog. Root privileges are required to access syslog.
- In the console, by enabling output of current application events with the kess-control -W command.
- If Kaspersky Embedded Systems Security is managed by Kaspersky Security Center, information about events may be transmitted to the Kaspersky Security Center Administration Server. Aggregation rules apply to certain events. If a large number of same-type events are created within a short period of time while the application is running, the application switches to event aggregation mode and sends Kaspersky Security Center one aggregated event with a description of the event settings. Different aggregation rules may be used for different events. The administrator can configure the execution of a script upon receiving events from the application or upon receiving notifications about events by e-mail. For more information about events, refer to Kaspersky Security Center documentation.
- If the graphical user interface (GUI) is enabled, information about events can be viewed in reports and in application pop-up windows.
To get information about all events in the event log, run the following command:
kess-control -E --query|less
By default, the application stores up to 500,000 events. You can use the less command to navigate through the list of displayed events.
You can view specific events using the application's event store query system.
When creating a query, indicate the required field, select a comparison operator, and specify the desired value. The value must be specified in single quotation marks ('), and the whole query must be specified in double quotation marks ("):
--query "<field> <comparison operator> '<value>' [and <field> <comparison operator> '<value>' *]"
You can specify a date value in UNIX time (the number of seconds that have elapsed since 00:00:00 (UTC), January 1, 1970) or in YYYY-MM-DD hh:mm:ss format. The user specifies the date and time in the user's local time zone, and the application displays them in the same time zone.
ThreatDetected example:
Query examples:
- Get all events by the EventType field:
- Display all events with the specified values of the EventType and FileName fields:
- Get events generated by the File_Threat_Protection task after the date specified in UNIX time (the number of seconds that have elapsed since 00:00:00 (UTC), January 1, 1970):
- Get all events generated by the File_Threat_Protection task after the date specified in YYYY-MM-DD hh:mm:ss format:
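The following Python helper is an added example, not part of the Kaspersky documentation, that assembles kess-control event queries following the quoting rules described above (single quotes around each value, conditions joined with and, the whole query passed as one argument) and converts a local YYYY-MM-DD hh:mm:ss timestamp to UNIX time for date comparisons. The field names EventType and FileName and the task name File_Threat_Protection appear on this page; the field names TaskName and Date, and the set of comparison operators the helper accepts, are assumptions of the example and should be checked against the product documentation.

```python
"""Added example (not from the Kaspersky documentation): build kess-control
event-store queries that follow the documented quoting rules, and convert a
local YYYY-MM-DD hh:mm:ss timestamp to UNIX time for date comparisons."""
import re
import shlex
import time

# Comparison operators this helper accepts. This set is an assumption of the
# example; consult the product documentation for the operators kess-control supports.
ALLOWED_OPERATORS = {"==", "!=", "<", ">", "<=", ">="}

# A field name must look like an identifier, so only a field name can ever
# occupy the <field> position of the query grammar.
FIELD_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def to_unix(local_timestamp: str) -> int:
    """Convert 'YYYY-MM-DD hh:mm:ss', interpreted in the local time zone as the
    application does, to seconds since 00:00:00 UTC, January 1, 1970."""
    parsed = time.strptime(local_timestamp, "%Y-%m-%d %H:%M:%S")
    return int(time.mktime(parsed))


def from_unix(unix_time: int) -> str:
    """Inverse of to_unix, rendered in the local time zone."""
    return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(unix_time))


def build_query(conditions):
    """conditions: list of (field, operator, value) tuples.

    Returns the text that goes after --query, in the documented form
    "<field> <op> '<value>' [and <field> <op> '<value>' ...]".
    Values containing quotation marks are rejected rather than escaped: the
    page documents no escape sequence, and rejecting keeps an untrusted value
    (a file name, a web address) from closing the quoted value and appending
    conditions of its own.
    """
    if not conditions:
        raise ValueError("a query needs at least one condition")
    parts = []
    for field, op, value in conditions:
        if not FIELD_RE.match(field):
            raise ValueError(f"invalid field name: {field!r}")
        if op not in ALLOWED_OPERATORS:
            raise ValueError(f"unsupported comparison operator: {op!r}")
        value = str(value)
        if "'" in value or '"' in value:
            raise ValueError("quotation marks are not allowed inside a value")
        parts.append(f"{field} {op} '{value}'")
    return " and ".join(parts)


def kess_control_command(conditions):
    """Full argv list for kess-control (suitable for subprocess.run). Passing the
    query as a single argument is what the surrounding double quotes achieve in
    the interactive shell form shown in the documentation."""
    return ["kess-control", "-E", "--query", build_query(conditions)]


if __name__ == "__main__":
    # EventType and FileName are documented field names; TaskName and Date are
    # assumed field names used only to illustrate a date-bounded query.
    print(build_query([("EventType", "==", "ThreatDetected")]))
    since = to_unix("2024-01-15 08:00:00")  # constructed local timestamp
    print(build_query([("TaskName", "==", "File_Threat_Protection"), ("Date", ">", since)]))
    print(shlex.join(kess_control_command([("EventType", "==", "ThreatDetected"),
                                           ("FileName", "==", "/tmp/sample.bin")])))
```

The shlex.join output is the string you would paste into a shell, with the whole query inside double quotes exactly as the syntax above requires; when calling kess-control from a script, pass the argv list from kess_control_command directly instead of going through a shell.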
Viewing reports
Information about the operation of each Kaspersky Embedded Systems Security component, the performance of each task, and the overall operation of the application is recorded in reports.
You can view reports in the following ways:
- If Kaspersky Embedded Systems Security is managed using Kaspersky Security Center, you can generate and view Kaspersky Security Center reports in the Administration Console and in the Web Console. You can use Kaspersky Security Center reports, for example, to get information about infected files or usage of keys and application databases. For detailed information on working with Kaspersky Security Center reports, refer to Kaspersky Security Center documentation.
- If the graphical user interface (GUI) is enabled, information about application events is displayed in the application reports.