Kaspersky Embedded Systems Security for Linux

Viewing events and reports

While the application is running, various events can occur. The events may be informational or may contain important data. For example, the application can use events to notify about a successful application database update, or to report an error in the operation of application components that must be resolved.

Kaspersky Embedded Systems Security saves information about application events to the following logs:

  • The application event log. By default, the application saves information about events to the /var/opt/kaspersky/kess/private/storage/events.db database. You can configure the application event log on the command line.
  • Operating system log (syslog). The operating system log is not used by default. You can enable saving events to this log.

Access to the application event log and operating system log requires root privileges.

If Kaspersky Embedded Systems Security is managed by Kaspersky Security Center, information about events may be transmitted to the Kaspersky Security Center Administration Server. Aggregation rules apply to certain events. If a large number of same-type events are created within a short period of time while the application is running, the application switches to event aggregation mode and sends Kaspersky Security Center one aggregated event that describes the settings of the aggregated events. Different aggregation rules may be used for different events. For more information about events, refer to the Kaspersky Security Center Help.

You can receive information about application events in the following ways:

Some events may contain file paths. For output, the file path is treated as a UTF-8 string. Any byte in the path that does not comply with the UTF-8 encoding rules is replaced with the ? character. Any four-byte sequence that encodes a character code outside the Unicode range (greater than 0x10FFFF) is also replaced with the ? character. Control and special characters are escaped as described below; the rules differ between plain command-line output, JSON output, and syslog.

The following rules apply for escaping characters in file paths inside events in the output of kess-control -E --query:

  • '\a', '\b', '\t', '\n', '\v', '\f', '\r' characters are replaced by two characters as follows:

    '\a' -> "\\a"

    '\b' -> "\\b"

    '\t' -> "\\t"

    '\n' -> "\\n"

    '\v' -> "\\v"

    '\f' -> "\\f"

    '\r' -> "\\r"

  • All other special characters are output without modification.

The following rules apply for escaping characters in file paths inside events in the output of kess-control -E --query --json:

  • In accordance with the JSON format, the '\b', '\f', '\n', '\r', '\t', '"', '\\' characters are escaped as follows:

    '\b' -> "\\b"

    '\f' -> "\\f"

    '\n' -> "\\n"

    '\r' -> "\\r"

    '\t' -> "\\t"

    '"' -> "\\\""

    '\\' -> "\\\\"

  • All other special characters are escaped in accordance with the general JSON rules for escaping special characters ('\a' -> '\u0007').

Rules for escaping characters in file paths in events when sending to syslog:

  • In accordance with the JSON format, the '\b', '\f', '\n', '\r', '\t', '"', '\\' characters are escaped as follows:

    '\b' -> "\\b"

    '\f' -> "\\f"

    '\n' -> "\\n"

    '\r' -> "\\r"

    '\t' -> "\\t"

    '"' -> "\\\""

    '\\' -> "\\\\"

  • All other special characters are escaped in accordance with the general JSON rules for escaping special characters ('\a' -> '\u0007').

In the rules above, both sides of each arrow use C-style string notation: the first backslash in a sequence is the escape character of the notation itself, not a character that is output.

Examples:

'\a' is one character (a control character).

'\\a' is two characters (backslash + the a character).

'\\' is one character (backslash), '\\\\' is two characters (backslash + backslash).
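The rules above matter because a file name is attacker-controlled input that ends up in a log: a path containing a newline would otherwise let a crafted file forge an extra event line, and an invalid byte sequence could break whatever parses the log. The following Python re-implements the documented behaviour so the three output forms can be compared on the same input. It is an added example, not Kaspersky's code; where the text is silent (how many ? a truncated or broken sequence yields, how overlong forms and surrogates are treated) the choices below are assumptions, marked in the comments.

```python
import json

# Added example re-implementing the documented file-path rules; not Kaspersky's code.

def decode_event_path(raw: bytes) -> str:
    """Turn raw path bytes into text: every byte that is not part of a valid UTF-8
    sequence becomes '?', and a well-formed four-byte sequence whose code point is
    above 0x10FFFF becomes a single '?', as the help text describes."""
    out = []
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:                                   # plain ASCII
            out.append(chr(b))
            i += 1
            continue
        if 0xC2 <= b <= 0xDF:
            length, cp, minimum = 2, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            length, cp, minimum = 3, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:                        # F5..F7 can only encode > 0x10FFFF
            length, cp, minimum = 4, b & 0x07, 0x10000
        else:                                          # stray continuation byte, C0/C1, F8..FF
            out.append("?")
            i += 1
            continue
        tail = raw[i + 1:i + length]
        if len(tail) != length - 1 or any(not 0x80 <= t <= 0xBF for t in tail):
            out.append("?")                            # truncated/broken sequence: drop lead byte only (assumption)
            i += 1
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        i += length
        if cp < minimum or 0xD800 <= cp <= 0xDFFF:
            out.append("?")                            # overlong form or UTF-16 surrogate (assumption)
        elif cp > 0x10FFFF:
            out.append("?")                            # outside Unicode: one '?' for the whole sequence
        else:
            out.append(chr(cp))
    return "".join(out)


# kess-control -E --query without --json: only these seven control characters change.
_PLAIN = {"\a": "\\a", "\b": "\\b", "\t": "\\t", "\n": "\\n",
          "\v": "\\v", "\f": "\\f", "\r": "\\r"}

def escape_plain(path: str) -> str:
    """Plain output: backslashes and quotes pass through unchanged."""
    return "".join(_PLAIN.get(c, c) for c in path)


# kess-control -E --query --json and syslog: JSON string escaping.
_JSON = {"\b": "\\b", "\f": "\\f", "\n": "\\n", "\r": "\\r",
         "\t": "\\t", '"': '\\"', "\\": "\\\\"}

def escape_json(path: str) -> str:
    """JSON output: the short escapes above, every other control character as \\u00XX."""
    out = []
    for c in path:
        if c in _JSON:
            out.append(_JSON[c])
        elif ord(c) < 0x20:
            out.append("\\u%04x" % ord(c))             # e.g. BEL -> \u0007
        else:
            out.append(c)
    return "".join(out)


def render_event_path(raw: bytes, json_output: bool = False) -> str:
    """Decode then escape, the way the path would appear in an event."""
    text = decode_event_path(raw)
    return escape_json(text) if json_output else escape_plain(text)


def matches_stdlib_json(text: str) -> bool:
    """Cross-check: our JSON escaping agrees with json.dumps for the same string."""
    return escape_json(text) == json.dumps(text, ensure_ascii=False)[1:-1]


if __name__ == "__main__":
    # Constructed sample: a newline (log-injection attempt), a quote, a literal
    # backslash, a stray 0xFF byte and the four-byte sequence for code point 0x110000.
    sample = b'/home/user/report\nINFO fake "event" c:\\x\xff\xf4\x90\x80\x80.pdf'
    print(render_event_path(sample))
    print(render_event_path(sample, json_output=True))
```

One consequence of the plain-output rule that a practitioner should keep in mind: because a literal backslash is printed unchanged, a path that contains the two characters backslash and n prints exactly like a path that contains a newline (both appear as \n). Only the JSON output, where the backslash itself is escaped, distinguishes the two, so parse --json output when you need to recover the original path unambiguously.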

The application can generate various types of reports on the events that occur while the application is running. Reports contain information about the operation of each Kaspersky Embedded Systems Security component, the results of each task, and the overall operation of the application.

You can view reports in the following ways:

  • Kaspersky Security Center reports are available in the Administration Console and in the Web Console. You can use these to get information about infected files or usage of keys and application databases, among other things. For detailed information on working with Kaspersky Security Center reports, please refer to the Kaspersky Security Center Help.
  • Application reports are available in the Kaspersky Embedded Systems Security graphical user interface.

Events and reports may contain the following personal data:

  • User name and user ID of operating system users
  • Paths to user files
  • IP addresses of remote devices that are scanned by the Anti-Cryptor component
  • IP addresses of senders and receivers of network packets scanned by the Firewall Management component
  • Web addresses of the update sources
  • General application settings values
  • Names and settings of command line tasks
  • Detected malicious, phishing, adware web addresses, and web addresses containing legitimate applications that intruders can use to compromise devices or data
  • Names and IDs of the devices
  • Web addresses of the repositories
  • File names, paths to files, and hash-sums of executable application files
  • Application category names

In this Help section

Configuring event logging to the operating system log

Configuring application event log settings

Viewing events in Kaspersky Security Center

Viewing events in the command line

Configuring the display of notifications in the graphical user interface


Configuring event logging to the operating system log

Events that occur during the operation of Kaspersky Embedded Systems Security can be recorded in the operating system log. You can enable or disable the recording of events in this log using the Web Console, Administration Console, or the command line.

If you use the command line to manage the application, the recording of events in the operating system log is disabled by default.

If you use Kaspersky Security Center to manage the application, by default, information about adding and removing license keys and about license term expiration is recorded in the operating system log. You can select the events that you want to be recorded in the operating system log in the properties of the policy that is applied to the application.

Configuring in the Web Console

In the Web Console, you can configure logging events to the operating system log in the policy properties (Application settings → General settings → Application settings).

Clicking the Configure notifications link in the Notifications section opens the Notifications window. In this window, you can use the check boxes to select the events that the application records in the operating system log.

You can select individual event types or all event types with a certain severity level.

Configuring in the Administration Console

In the Administration Console, you can configure logging events to the operating system log in the policy properties (General settings → Application settings).

Clicking Configure under Notifications opens the Notification settings window. In this window, you can use the check boxes to select the events that the application records in the operating system log.

You can select individual event types or all event types with a certain severity level.

Configuring in the command line

You can enable or disable saving events to the operating system log in the command line via the UseSyslog option in the general application settings.

You can edit the option via command line switches or a configuration file that contains all general application settings.

UseSyslog accepts the following values:

  • Yes: enable saving events to syslog.
  • No (default): disable saving events to syslog.

Configuring application event log settings

By default, information about events is saved to the application event log located on the device. You can define the following application event log options in the command line via the general application settings:

  • Change the path to the application event log database via the EventsStoragePath option. Default value: /var/opt/kaspersky/kess/private/storage/events.db.
  • Specify the maximum number of events to be stored by the application via the MaxEventsNumber option. Default value: 500000. When the specified number of events is exceeded, the application deletes the oldest events. Because the oldest records are discarded once this limit is reached, the local event log alone is not a durable audit trail: if you need to retain more than MaxEventsNumber events, also forward events to the operating system log (UseSyslog) or to Kaspersky Security Center.

You can change the values of the settings with the help of command line switches or a configuration file that contains all general application settings.


Viewing events in Kaspersky Security Center

A list of all Kaspersky Embedded Systems Security events is displayed in the Web Console and in the Administration Console.

You can configure event notifications. A notification is a message containing information about an event that occurred on a protected device. Notifications give you timely information about application events. You can configure the execution of a script upon receiving events from the application or upon receiving notifications about events by e-mail.

For detailed information about using Kaspersky Security Center notifications, refer to the Kaspersky Security Center Help.


Viewing events in the command line

In the command line, you can view:

  • Current application events
  • Events in the application event log

Displaying current events

You can output information about all current application events or about current events associated with starting or stopping a specified task. You can use the filter to output certain current events, for example, events of a specified type.

To output information about all current application events, run:

kess-control -W

The command returns the name of the event and additional information about the event.

To output only information about current events associated with a running task, run:

kess-control --start-task <task ID/name> [-W] [--progress]

Example:

Enable display of the current events of the running task with ID=1:

kess-control --start-task 1 -W

To output information about current events that match the filter conditions, run:

kess-control -W --query "<filter conditions>"

where <filter conditions> is one or more logical expressions in the format <field> <comparison operator> '<value>', combined with the logical operator and.

Example:

Display TaskStateChanged events:

kess-control -W --query "EventType == 'TaskStateChanged'"

Display TaskSettingsChanged events initiated by the 'User' user:

kess-control -W --query "EventType == 'TaskSettingsChanged' and Initiator == 'User'"

Displaying events from the event log

You can output information about events from the application event log to the console or a file. You can use a filter to display only certain events.

To output information about all events in the application event log, run:

kess-control -E --query [--db <database file>]

where <database file> is the full path to the event log database file to output events from. By default, the application saves information about events to the /var/opt/kaspersky/kess/private/storage/events.db database. The location of the database is determined by the EventsStoragePath global application setting.

If the event log is located in the default database, you can output information about all events using the kess-control -E command.

You can use less to navigate the list of displayed events. By default, the application stores up to 500,000 events. The maximum number of events that the application stores is determined by the MaxEventsNumber general application setting.

To output information about events in the application event log that meet certain criteria, run:

kess-control -E --query "<filter conditions>" [--db <database file>] [-n <number>] [--json] [--reverse]

where:

  • <filter conditions>: one or several logical expressions in the format <field> <comparison operator> '<value>', combined with the logical operator and to limit the results.
  • <number> – number of the latest events of the selection (number of records from the end of the selection) to be displayed.
  • --json: output events in JSON format.
  • --reverse: display events in reverse order (from the newest event at the top to the oldest at the bottom).

To output information about events in the application event log that meet certain criteria to a file, run:

kess-control -E --query "<filter conditions>" [--db <database file>] [-n <number>] --file <file path> [--json]

where --file <file path> is the full path to the file to output events to.


Configuring the display of notifications in the graphical user interface

You can enable displaying pop-up notifications in the application's graphical user interface using the Web Console, Administration Console, or the command line.

Configuring in the Web Console

In the Web Console, you can configure displaying pop-up notifications in the graphical user interface in the policy properties (Application settings → General settings → Application settings).

The Show pop-up notifications in the graphical user interface check box enables displaying pop-up notifications in the graphical user interface.

The check box is selected by default.

Configuring in the Administration Console

In the Administration Console, you can configure displaying pop-up notifications in the graphical user interface in the policy properties (General settings → Application settings).

The Show pop-up notifications in the graphical user interface check box enables displaying pop-up notifications in the graphical user interface.

The check box is selected by default.

Configuring in the command line

On the command line, you can enable or disable displaying pop-up notifications in the graphical user interface using the ShowPopUpNotifications setting in the General application settings.

You can edit the setting using command line options or a configuration file that contains all general application settings.

The ShowPopUpNotifications setting can take the following values:

  • Yes (default value) – show pop-up notifications in the graphical user interface.
  • No – do not show pop-up notifications in the graphical user interface.