Kaspersky Anti Targeted Attack Platform

Managing logs

This section contains information about managing the logs of Kaspersky Anti Targeted Attack Platform.

In the Kaspersky Anti Targeted Attack Platform web interface, you can manage the logs listed in this section.

In this section

Managing the activity log

Managing the NDR user activity log

Setting the maximum storage space limit for trace logs

Setting the maximum storage space limit for statistical logs


Managing the activity log

Some user actions in the application web interface can cause errors in the operation of Kaspersky Anti Targeted Attack Platform. You can enable logging of user action information in the application web interface and, if necessary, view the information by downloading log files.

In this section

Enabling and disabling the recording of information in the activity log

Downloading the activity log file

Content and properties of CEF messages about user activity in the web interface


Enabling and disabling the recording of information in the activity log

To enable or disable the logging of information about user actions in the Kaspersky Anti Targeted Attack Platform web interface to the activity log:

  1. Select the Logs section, User activity subsection in the application web interface.
  2. Do one of the following:
    • Set the Event logging toggle switch to the Enabled position if you want to enable the logging of information about user actions in the application web interface.
    • Set the Event logging toggle switch to the Disabled position if you want to disable the logging of information about user actions in the application web interface.

      This function is enabled by default.

Information about user actions is recorded in the user_actions.log file, which is stored on the Central Node server in the /data/storage/volumes/siem_proxy/log-user-actions/ directory. By default, records in this file are kept for 90 days, after which they are deleted.

To view the activity log records, you need to download the user_actions.log file.

You can also configure the logging of information about user activity in the application web interface to a remote log. The remote log is saved on the server on which a SIEM system is installed; writing to the remote log requires that integration with the SIEM system is configured.

In distributed solution mode, information about user actions in the application web interface is recorded in the log of the server whose web interface the user is managing. Actions of PCN server users that affect the settings of SCN servers are recorded in the PCN server log.

Users with the Security auditor role can only view the settings for logging information to the activity log.


Downloading the activity log file

To download the activity log file:

  1. Select the Logs section, User activity subsection in the application web interface.
  2. Click Download.

The file is saved to your local computer in your browser's downloads folder. The file is downloaded as a ZIP archive.

In distributed solution mode, you can download the log file only for the server for which you are managing the web interface.


Content and properties of CEF messages about user activity in the web interface

The header of each message contains the following information:

  • Format version.

    Current version number: 0. Current field value: CEF:0.

  • Vendor.

    Current field value: AO Kaspersky Lab.

  • Application name.

    Current field value: Kaspersky Anti Targeted Attack Platform.

  • Application version.

    Current field value: 7.0.1-500.

  • Event type.

    See the table below.

  • Event name.

    See the table below.

  • Event importance.

    Current field value: Low.

Example of a message header:

CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|7.0.1-500|tasks|Managing tasks|Low|

All fields of the CEF message have the "<key>=<value>" format. The keys, as well as their values contained in a message, are presented in the table below.

Event information in CEF messages

Each entry below gives the event type, the event name and description, and the keys together with descriptions of their values.

Event type: sensors
Event name: Managing the Sensor component
Description: Connecting the Sensor component to the Central Node server, modifying component settings.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: sb
Event name: Configuring integration with the Sandbox component
Description: Connecting the Sandbox component to the Central Node server.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: ex_integration
Event name: Configuring integration with external systems
Description: Configuring integration with external systems.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: ksn_kpsn_mdr
Event name: Participation in KSN, KPSN and MDR
Description: Configuring participation in Kaspersky Security Network, enabling or disabling the usage of Kaspersky Private Security Network, and configuring integration with Kaspersky Managed Detection and Response.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: yara
Event name: Managing YARA rules
Description: Operations with YARA rules.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.
  • deviceExternalID = <ID of the host in distributed solution mode>.
  • cs1label = <name of the uploaded file>.

Event type: ioc
Event name: Managing indicators of compromise
Description: Operations with IOC rules.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.
  • deviceExternalID = <identifier of the host in distributed solution mode>.

Event type: ids
Event name: Managing IDS rules
Description: Operations with IDS rules.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.
  • deviceExternalID = <identifier of the host in distributed solution mode>.

Event type: taa
Event name: Managing TAA rules
Description: Operations with TAA (IOA) rules.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: sb rules
Event name: Managing Sandbox rules
Description: Operations with Sandbox rules.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: prevention
Event name: Managing prevention rules
Description: Operations with prevention rules.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: exclusions
Event name: Managing scan exclusions
Description: Operations with scan exclusion rules.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: endpoint_agents
Event name: Managing Endpoint Agent hosts
Description: Operations with hosts on which the Endpoint Agent component is installed.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: tasks
Event name: Managing tasks
Description: Operations with tasks.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: network_isolation
Event name: Network isolation of Endpoint Agent hosts
Description: Network isolation of Endpoint Agent hosts.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: settings
Event name: Settings
Description: Modifying Central Node server settings.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: mt
Event name: Managing CN, PCN and SCN servers
Description:
Modifying the settings of Primary Central Node and Secondary Central Node servers in

and .

Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: user_account
Event name: Managing user accounts
Description: Actions on user accounts.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: notifications
Event name: Sending notifications
Description: Configuring email notifications.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

Event type: license
Event name: License
Description: Managing the license key.
Keys:
  • dvs = <IP address of the server>.
  • eventId = <ID of the event>.
  • rt = <event date and time>.
  • src = <IP address of the user>.
  • user = <user name>.
  • cs1 = <event type>.

If an operation is performed on over 30 objects simultaneously, only one entry is logged for this operation. The entry includes the information about the operation and the number of objects on which it was performed.
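As an added example, not code from the Kaspersky documentation or the product itself, the following Python parser reads CEF lines in the header and key=value layout described above (seven pipe-separated header fields, then the extension) and picks out web-interface actions of event types a SOC would want to review. The SENSITIVE_TYPES selection, the function names and the sample log lines are assumptions constructed for this example.

```python
import re

# Header layout described on this page: 7 pipe-separated fields after "CEF:", then the extension.
HEADER_FIELDS = ("version", "vendor", "product", "app_version", "event_type", "event_name", "severity")
# Event types a SOC would usually review closely; this selection is an assumption, not from the page.
SENSITIVE_TYPES = {"user_account", "settings", "network_isolation", "prevention", "exclusions", "license"}
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")

def _parse_extension(ext):
    """Split 'key=value' pairs; values may contain spaces, and '\\=' / '\\\\' are unescaped."""
    out, keys = {}, list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_cef(line):
    """Return (header dict, extension dict); the header ends after the 7th unescaped '|'."""
    body, fields, cur, i = line[4:], [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # header escapes: \| and \\
            cur.append(body[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    if not line.startswith("CEF:") or len(fields) < len(HEADER_FIELDS):
        raise ValueError("not a well-formed CEF message")
    return dict(zip(HEADER_FIELDS, fields)), _parse_extension(body[i:])

def review_activity(lines):
    """Return (user, src, event type) for sensitive web-interface actions found in CEF lines."""
    hits = []
    for header, ext in map(parse_cef, lines):
        if header["vendor"] == "AO Kaspersky Lab" and ext.get("cs1") in SENSITIVE_TYPES:
            hits.append((ext.get("user"), ext.get("src"), ext["cs1"]))
    return hits

# Constructed sample lines in the format the page documents (not real log data).
SAMPLE_LOG = [
    "CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|7.0.1-500|tasks|Managing tasks|Low|"
    "dvs=10.0.0.5 eventId=101 rt=Jan 10 2025 10:15:00 src=192.0.2.10 user=analyst cs1=tasks",
    "CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|7.0.1-500|user_account|Managing user accounts|Low|"
    "dvs=10.0.0.5 eventId=102 rt=Jan 10 2025 10:16:30 src=198.51.100.7 user=admin cs1=user_account",
    "CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|7.0.1-500|yara|Managing YARA rules|Low|"
    "dvs=10.0.0.5 eventId=103 rt=Jan 10 2025 10:17:00 src=198.51.100.7 user=admin cs1=yara cs1label=apt\\=rules.yar",
]
```

Running review_activity(SAMPLE_LOG) over the constructed lines returns only the admin's user_account action; the yara line shows an escaped "=" in cs1label being restored.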


Managing the NDR user activity log

This section contains information about managing logs of the NDR functionality.

Users with the Administrator role can manage the log. Users with the Security auditor role can view the log.

Logs are available when using any type of Kaspersky Anti Targeted Attack Platform license key.

In this section

Managing log storage settings

Enabling and disabling user activity audit

Viewing user activity audit records


Managing log storage settings

You can edit the settings of log record storage in the Central Node database.

To change the log storage settings:

  1. Log in to the web interface with the application administrator account.
  2. Select the Sensor servers section.
  3. Select the card of the Central Node server.

    The details area is displayed in the right part of the web interface window.

  4. Click Edit.

    In the details area, tabs are displayed, on which you can manage the settings of the server.

  5. On the General tab, configure the following settings in the Events, Audit entries, and Application messages sections:
    1. Use the Max volume setting to set a size limit for stored records. You can select the unit of measure for the value: MB or GB.

      When editing this setting, keep in mind the estimated maximum number of records for the specified volume. Also note that the sum of all size limits must not exceed the maximum storage capacity specified for the node.

    2. If necessary, use the Storage time (days) setting to limit the storage duration of records, and specify the duration in days.
  6. Click Save.

Log storage is configured.


Enabling and disabling user activity audit

You can enable or disable user activity audit for the NDR functionality.

User activity audit is enabled by default.

To enable or disable user activity audit:

  1. Connect to the Central Node server using the web interface.
  2. Select the Logs section, Audit subsection.
  3. Enable or disable user activity audit using the User activity audit switch in the toolbar.
  4. Wait for the changes to be applied. The switch does not become available again until the transition to the other state is completed.

See also

Viewing user activity audit records


Viewing user activity audit records

Kaspersky Anti Targeted Attack Platform can save information about actions performed by users of the NDR functionality. Information is saved in the audit log if user activity audit is enabled.

You can view audit records when connecting to the Central Node server using the web interface. If necessary, you can also configure audit records to be sent to third-party systems through connectors.

Only users with the Administrator role can view audit records.

To view audit records:

  1. Connect to the Central Node server using the web interface.
  2. Select the Logs section, Audit subsection.

The table displays audit records corresponding to the specified filtering and search conditions.

Audit record settings are displayed in the following columns of the table:

  • Date and time.

    Date and time when user activity information was recorded.

  • Action.

    Registered action performed by the user.

  • Result.

    Result of the registered action (successful or unsuccessful).

  • User.

    Name of the user that performed the registered action.

  • User node.

    IP address of the node where the registered action was performed.

  • Description.

    Additional information about the registered action.

When viewing the table of audit records, you can use the configuration, filtering, searching, and sorting functionality.


Setting the maximum storage space limit for trace logs

Information about the performance of the NDR functionality is recorded in trace logs. You can limit the storage space occupied by these logs. In this case, when the limit is reached, old trace log files are deleted from the /var/log/kaspersky directory.

Users with the Administrator role can manage log storage. Users with the Security auditor role can view these settings.

To limit the amount of space occupied by trace logs:

  1. Log in to the web interface with the application administrator account.
  2. Select the Sensor servers section in the window of the application web interface.
  3. Click the card of the relevant Sensor component.

    This opens a window with information about the component.

  4. Click Edit.
  5. Go to the General tab.
  6. In the Trace data field, use the Max volume setting to configure the maximum space that the logs can occupy. You can select the unit of measure for the value: MB or GB.

The space occupied by trace logs is limited.


Setting the maximum storage space limit for statistical logs

The statistical logs record metrics of the NDR functionality, such as the number of network packets received. You can limit the storage space occupied by these logs. In this case, when the limit is reached, old statistical log files are deleted from the /var/log/kaspersky directory.

Users with the Administrator role can manage log storage. Users with the Security auditor role can view these settings.

To limit the amount of space occupied by statistical logs:

  1. Log in to the web interface with the application administrator account.
  2. Select the Sensor servers section in the window of the application web interface.
  3. Click the card of the relevant Sensor component.

    This opens a window with information about the component.

  4. Click Edit.
  5. Go to the General tab.
  6. In the Statistical data field, use the Max volume setting to configure the maximum space that the logs can occupy. You can select the unit of measure for the value: MB or GB.

The space occupied by statistical logs is limited.
