Kaspersky Security Center 13.1

Exporting events directly from the database

You can retrieve events directly from the Kaspersky Security Center database without having to use the Kaspersky Security Center interface. You can either query the public views directly and retrieve the event data or create your own views on the basis of existing public views and address them to get the data you need.

Public views

For your convenience, a set of public views is provided in the Kaspersky Security Center database. You can find the description of these public views in the klakdb.chm document.

The v_akpub_ev_event public view contains a set of fields that represent the event parameters in the database. In the klakdb.chm document you can also find information on public views corresponding to other Kaspersky Security Center entities, for example, devices, applications, or users. You can use this information in your queries.

This section contains instructions for creating an SQL query by means of the klsql2 utility and a query example.

To create SQL queries or database views, you can also use any other program for working with databases. Information on how to view the parameters for connecting to the Kaspersky Security Center database, such as instance name and database name, is given in the corresponding section.

In this section

Creating an SQL query using the klsql2 utility

Example of an SQL query in the klsql2 utility

Viewing the Kaspersky Security Center database name

See also:

Scenario: configuring event export to SIEM systems


Creating an SQL query using the klsql2 utility

This section describes how to download and use the klsql2 utility, and how to create an SQL query by using this utility. When you create an SQL query by means of the klsql2 utility, you do not have to provide database name and access parameters, because the query addresses Kaspersky Security Center public views directly.

To download and use the klsql2 utility:

  1. Download the klsql2 utility from the Kaspersky website.
  2. Copy and extract the downloaded klsql2.zip file to any folder on the device with Kaspersky Security Center Administration Server installed.

    The klsql2.zip package includes the following files:

    • klsql2.exe
    • src.sql
    • start.cmd
  3. Open the src.sql file in any text editor.
  4. In the src.sql file, type the SQL query that you want, and then save the file.
  5. On the device with Kaspersky Security Center Administration Server installed, in the command line, type the following command to run the SQL query from the src.sql file and save the results to the result.xml file:

    klsql2 -i src.sql -o result.xml

  6. Open the newly created result.xml file to view the query results.

You can edit the src.sql file and create any query to the public views. Then, from the command line, execute your query and save the results to a file.

See also

Scenario: configuring event export to SIEM systems


Example of an SQL query in the klsql2 utility

This section shows an example of an SQL query created by means of the klsql2 utility.

The following example retrieves the events that occurred on devices during the last seven days and displays them ordered by the time they occurred, with the most recent events first.

Example:

SELECT
    e.nId,                     /* event identifier */
    e.tmRiseTime,              /* time when the event occurred */
    e.strEventType,            /* internal name of the event type */
    e.wstrEventTypeDisplayName, /* displayed name of the event */
    e.wstrDescription,         /* displayed description of the event */
    e.wstrGroupName,           /* name of the group where the device is located */
    h.wstrDisplayName,         /* displayed name of the device on which the event occurred */
    CAST(((h.nIp / 16777216) & 255) AS varchar(4)) + '.' +
    CAST(((h.nIp / 65536) & 255) AS varchar(4)) + '.' +
    CAST(((h.nIp / 256) & 255) AS varchar(4)) + '.' +
    CAST(((h.nIp) & 255) AS varchar(4)) AS strIp /* IP address of the device on which the event occurred */
FROM v_akpub_ev_event e
INNER JOIN v_akpub_host h ON h.nId = e.nHostId
WHERE e.tmRiseTime >= DATEADD(Day, -7, GETUTCDATE())
ORDER BY e.tmRiseTime DESC
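As an added example that is not part of the Kaspersky documentation, the following query builds on the one above to summarize the last 24 hours of events per device and event type, a shape that is more useful for feeding a SIEM or a triage dashboard than a raw event list. It uses only the public-view columns shown above and assumes the server is Microsoft SQL Server (as the DATEADD and GETUTCDATE calls above already do); it also assumes that nIp is a signed 32-bit int, so the address is normalized through bigint before the octet arithmetic, which keeps addresses at or above 128.0.0.0 from decoding incorrectly.

```sql
-- Added example, not from the Kaspersky documentation.
-- Assumptions: Microsoft SQL Server; h.nIp is a signed 32-bit int holding
-- the IPv4 address in network byte order. Masking the bigint value with
-- 4294967295 (0xFFFFFFFF) turns a negative int back into the unsigned address
-- so that the division-based octet extraction is correct for every address.
WITH recent AS (
    SELECT
        e.nHostId,
        e.strEventType,
        e.wstrEventTypeDisplayName,
        e.tmRiseTime
    FROM v_akpub_ev_event e
    WHERE e.tmRiseTime >= DATEADD(hour, -24, GETUTCDATE())
),
hosts AS (
    SELECT
        h.nId,
        h.wstrDisplayName,
        CAST(h.nIp AS bigint) & 4294967295 AS uIp   -- unsigned view of nIp
    FROM v_akpub_host h
)
SELECT
    hs.wstrDisplayName                            AS strDevice,
    CAST((hs.uIp / 16777216) & 255 AS varchar(3)) + '.' +
    CAST((hs.uIp / 65536)    & 255 AS varchar(3)) + '.' +
    CAST((hs.uIp / 256)      & 255 AS varchar(3)) + '.' +
    CAST( hs.uIp             & 255 AS varchar(3)) AS strIp,
    r.strEventType,
    r.wstrEventTypeDisplayName,
    COUNT(*)          AS nEvents,      -- how often this type fired on this device
    MIN(r.tmRiseTime) AS tmFirstSeen,  -- start of the burst
    MAX(r.tmRiseTime) AS tmLastSeen    -- most recent occurrence
FROM recent r
INNER JOIN hosts hs ON hs.nId = r.nHostId
GROUP BY hs.wstrDisplayName, hs.uIp, r.strEventType, r.wstrEventTypeDisplayName
HAVING COUNT(*) >= 5                   -- keep only repeated event types; tune as needed
ORDER BY nEvents DESC, tmLastSeen DESC
```

Save the query as src.sql and run it with the same klsql2 command shown above; devices that repeatedly raise the same event type appear at the top of result.xml.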

See also:

Scenario: configuring event export to SIEM systems


Viewing the Kaspersky Security Center database name


It can be helpful to know the database name if you need, for example, to send an SQL query and connect to the database from your SQL script editor.

To view the name of the Kaspersky Security Center database:

  1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder and select Properties.
  2. In the Administration Server properties window, in the Sections pane select Advanced and then Details of current database.
  3. In the Details of current database section, note the following database properties (see figure below):
    • Instance name

      Name of the current Kaspersky Security Center database instance. The default value is .\KAV_CS_ADMIN_KIT.

    • Database name

      Name of the Kaspersky Security Center SQL database. The default value is KAV.

    The Details of current database section contains the following information: the Instance name, the Database name, the Database file size, the Size of data in the database, and the Number of events stored in the database.

    Section with information about the current Administration Server database

  4. Click the OK button to close the Administration Server properties window.

Use the database name to address the database in your SQL queries.

See also:

Scenario: configuring event export to SIEM systems
