Kaspersky Security Center 13.1

Notifications of events

This section describes how to select a method for delivering administrator notifications about events on client devices, and how to configure event notification settings.

It also describes how to test the distribution of event notifications by using the EICAR test virus.

In this section

Configuring event notification

Testing notifications

Event notifications displayed by running an executable file


Configuring event notification


Kaspersky Security Center allows you to select a method of notifying the administrator of events on client devices and to configure notification:

  • Email. When an event occurs, the application sends a notification to the email addresses specified. You can edit the text of the notification.
  • SMS. When an event occurs, the application sends a notification to the phone numbers specified. You can configure SMS notifications to be sent through the mail gateway.
  • Executable file. When an event occurs on a device, the executable file is started on the administrator's workstation. Using the executable file, the administrator can receive the parameters of any event that has occurred.

To configure notification of events occurring on client devices:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Events tab.
  3. Click the Configure notifications and event export link and select the Configure notifications value in the drop-down list.

    This opens the Properties: Events window.

  4. In the Notification section, select a notification method (by email, by SMS, or by running an executable file) and define the notification settings:
    • Email

      The Email tab allows you to configure email notifications for events.

      In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons.

      In the SMTP servers field, specify mail server addresses, by separating them with semicolons. You can use the IP address or DNS name of the SMTP server as the address.

      In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.

      If you enable the Use DNS MX lookup option, you can use several MX records of the IP addresses for the same DNS name of the SMTP server. The same DNS name may have several MX records with different values of priority of receiving email messages. Administration Server attempts to send email notifications to the SMTP server in ascending order of MX records priority. By default, this option is disabled.

      If you enable the Use DNS MX lookup option and do not enable usage of TLS settings, we recommend that you use the DNSSEC settings on your server device as an additional measure of protection for sending email notifications.

      Click the Settings link to define additional notification settings:

      • Subject name (subject name of an email message)
      • Sender email address
      • ESMTP authentication settings

      You have to specify an account for authentication on an SMTP server if the ESMTP authentication option is enabled for the SMTP server.

      • TLS settings for the SMTP server:
        • Do not use TLS

        You can select this option if you want to disable encryption of email messages.

        • Use TLS if supported by SMTP server

        You can select this option if you want to use a TLS connection to an SMTP server. If the SMTP server does not support TLS, Administration Server connects to the SMTP server without using TLS.

        • Always use TLS, check the server certificate for validity

        You can select this option if you want to use TLS authentication settings. If the SMTP server does not support TLS, Administration Server cannot connect to the SMTP server.

      We recommend that you use this option for better protection of the connection with an SMTP server. If you select this option, you can set authentication settings for a TLS connection.

      If you choose the Always use TLS, check the server certificate for validity value, you can specify a certificate for authentication of the SMTP server and choose whether you want to enable communication through any version of TLS or only through TLS 1.2 or later versions. Also, you can specify a certificate for client authentication on the SMTP server.

      You can specify TLS settings for an SMTP server:

      • Browse for an SMTP server certificate file:

      You can receive a file with the list of certificates from a trusted certification authority and upload the file to Administration Server. Kaspersky Security Center checks whether the certificate of an SMTP server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to an SMTP server if the certificate of the SMTP server is not received from a trusted certification authority.

      • Browse for a client certificate file:

      You can use a certificate that you received from any source, for example, from any trusted certification authority. You must specify the certificate and its private key by using one of the following certificate types:

      • X-509 certificate:

      You must specify a file with the certificate and a file with the private key. Both files do not depend on each other and the order of loading of the files is not significant. When both files are loaded, you must specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.

      • pkcs12 container:

      You must upload a single file that contains the certificate and its private key. When the file is loaded, you must then specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.

      The Notification message field contains standard text with information about the event that the application sends when an event occurs. This text includes substitute parameters, such as event name, device name, and domain name. You can edit the message text by adding other substitute parameters with more relevant details of the event. The list of substitute parameters is available by clicking the button to the right of the field.

      If the notification text contains a percent sign (%), you have to type it twice in a row to allow message sending. For example, "CPU load is 100%%".

      Click the Configure numeric limit of notifications link to specify the maximum number of notifications that the application can send over the specified time interval.

      Click the Send test message button to check if you have configured notifications properly. The application should send a test notification to the email addresses that you specified.

    • SMS

      The SMS tab allows you to configure the transmission of SMS notifications of various events to a cell phone. SMS messages are sent through a mail gateway.

      In the Recipients (email addresses) field, specify the email addresses to which the application will send notifications. You can specify multiple addresses in this field, by separating them with semicolons. The notifications will be delivered to the phone numbers associated with the specified email addresses.

      In the SMTP servers field, specify mail server addresses, by separating them with semicolons. You can use the IP address or the Windows network name (NetBIOS name) of the device as the address.

      In the SMTP server port field, specify the number of an SMTP server communication port. The default port number is 25.

      Click the Settings link to define additional notification settings:

      • Subject name (subject name of an email message)
      • Sender email address
      • ESMTP authentication settings

      If necessary, you can specify an account for authentication on an SMTP server if the option of ESMTP authentication is enabled for the SMTP server.

      • TLS settings for an SMTP server

      You can disable usage of TLS, use TLS if the SMTP server supports this protocol, or you can force usage of TLS only. If you choose to use only TLS, you can specify a certificate for authentication of the SMTP server and choose whether you want to enable communication through any version of TLS or only through TLS 1.2 or later versions. Also, if you choose to use only TLS, you can specify a certificate for client authentication on the SMTP server.

      • Browse for an SMTP server certificate file

      You can receive a file with the list of certificates from a trusted certification authority and upload the file to Kaspersky Security Center. Kaspersky Security Center checks whether the certificate of the SMTP server is also signed by a trusted certification authority. Kaspersky Security Center cannot connect to the SMTP server if the certificate of the SMTP server is not received from a trusted certification authority.

      You must upload a single file that contains the certificate and its private key. When the file is loaded, you must then specify the password for decoding the private key. The password can have an empty value if the private key is not encoded.

      The Notification message field contains standard text with information about the event that the application sends when an event occurs. This text includes substitute parameters, such as event name, device name, and domain name. You can edit the message text by adding other substitute parameters with more relevant details of the event. The list of substitute parameters is available by clicking the button to the right of the field.

      If the notification text contains a percent sign (%), you have to type it twice in a row to allow message sending. For example, "CPU load is 100%%".

      Click the Configure numeric limit of notifications link to specify the maximum number of notifications that the application can send during the specified time interval.

      Click the Send test message button to check whether you configured notifications properly. The application should send a test notification to the recipient that you specified.

    • Executable file to be run

      If this notification method is selected, in the entry field you can specify the application that will start when an event occurs.

      Clicking the Configure numeric limit of notifications link allows you to specify the maximum number of notifications that the application can send during the specified time interval.

      Clicking the Send test message button allows you to check whether you configured notifications properly: the application sends a test notification to the email addresses that you specified.

  5. In the Notification message field, enter the text that the application will send when an event occurs.

    You can use the drop-down list to the right of the text field to add substitution settings with event details (for example, event description, or time of occurrence).

    If the notification text contains a percent (%), you must specify it twice in succession to allow message sending. For example, "CPU load is 100%%".

  6. Click the Send test message button to check whether notification has been configured correctly.

    The application sends a test notification to the specified user.

  7. Click OK to save the changes.

The re-adjusted notification settings are applied to all events that occur on client devices.

You can override notification settings for certain events in the Event configuration section of the Administration Server settings, of the policy settings, or of the application settings.
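
A pre-flight check for the servers entered in the SMTP servers field, as an added example (not Kaspersky code): it reports whether each server would accept a connection under the Always use TLS, check the server certificate for validity option with TLS 1.2 or later, without sending mail. The function names, the 10-second timeout, the use of STARTTLS on the configured port and Python's smtplib are assumptions of this example.

```python
import smtplib
import ssl


def strict_context(ca_file=None, tls12_only=True):
    """Client context that requires a valid, trusted server certificate."""
    # create_default_context turns on CERT_REQUIRED and hostname checking;
    # ca_file plays the role of the uploaded SMTP server certificate file.
    ctx = ssl.create_default_context(cafile=ca_file)
    if tls12_only:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_servers(field_value):
    """Split the semicolon-separated value of the SMTP servers field."""
    return [h.strip() for h in field_value.split(";") if h.strip()]


def preflight(host, port=25, ca_file=None, tls12_only=True, timeout=10):
    """Return (ok, detail) for one SMTP server; no message is sent."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                # With "Use TLS if supported" this server would get plaintext.
                return False, "STARTTLS not advertised; strict TLS cannot connect"
            # An IP address only validates if the certificate lists that IP.
            smtp.starttls(context=strict_context(ca_file, tls12_only))
            smtp.ehlo()
            return True, "negotiated " + smtp.sock.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: " + exc.verify_message
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return False, "connection failed: " + str(exc)


def check_servers(field_value, **kwargs):
    """Run the pre-flight check against every server in the field value."""
    return {h: preflight(h, **kwargs) for h in parse_servers(field_value)}


if __name__ == "__main__":
    # mail.example.com is a placeholder host name, not a real server.
    for server, (ok, detail) in check_servers("mail.example.com").items():
        print(server, "OK" if ok else "FAIL", detail)
```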

See also:

Event processing and storage on the Administration Server

Scenario: Monitoring and reporting


Testing notifications

To check whether event notifications are sent, the application uses the notification of the EICAR test "virus" detection on client devices.

To verify sending of event notifications:

  1. Stop the real-time file system protection task on a client device and copy the EICAR test "virus" to that client device. Now re-enable real-time protection of the file system.
  2. Run a scan task for client devices in an administration group or for specific devices, including one with the EICAR "virus".

    If the scan task is configured correctly, the test "virus" will be detected. If notifications are configured correctly, you are notified that a virus has been detected.

    In the workspace of the Administration Server node, on the Events tab, the Recent events selection displays a record of detection of a "virus".

The EICAR test "virus" contains no code that can do harm to your device. However, most manufacturers' security applications identify this file as a virus. You can download the test "virus" from the official EICAR website.


Event notifications displayed by running an executable file

Kaspersky Security Center can notify the administrator about events on client devices by running an executable file. The executable file must launch another executable file, passing it the placeholders of the event to be relayed to the administrator.

Placeholders for describing an event

Placeholder                         Placeholder description
%SEVERITY%                          Event importance level
%COMPUTER%                          Name of the device where the event occurred
%DOMAIN%                            Domain
%EVENT%                             Event
%DESCR%                             Event description
%RISE_TIME%                         Time created
%KLCSAK_EVENT_TASK_DISPLAY_NAME%    Task name
%KL_PRODUCT%                        Kaspersky Security Center Network Agent
%KL_VERSION%                        Network Agent version number
%HOST_IP%                           IP address
%HOST_CONN_IP%                      Connection IP address

Example:

Event notifications are sent by an executable file (such as script1.bat) inside which another executable file (such as script2.bat) with the %COMPUTER% placeholder is launched. When an event occurs, the script1.bat file is run on the administrator's device, which, in turn, runs the script2.bat file with the %COMPUTER% placeholder. The administrator then receives the name of the device where the event occurred.
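
A handler that could take the place of script2.bat, as an added example (not Kaspersky code): it treats the placeholder values as untrusted input from client devices, strips control characters, validates the IP address and emits one JSON line per event. It assumes that the wrapper script passes the values as command-line arguments in the order shown in FIELDS; the script layout, the 512-character cap and all function names are assumptions of this example.

```python
import ipaddress
import json
import sys
import unicodedata

# Placeholder names from the table above, in the order the wrapper script is
# assumed to pass their values as command-line arguments.
FIELDS = ("SEVERITY", "COMPUTER", "DOMAIN", "EVENT", "DESCR", "RISE_TIME", "HOST_IP")
MAX_LEN = 512  # assumed per-field cap


def clean(value, limit=MAX_LEN):
    """Drop control and format characters so a value cannot forge log lines."""
    kept = "".join(ch for ch in value if unicodedata.category(ch)[0] != "C")
    return kept.strip()[:limit]


def build_record(argv):
    """Map positional arguments to placeholder names and validate them."""
    if len(argv) != len(FIELDS):
        raise ValueError("expected %d arguments, got %d" % (len(FIELDS), len(argv)))
    record = {name: clean(raw) for name, raw in zip(FIELDS, argv)}
    try:
        record["HOST_IP"] = str(ipaddress.ip_address(record["HOST_IP"]))
    except ValueError:
        # Keep the rejected value under a separate key for later review.
        record["HOST_IP_INVALID"] = record.pop("HOST_IP")
    return record


def to_log_line(argv):
    """One JSON object per event; json.dumps escapes quotes and backslashes."""
    return json.dumps(build_record(argv), sort_keys=True, ensure_ascii=True)


# Constructed sample values, not output from a real Administration Server.
SAMPLE = ["Critical", "WS-0042", "CORP", "Malicious object detected",
          "eicar.com\n2024-01-01 fake entry", "2024-05-01 10:15:00", "192.0.2.15"]

if __name__ == "__main__":
    print(to_log_line(sys.argv[1:] or SAMPLE))
```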
