Kaspersky Standard | Plus | Premium

Viewing events and reports

While the application is running, various events occur. An event may be purely informational or may carry data that requires action. For example, the application uses events to report a successful update of the application databases, or to report an error in the operation of an application component that must be resolved.

The Kaspersky application allows recording information about application events to the following logs:

  • The application event log.

    By default, the application saves information about events to the /var/opt/kaspersky/kfl/private/storage/events.db database. You can configure the application event log on the command line.

  • Operating system log (syslog).

    The operating system log is not used by default. You can enable saving events to this log.

You need root privileges to gain access to the application event log.

You can receive information about application events in the following ways:

  • In the command line
  • In the application interface: pop-up notifications contain an Open reports link that opens the reports of application components and the results of scan tasks.

Some events contain file paths. For output, a file path is treated as a UTF-8 string. Any byte that does not comply with the UTF-8 encoding rules is replaced with the ? character. Any four-byte sequence that encodes a character code outside the Unicode range (greater than 0x10FFFF) is also replaced with the ? character. Special characters are escaped (replaced) according to the rules below, which differ between plain-text output, JSON output, and syslog.

The following rules apply when escaping characters in file paths inside events in the output of the kfl-control -E --query command:

  • The '\a', '\b', '\t', '\n', '\v', '\f', '\r' control characters are each replaced by a two-character sequence as follows:

    '\a' -> "\\a"

    '\b' -> "\\b"

    '\t' -> "\\t"

    '\n' -> "\\n"

    '\v' -> "\\v"

    '\f' -> "\\f"

    '\r' -> "\\r"

  • All other characters, including the backslash itself, are output without modification.

The following rules apply for escaping characters in file paths inside events in the output of the kfl-control -E --query --json command:

  • In accordance with the JSON format, the '\b', '\f', '\n', '\r', '\t', '"', '\\' characters are escaped as follows:

    '\b' -> "\\b"

    '\f' -> "\\f"

    '\n' -> "\\n"

    '\r' -> "\\r"

    '\t' -> "\\t"

    '"' -> "\\\""

    '\\' -> "\\\\"

  • All other special characters are escaped in accordance with the general JSON rules for escaping special characters ('\a' -> '\u0007').

Rules for escaping characters in file paths in events when sending to syslog:

  • In accordance with the JSON format, the '\b', '\f', '\n', '\r', '\t', '"', '\\' characters are escaped as follows:

    '\b' -> "\\b"

    '\f' -> "\\f"

    '\n' -> "\\n"

    '\r' -> "\\r"

    '\t' -> "\\t"

    '"' -> "\\\""

    '\\' -> "\\\\"

  • All other special characters are escaped in accordance with the general JSON rules for escaping special characters ('\a' -> '\u0007').

In the rules above, the first backslash of each output sequence is the escape character.

Examples:

'\a' is one character (a control character).

'\\a' is two characters (backslash + the a character).

'\\' is one character (backslash).

'\\\\' is two characters (backslash + backslash).
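The following added example (not Kaspersky code) implements the three output rules above so that a collector reading kfl-control events can reproduce, and in JSON mode reverse, the path formatting. Two points are assumptions made here because the text leaves them open: a byte that violates UTF-8 becomes one ? per byte, while a well-formed four-byte sequence above U+10FFFF becomes a single ?. Sample paths are constructed.

```python
"""Escaping of file paths in kfl-control event output, as documented above.

Added example, not part of the Kaspersky application. Assumptions: each invalid
UTF-8 byte yields one '?'; a well-formed four-byte sequence above U+10FFFF
yields a single '?' for all four bytes.
"""
import json

# Plain-text output (kfl-control -E --query): only these seven control characters
# are escaped. Everything else, including the backslash itself, is output as-is.
_PLAIN_ESCAPES = {
    "\a": "\\a", "\b": "\\b", "\t": "\\t", "\n": "\\n",
    "\v": "\\v", "\f": "\\f", "\r": "\\r",
}

# JSON output (--json) and syslog: the short JSON escapes. Any other control
# character falls through to the \uXXXX form in escape_json().
_JSON_ESCAPES = {
    "\b": "\\b", "\f": "\\f", "\n": "\\n", "\r": "\\r",
    "\t": "\\t", '"': '\\"', "\\": "\\\\",
}


def decode_path(raw: bytes) -> str:
    """Decode a raw path as UTF-8, substituting '?' as the text describes.

    str.decode(errors="replace") would emit U+FFFD instead of '?', and would
    not collapse an out-of-range four-byte sequence into one character, so the
    decoder is written out explicitly.
    """
    out = []
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:                                  # ASCII
            out.append(chr(b)); i += 1
            continue
        if 0xC2 <= b <= 0xDF:
            length, cp_min = 2, 0x80
        elif 0xE0 <= b <= 0xEF:
            length, cp_min = 3, 0x800
        elif 0xF0 <= b <= 0xF7:
            length, cp_min = 4, 0x10000
        else:                                         # 0x80-0xC1, 0xF8-0xFF never start a sequence
            out.append("?"); i += 1
            continue
        tail = raw[i + 1:i + length]
        if len(tail) != length - 1 or any(not 0x80 <= t <= 0xBF for t in tail):
            out.append("?"); i += 1                   # bad lead byte: one '?', rescan from the next byte
            continue
        cp = b & (0x7F >> length)
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if length == 4 and cp > 0x10FFFF:             # outside Unicode: one '?' for the whole sequence
            out.append("?"); i += length
            continue
        if cp < cp_min or 0xD800 <= cp <= 0xDFFF:     # overlong or surrogate: invalid UTF-8
            out.append("?"); i += 1
            continue
        out.append(chr(cp)); i += length
    return "".join(out)


def escape_plain(path: str) -> str:
    """Plain-text rule: escape the seven control characters, nothing else."""
    return "".join(_PLAIN_ESCAPES.get(c, c) for c in path)


def escape_json(path: str) -> str:
    """JSON/syslog rule: short escapes, other control characters as \\uXXXX (e.g. '\\a' -> \\u0007)."""
    out = []
    for c in path:
        if c in _JSON_ESCAPES:
            out.append(_JSON_ESCAPES[c])
        elif ord(c) < 0x20:
            out.append(f"\\u{ord(c):04x}")
        else:
            out.append(c)
    return "".join(out)


def unescape_json(escaped: str) -> str:
    """The JSON form is standard JSON string syntax, so the stdlib can reverse it."""
    return json.loads(f'"{escaped}"')


def format_event_path(raw: bytes, json_mode: bool) -> str:
    """Full pipeline: raw path bytes -> text with '?' substitutions -> escaped output."""
    path = decode_path(raw)
    return escape_json(path) if json_mode else escape_plain(path)
```

Because plain-text mode leaves the backslash untouched, a path containing a real tab and a path containing the two characters backslash and t produce the same plain output (`a\tb` in both cases), so plain output cannot be decoded back unambiguously. Collectors that need the exact path should read `--json` output (or syslog), where the backslash is escaped and `unescape_json` recovers the original string.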

The application can generate various types of reports on the events that occur while the application is running. Reports contain information about the performance of each Kaspersky component, the results of each task, and the overall operation of the application.

You can view reports in the Kaspersky application interface.

Events and reports may contain the following personal data:

  • User name and user ID of operating system users
  • Paths to user files
  • Web addresses of the update sources
  • Detected malicious, phishing, adware web addresses, and web addresses containing legitimate applications that intruders can use to compromise devices or data
  • Names and IDs of the devices
  • Web addresses of the repositories
  • File names, paths to files, and hash-sums of executable application files
  • Application category names

In addition, events and reports may contain:

In this Help section

How to configure logging of events in the operating system log

How to configure application event logging

How to view events on the command line

How to view reports and events in the application interface

[Topic 287666]

How to configure logging of events in the operating system log

By default, events that occur during the operation of the Kaspersky application are not recorded in the operating system log (syslog). You can enable or disable recording to this log with the UseSyslog option in the general application settings.

You can edit the option on the command line via command line switches or via a configuration file that contains all general application settings.

UseSyslog accepts the following values:

  • Yes: enable saving events to syslog.
  • No (default): disable saving events to syslog.


[Topic 291593]

How to configure application event logging

By default, information about events is saved to the application event log located on the device. You can define the following application event log options in the command line via the general application settings:

  • Change the path to the application event log database via the EventsStoragePath option. Default value: /var/opt/kaspersky/kfl/private/storage/events.db.
  • Specify the maximum number of events to be stored by the application via the MaxEventsNumber option. Default value: 500000. When the specified number of events is exceeded, the application deletes the oldest events.

You can change the values of the settings with the help of command line switches or a configuration file that contains all general application settings.

[Topic 290543]

How to view events on the command line

In the command line, you can view:

  • Current application events
  • Events in the application event log

Displaying current events

You can output information about all current application events or about current events associated with starting or stopping a specified task. You can use the filter to output certain current events, for example, events of a specified type.

To output information about all current application events, run:

kfl-control -W

The command returns the name of the event and additional information about the event.

To output only information about current events associated with a running task, run:

kfl-control --start-task <task ID/name> -W

Example:

Enable display of the current events of the running task with ID=1:

kfl-control --start-task 1 -W

To output information about current events that match the filter conditions, run:

kfl-control -W --query "<filter conditions>"

Filter conditions are one or more logical expressions in the format <field> <comparison operator> '<value>', combined with the logical operator and.

Example:

Display TaskStateChanged events:

kfl-control -W --query "EventType == 'TaskStateChanged'"

Display TaskSettingsChanged events initiated by the 'User' user:

kfl-control -W --query "EventType == 'TaskSettingsChanged' and Initiator == 'User'"

Displaying events from the event log

You can output information about events from the application event log to the console or a file. You can use a filter to display only certain events.

To output information about all events in the application event log, run:

kfl-control -E --query [--db <database file>]

where:

  • <database file> is the full path to the event log database file to read events from. By default, this is /var/opt/kaspersky/kfl/private/storage/events.db; the location is set by the EventsStoragePath general application setting.

You can use less to navigate the list of displayed events. By default, the application stores up to 500,000 events. The maximum number of events that the application stores is determined by the MaxEventsNumber general application setting.

If the event log is located in the default database, you can output information about all events using the command:

kfl-control -E

To output information about events in the application event log that meet certain criteria, run:

kfl-control -E --query "<filter conditions>" [--db <database file>] [-n <number>] [--json] [--reverse]

where:

  • <filter conditions>: one or more logical expressions in the format <field> <comparison operator> '<value>', combined with the logical operator and to limit the results.
  • <number>: number of the latest events in the selection (records counted from the end of the selection) to display.
  • --json: output events in JSON format.
  • --reverse: display events in reverse order (newest event at the top, oldest at the bottom).

To output information about events in the application event log that meet certain criteria to a file, run:

kfl-control -E --query "<filter conditions>" [--db <database file>] [-n <number>] --file <file path> [--json]

where --file <file path> is the full path to the file to output events to.
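The following added example (not Kaspersky code) wraps the event-log commands documented in this section for use from a collection script: it assembles the `--query` filter from field/value pairs and passes the finished argv to `kfl-control` without a shell, so the single quotes inside the filter survive intact. It assumes only the `==` operator shown above, rejects values containing a single quote because the page does not say how one would be escaped, and parses the `--json` output leniently because its exact shape is not documented here. `kfl-control` must be run as root; the field names `EventType` and `Initiator` are the ones shown in the examples above.

```python
"""Build and run kfl-control event-log queries from Python.

Added example, not part of the Kaspersky application. Assumptions: only the ==
operator is used; values may not contain a single quote; --json output is
either one JSON document or one JSON object per line.
"""
import json
import re
import subprocess
from typing import Dict, List, Optional

_FIELD = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def valid_field(name: str) -> bool:
    """Field names such as EventType or Initiator: identifier characters only."""
    return bool(_FIELD.match(name))


def valid_value(value: str) -> bool:
    """Reject values that would break out of the '<value>' quoting."""
    return "'" not in value and "\n" not in value and "\r" not in value


def build_query(conditions: Dict[str, str]) -> str:
    """Return "<field> == '<value>' and <field> == '<value>' ..." for --query."""
    if not conditions:
        raise ValueError("at least one condition is required")
    parts = []
    for field, value in conditions.items():
        if not valid_field(field):
            raise ValueError(f"bad field name: {field!r}")
        if not valid_value(value):
            raise ValueError(f"unsafe value for {field}: {value!r}")
        parts.append(f"{field} == '{value}'")
    return " and ".join(parts)


def event_log_command(query: str, db: Optional[str] = None, last: Optional[int] = None,
                      out_file: Optional[str] = None, as_json: bool = True,
                      reverse: bool = False) -> List[str]:
    """argv for: kfl-control -E --query "<filter>" [--db <db>] [-n <number>]
    [--file <path>] [--json] [--reverse], exactly the switches documented above."""
    cmd = ["kfl-control", "-E", "--query", query]
    if db is not None:
        cmd += ["--db", db]
    if last is not None:
        if last < 1:
            raise ValueError("-n expects a positive number of events")
        cmd += ["-n", str(last)]
    if out_file is not None:
        cmd += ["--file", out_file]
    if as_json:
        cmd.append("--json")
    if reverse:
        cmd.append("--reverse")
    return cmd


def parse_json_output(text: str) -> list:
    """Accept one JSON document or one JSON object per line (assumption about --json)."""
    text = text.strip()
    if not text:
        return []
    try:
        data = json.loads(text)
        return data if isinstance(data, list) else [data]
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]


def fetch_events(conditions: Dict[str, str], **options) -> list:
    """Run the query as an argv list (no shell) and return the parsed events. Requires root."""
    cmd = event_log_command(build_query(conditions), **options)
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return parse_json_output(proc.stdout)


if __name__ == "__main__":
    # Newest 20 TaskSettingsChanged events initiated by the user named User.
    wanted = {"EventType": "TaskSettingsChanged", "Initiator": "User"}
    print(build_query(wanted))
    for event in fetch_events(wanted, last=20, reverse=True):
        print(event)
```

Passing the argv list to `subprocess.run` rather than a single command string avoids the double quoting that the filter otherwise needs in a shell (`"EventType == 'TaskStateChanged'"`), which is where hand-written wrapper scripts usually break.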

[Topic 290544]

How to view reports and events in the application interface

The application interface lets you view the reports. Reports contain information about the operation of application components and tasks.

Report data is presented as a table that contains a list of events. Each line in the table contains information about a separate event. Event attributes are displayed in the table columns. Events logged while various components and tasks are running have different sets of attributes.

The following event importance levels are used in reports:

  • Critical – events with the critical importance level that need your attention as they indicate problems in the application operation or vulnerabilities in the device protection
  • High
  • Medium
  • Low
  • Information
  • Error

Reports are displayed in the window that opens when clicking Reports in the lower part of the main application window.

You can also navigate to reports of application components and scan task results by clicking the Open reports link in pop-up notifications about the progress of scan tasks and detected threats.

The following reports are available in the application:

  • Statistics. This report contains File Threat Protection and scan task statistics. You can update the displayed report by clicking the Reload button.
  • System audit. This report contains information about events that occur during the application operation and during the user interaction with the application.
  • Threat protection. This report contains information about the events that are logged while the following application components were running:
    • Web Threat Protection.
    • Removable Drives Scan.
    • Behavior Detection.
    • File Threat Protection.
  • On-demand tasks. This report contains information about events logged by scan tasks and update tasks.

To view the report:

  1. Open the main application window.
  2. In the lower part of the main application window, click the Reports button.

    The Reports window will open.

  3. In the left part of the Reports window, select the required report type.

    A report containing a list of events is displayed in the right part of the window.

    By default, events are sorted in ascending order by the values in the Date column.

  4. To view detailed information about an event, select the event in the report.

    The section that contains the attributes of this event is displayed at the bottom of the window.

For convenient processing of reports, you can modify the presentation of data on the screen in the following ways:

  • Filter the list of events by occurrence time.
  • Use the search function to find a specific event.
  • View the selected event in a separate section.
[Topic 289949]