Kaspersky Security Logs - 2025


Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

| Supported data types | 3rd party detection / Hunters detection / IOC search / Search | Table name | Log format | Collection method |
|---|---|---|---|---|
| Kaspersky Security On-Prem Logs | ✅ ✅ ✅ | kaspersky_security_on_prem_logs | text | S3 |
| Kaspersky Security Cloud Logs | ✅ ✅ ✅ | kaspersky_security_cloud_logs | text | S3 |

Overview

Kaspersky Security Center Cloud Console (KSCCC) is a cloud-based platform that enables centralized management for securing and monitoring devices across an organization. It offers a comprehensive set of tools for administrators to deploy, configure, and oversee endpoint protection across diverse environments. A key feature of KSCCC is its robust logging system, which captures detailed information on security events, administrative actions, and system activities. These logs are essential for:

  • Maintaining operational visibility

  • Detecting and responding to threats

  • Supporting regulatory and internal compliance efforts

  • Troubleshooting technical and security-related issues

With real-time event tracking and seamless integration with external tools such as the Hunters SIEM, KSCCC strengthens an organization's cybersecurity posture by enabling proactive monitoring and rapid incident response.

Once the KSCCC alerts arrive in the expected format, Hunters ingests the KSCCC events.
Hunters then detects suspicious behaviors based only on security-relevant events, excluding general and administrative events from the full KSCCC event stream.
Hunters then runs further automatic investigations on these events (such as process and domain analysis) and correlates them with behaviors detected by other products.

Send data to Hunters

Logs should be routed to an AWS S3 bucket.

Once the export is completed and the logs are collected to S3, follow the steps in this section.

To connect Kaspersky Security Logs:

Connect Kaspersky Security Logs

Hunters supports the connection of Kaspersky logs (On-Prem, Cloud) using AWS S3 as an intermediary storage.

📘 Learn more

Before you dive into the process below, take a look at these general AWS S3 guidelines and combine the two procedures.

Expected format

The expected alert format is the Syslog format that can be selected in the Kaspersky Administration Server GUI. However, in some cases raw KSCCC events do not contain the hostname and the event time by default. The customer is expected to add them, either with KSCCC advanced features or with a log-shipping tool such as FluentD.

If more information is needed about Kaspersky's log formats, please refer to Kaspersky's support page.

Logs should contain the relevant host name, the event timestamp and the raw alert itself.

Sample Data

Kaspersky Security On-Prem Logs (text)

1234|1.0.0.0 - KLSRV_EVENT_HOSTS_NEW_DETECTED [event@23668 p1="ABC123" p2="FH-HOLDING" et="KLSRV_EVENT_HOSTS_NEW_DETECTED" etdn="New device has been detected." hdn="KAS01" hip="123.0.0.0" gn="Managed devices" kscfqdn="abcs01.fh-holding.local"] New device "AB123" has been detected (Windows domain "FH-HOLDING")

Kaspersky Security Cloud Logs (text)

1234|1.0.0.0 - KLAUD_EV_SERVERCONNECT [event@23668 p2="0.0.0.0" p3="TENANT_01\\USR_001" p5="0.0.0.0" p9="::1" et="KLAUD_EV_SERVERCONNECT" etdn="Audit (connection to the Administration Server)" hdn="SERVER_ADMIN" hip="IP_xxx" gn="GROUP_A" kscfqdn="DOM_A.local"] User "TENANT_01\USR_001" has connected to the Administration Server from "0.0.0.0".
kesl|11.1.0.0 - TaskStateChanged [event@12345 et="TaskStateChanged" tdn="Behavior_Detection" etdn="Task state changed" hdn="HOST_17" hip="IP_xxx" gn="GROUP_B" kscfqdn="TENANT_02.example"] Initiator: Product; Runtime task ID: 123; Task state: Stopping; Task type: BehaviorDetection;
KES|01.0.0.0 - 00000123 [event@1234 et="00000123" tdn="Protection" etdn="Participation in KSN enabled" hdn="HOST_05" hip="IP_xxx" gn="GROUP_C" kscfqdn="TENANT_03.example"] Event type: Participation in KSN enabled Name: abc.exe Application path: C:\Program Files (x86)\Kaspersky Lab\KES\... Process ID: 1234 User: SYS_ACC Component: Protection
kesl|02.1.0.0 - TaskStateChanged [event@23668 et="TaskStateChanged" tdn="Update KESL01.1" etdn="Task state changed" hdn="HOST_22" hip="IP_xxx" gn="GROUP_B" kscfqdn="DOM_B.local"] Initiator: SecurityCenter; Runtime task ID: 123; Task state: Starting; Task type: Update; SourceType=KLServers; UseKLServersWhenUnavailable=Yes; ConnectionTimeout=30; ApplicationUpdateMode=DownloadOnly
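As an added example (not code from this page, from Hunters or from Kaspersky), the following Python parser splits event lines like the samples above into the product/version header, the structured-data parameters (unescaping values such as p3) and the free-text message, and reports which of the fields this page requires (host name and event timestamp) are missing. It assumes the log shipper prepends an ISO-8601 timestamp; the sample lines are constructed from the page's samples.

```python
import re
from typing import Any, Dict, List, Optional

# Optional ISO-8601 timestamp prefix. Assumption: the log shipper (e.g. FluentD)
# prepends it, since raw KSCCC events may lack the event time.
TS_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?)\s+')

# <product>|<version> - <event> [<sd-id> key="value" ...] <free-text message>
# Values use RFC 5424 structured-data escaping (a backslash before \, " and ]).
EVENT_RE = re.compile(
    r'^(?P<product>[^|]+)\|(?P<version>\S+) - (?P<event>\S+) '
    r'\[(?P<sd_id>[^\s\]]+)(?P<params>(?:\s+\w+="(?:[^"\\]|\\.)*")*)\]'
    r'\s?(?P<message>.*)$'
)
PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample lines modelled on the page's samples; the second carries a
# shipper-added timestamp, the first does not.
SAMPLE_LINES = [
    r'1234|1.0.0.0 - KLSRV_EVENT_HOSTS_NEW_DETECTED [event@23668 p1="ABC123" p2="FH-HOLDING" et="KLSRV_EVENT_HOSTS_NEW_DETECTED" etdn="New device has been detected." hdn="KAS01" hip="123.0.0.0" gn="Managed devices" kscfqdn="abcs01.fh-holding.local"] New device "AB123" has been detected (Windows domain "FH-HOLDING")',
    r'2025-01-15T10:22:33Z 1234|1.0.0.0 - KLAUD_EV_SERVERCONNECT [event@23668 p2="0.0.0.0" p3="TENANT_01\\USR_001" p5="0.0.0.0" p9="::1" et="KLAUD_EV_SERVERCONNECT" etdn="Audit (connection to the Administration Server)" hdn="SERVER_ADMIN" hip="IP_xxx" gn="GROUP_A" kscfqdn="DOM_A.local"] User "TENANT_01\USR_001" has connected to the Administration Server from "0.0.0.0".',
]


def _unescape(value: str) -> str:
    return re.sub(r'\\(.)', r'\1', value)  # drop the escaping backslash


def parse_event(line: str) -> Optional[Dict[str, Any]]:
    """Split one event line into its header, structured-data params and message."""
    timestamp = None
    ts = TS_RE.match(line)
    if ts:
        timestamp, line = ts.group('ts'), line[ts.end():]
    m = EVENT_RE.match(line)
    if not m:
        return None  # not in the expected Syslog-style format
    params = {k: _unescape(v) for k, v in PARAM_RE.findall(m.group('params'))}
    return {'timestamp': timestamp, 'product': m['product'], 'version': m['version'],
            'event': m['event'], 'sd_id': m['sd_id'], 'params': params,
            'message': m['message']}


def missing_required_fields(event: Dict[str, Any]) -> List[str]:
    """Names of the fields the page requires (host name, timestamp) that are absent."""
    checks = {'hostname': event['params'].get('hdn'), 'timestamp': event['timestamp']}
    return [name for name, value in checks.items() if not value]
```

Lines for which missing_required_fields returns a non-empty list should be enriched by the shipper before they are written to the S3 bucket.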