Kaspersky Security Logs - 2025

Overview

Kaspersky Security Center Cloud Console (KSCCC) is a cloud-based platform that enables centralized management for securing and monitoring devices across an organization. It offers a comprehensive set of tools for administrators to deploy, configure, and oversee endpoint protection across diverse environments. A key feature of KSCCC is its robust logging system, which captures detailed information on security events, administrative actions, and system activities. These logs are essential for:

• Maintaining operational visibility

• Detecting and responding to threats

• Supporting regulatory and internal compliance efforts

• Troubleshooting technical and security-related issues

With real-time event tracking and seamless integration with external tools such as Hunters SIEM system, KSCCC enhances an organization’s cybersecurity posture by enabling proactive monitoring and rapid incident response.

After receiving the KSCCC alerts in the expected format, Hunters will ingest KSCCC events.
Hunters will then detect suspicious behaviors based on security-relevant events only, excluding general and administrative events from all KSCCC events.
After that, Hunters will run on these events further automatic investigations (such as process and domain analysis) and correlations with other products' detected behaviors.

Send data to Hunters

Logs should be routed to an AWS S3 bucket.

To connect Kaspersky Security Logs:

Expected format

The expected alert format is the Syslog format you can choose to use in Kaspersky Administration Server GUI. However, raw KSCCC events do not contain the hostname and the event time by default in some cases. It is expected to add them using KSCCC advanced features or shipping tool features such as FluentD (by the customer).

If more information is needed about Kaspersky's logs formats, please use Kaspersky's support page.

Logs should contain the relevant host name, the event timestamp and the raw alert itself.

Sample Data

Kaspersky Security On-Prem Logs (text)

1234|1.0.0.0 - KLSRV_EVENT_HOSTS_NEW_DETECTED [event@23668 p1="ABC123" p2="FH-HOLDING" et="KLSRV_EVENT_HOSTS_NEW_DETECTED" etdn="New device has been detected." hdn="KAS01" hip="123.0.0.0" gn="Managed devices" kscfqdn="abcs01.fh-holding.local"] New device "AB123" has been detected (Windows domain "FH-HOLDING")

Kaspersky Security Cloud Logs (text)

1234|1.0.0.0 - KLAUD_EV_SERVERCONNECT [event@23668 p2="0.0.0.0" p3="TENANT_01\\USR_001" p5="0.0.0.0" p9="::1" et="KLAUD_EV_SERVERCONNECT" etdn="Audit (connection to the Administration Server)" hdn="SERVER_ADMIN" hip="IP_xxx" gn="GROUP_A" kscfqdn="DOM_A.local"] User "TENANT_01\USR_001" has connected to the Administration Server from "0.0.0.0".
kesl|11.1.0.0 - TaskStateChanged [event@12345 et="TaskStateChanged" tdn="Behavior_Detection" etdn="Task state changed" hdn="HOST_17" hip="IP_xxx" gn="GROUP_B" kscfqdn="TENANT_02.example"] Initiator: Product; Runtime task ID: 123; Task state: Stopping; Task type: BehaviorDetection;
KES|01.0.0.0 - 00000123 [event@1234 et="00000123" tdn="Protection" etdn="Participation in KSN enabled" hdn="HOST_05" hip="IP_xxx" gn="GROUP_C" kscfqdn="TENANT_03.example"] Event type: Participation in KSN enabled Name: abc.exe Application path: C:\Program Files (x86)\Kaspersky Lab\KES\... Process ID: 1234 User: SYS_ACC Component: Protection
kesl|02.1.0.0 - TaskStateChanged [event@23668 et="TaskStateChanged" tdn="Update KESL01.1" etdn="Task state changed" hdn="HOST_22" hip="IP_xxx" gn="GROUP_B" kscfqdn="DOM_B.local"] Initiator: SecurityCenter; Runtime task ID: 123; Task state: Starting; Task type: Update; SourceType=KLServers; UseKLServersWhenUnavailable=Yes; ConnectionTimeout=30; ApplicationUpdateMode=DownloadOnly