
Overview

About This Club

This is a Community for Kaspersky Security Center
  1. What's new in this club
  2. For any type of issue with tasks managed by KSC, we require an export of the task execution history as a .txt file. Task execution history is the sequence of events generated by the client computer during task execution.

     Step-by-step guide

     To export task execution history, follow these steps:

     1. Open the task results window.
     2. In the upper part of the task results window, select the problem computer.
     3. Right-click any event in the lower part of the task results window, where the task execution history for the selected host is displayed.
     4. In the context menu, choose the Export… option. The Events export Wizard will start.
     5. Click the "Browse" button, then select the file destination and file name. Save events to a .txt file.
     6. Make sure the option Export selected events only is NOT enabled.
     7. Click the "Next" button.
     8. Select the option "Export as tab-delimited Unicode text".
     9. Click the "Next" button and complete the wizard.
  3. This article is about Kaspersky Security Center for Windows (KSC for Windows).

     Step-by-step guide

     Make sure that the System Management license is installed; otherwise KSC events won't be exported to SIEM. For more information, please refer to "SIEM integration: the most frequent error".

     1. Specify the Splunk Server address and port.
     2. Log in to the Splunk Management console.
     3. Press Settings → Configure data inputs.
     4. In the opened Add Data window:
        - select TCP;
        - specify the Port you are planning to use and a Source (KSC server address or DNS name).
     5. Configure Source type: choose Select and pick syslog from the drop-down menu.
     6. Configure Host: set IP for Method.
     7. Check the settings on the result screen.
     8. Open the Splunk home page and press Search & Reporting.
     9. Make sure that KSC events were indexed by Splunk correctly, as expected.

     You are now able to see raw KSC events.
  4. Problem

     You set up integration with SIEM, but no events arrive on the SIEM side. In some cases there is no incoming traffic to SIEM from the KSC server.

     Solution

     In the vast majority of cases the root cause can be located in the KSC server trace.

     Trace example #1

       25.01.2017 09:56:56.855 00001320.0000015C L1 KLSPLG: There is no key for SystemManagement.

     Trace example #2

       24.10.2017 13:27:06.071 00001C78.00001464 L1 KLERR: #1, Error was caught in KLSPLG::EventsSupplierToSiem::Build, .\splg\events_supplier_to_siem.cpp@224. Error params: (1571/0x0 ("Functionality in limited mode. Area: System Management."), "KLSRV", .\license_policy\license_policy_utils.cpp@151) Error loc: 'This operation requires a license for the feature Systems Management.'.

     If you find such a line, make sure that the Systems management license is installed on KSC.

     If the issue reproduces with the SM license installed, do the following:

     1. Enable admin server tracing.
     2. Click the 'Export archive' button.
     3. Wait 15 minutes.
     4. Provide Customer Support (https://companyaccount.kaspersky.com/) with the traces, the GSI file (https://support.kaspersky.com/common/diagnostics/3632 - do not forget to switch on the event logs collection), and a detailed problem description.
  5. The KSC installer generates default passwords for the service accounts (automatically created to run the KSC service), KIPxeUser and KIScSvc. These passwords are 16 characters long. Characters are chosen randomly so that the password contains 3 out of 4 of the following groups of characters:

     • Lowercase characters (a – z)
     • Uppercase characters (A – Z)
     • Numbers (0-9)
     • Symbols (~ ! @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ))

     Also, the password cannot contain a dot character '.' immediately preceding the '@' symbol.
  6. In some cases klakaut traces should be collected for diagnostics.

     Step-by-step guide

     To do so:

     1. Import the klakaut-on_x*.reg file.
     2. Restart the klakaut service:

          net stop klakaut
          net start klakaut

     3. Enable another trace if required.
     4. Reproduce the issue.
     5. Import the klakaut-off_x*.reg file.

     The trace file $klakaut-klakaut.log will be placed in C:\Windows\Temp.

     Make sure to use the correct reg file for the OS architecture, x86 or x64.
  7. To troubleshoot SNMP functionality in KSC, specific traces should be collected.

     Step-by-step guide

     To collect traces:

     1. Download the archive.
     2. Use trace-5-snmpagt.reg to start the trace.
     3. Reproduce the issue.
     4. Use trace-off-snmpagt.reg to stop the trace.
     5. Archive the files and send them to Kaspersky Support.
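
For the SIEM troubleshooting article above (no events arriving from KSC), the following is an added example, not Kaspersky's code, that scans KSC server trace lines for the licensing messages shown in the two trace examples. The line layout in the regular expression is an assumption inferred from those two excerpts, and the function name and the third sample line are constructed for illustration.

```python
import re

# Layout inferred from the two trace excerpts quoted on this page (an assumption,
# not a documented format): "DD.MM.YYYY HH:MM:SS.mmm PID.TID Ln MODULE: message"
TRACE_LINE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<tid>[0-9A-Fa-f]{8}) "
    r"L(?P<level>\d) (?P<module>\w+): (?P<msg>.*)$"
)

# Message fragments taken verbatim from the page's trace examples.
LICENSE_MARKERS = (
    "There is no key for SystemManagement",
    "Functionality in limited mode. Area: System Management.",
    "requires a license for the feature Systems Management",
)

def find_license_blocks(lines):
    """Return one record per trace line showing that licensing blocks SIEM export."""
    hits = []
    for lineno, raw in enumerate(lines, 1):
        m = TRACE_LINE.match(raw.strip())
        if not m:
            continue  # continuation lines and other formats are skipped
        marker = next((k for k in LICENSE_MARKERS if k in m["msg"]), None)
        if marker:
            hits.append({"line": lineno, "ts": m["ts"], "module": m["module"],
                         "marker": marker,
                         "siem": "EventsSupplierToSiem" in m["msg"]})
    return hits

# Sample input: lines 1-2 reproduce the page's examples (the second is shortened);
# line 3 is constructed.
SAMPLE = [
    "25.01.2017 09:56:56.855 00001320.0000015C L1 KLSPLG: There is no key for SystemManagement.",
    "24.10.2017 13:27:06.071 00001C78.00001464 L1 KLERR: #1, Error was caught in "
    "KLSPLG::EventsSupplierToSiem::Build, .\\splg\\events_supplier_to_siem.cpp@224. "
    "Error params: (1571/0x0 (\"Functionality in limited mode. Area: System Management.\"), "
    "\"KLSRV\", .\\license_policy\\license_policy_utils.cpp@151)",
    "24.10.2017 13:27:07.000 00001C78.00001464 L4 KLSRV: constructed unrelated line",
]

if __name__ == "__main__":
    for hit in find_license_blocks(SAMPLE):
        print(f"line {hit['line']} {hit['ts']} {hit['module']}: {hit['marker']} "
              f"(SIEM export path: {hit['siem']})")
```

A hit means the license should be checked first; no hit with the SM license installed corresponds to the article's second branch (collect traces and contact support).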