How To: Centralize All LANDESK Antivirus Activity Logs

Version 16

    Verified Product Versions

    LANDESK Management Suite 2016.x



    At times it is useful to see, in one place on the core server, the details of each computer's LANDESK Antivirus activity (e.g. threats detected on the web, files that could not be disinfected), which lets you monitor the events remotely without connecting to each machine.


    There are two methods:

    Method 1: Using the LDMS Console "Alerts" tool (see screenshot below)

      This is only a partial answer, because it will not give you all the activity details available in the LANDESK Antivirus tool. A separate article explains how to configure Alerts on an LDMS 9.6 Console.

     

    [Screenshot: Alert.png]


    Method 2: Using the LANDESK Antivirus Advanced Settings together with Windows Event Viewer Subscriptions

      This is the most complete way to gather, on one server or one workstation, the LANDESK Antivirus logs for all Antivirus events occurring on every managed computer.


      This is done in three phases:

    1. Modify the LANDESK Antivirus advanced settings so that the events of your choice are written to the local Event Viewer log
    2. Import the advanced settings into the LANDESK Antivirus agent setting on the LDMS Console
    3. Configure Event Viewer on both the "Collector" server and the "Source" computers for the Subscription

     

    Step by Step for Method 2

     

    Step 1: Modify the advanced settings in the LANDESK Antivirus user interface on one client

    • Go to a client on which LANDESK Antivirus is deployed
    • Open the LANDESK Antivirus UI and click the Settings tab
        • Note: make sure the agent settings allow the user to access the Settings tab (see the Agent Settings screenshot below, where "Allow user to change settings" must be checked)

        [Screenshot: Screen.png]

    • Click the Advanced Settings tab, then the Interface tab, and click the Settings button (see screenshot below)

        [Screenshot: Screen 2.png]

    • In the left pane you have access to all the LANDESK Antivirus services configured in the agent settings (e.g. File Anti-Virus, Mail Anti-Virus), as well as to Updates, Scan Tasks and System Audit (i.e. who did what). On each tab, choose which events are recorded in the local Event Viewer log by checking the boxes in the "Save in Windows Event Log" column. When you are done, click OK

        [Screenshot: Screen 4.png]

    • Go back to the previous screen and click the Save button

     

    Step 2: Import the advanced settings into the LANDESK Antivirus agent setting on the LDMS Console, so that they are pushed to all managed computers that already have LANDESK Antivirus installed

     

    • To do this, follow the instructions in the related article from its step 2 onward, which push this new configuration to all of your managed computers that already have LANDESK Antivirus installed

     

    Step 3: Configure Event Viewer on both the "Collector" server and the "Source" computers for the Subscription

     

    At this point the LANDESK Antivirus activity is logged in the local Event Viewer of each computer under "Applications and Services Logs" - "Kaspersky Event Log" (see screenshot below)

        [Screenshot: Screen 5.png]

      • Note: on each computer the events are stored in the file "%systemroot%\System32\Winevt\Logs\Kaspersky Event Log.evtx"

     

    You now need to collect the "Kaspersky Event Log" events from each computer onto a "Central" server. Windows does this with Event Subscriptions (see Event Subscriptions in the Event Viewer); one way to set this up follows.

     

              IMPORTANT NOTE: To simplify this process, the COLLECTOR machine should have LANDESK Antivirus installed, so that the subscription can be filtered to only the "Kaspersky Event Log" events coming from the SOURCE machines (see screenshot below).

              The COLLECTOR machine can be the Core Server (see the article "How to install the LANDESK AntiVirus on core server").

                  [Screenshot: Screen 6.png]

    • Depending on where you store these events on the COLLECTOR machine (in this example, the "Forwarded Events" log) and on the advanced Subscription settings you chose, you will get the kind of result shown in the screenshot below. You can then use the filter view to see specific events for specific computer(s).

              [Screenshot: Screen 7.png]
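    The subscription that Step 3 sets up through the Event Viewer UI can also be created from the command line, as in this added example (not part of the original article). It assumes a source-initiated (push) subscription, domain-joined SOURCE computers and a collector named COLLECTOR.example.local; those names and the subscription id are illustrative.

```powershell
# Added example, not from the original article: the Step 3 subscription built
# from the command line. Assumptions: source-initiated (push) subscription,
# domain-joined SOURCE computers, collector named COLLECTOR.example.local.

# --- On each SOURCE computer (normally pushed by Group Policy) ---
# Event Forwarding rides on WinRM, so enable its listener.
winrm quickconfig -q
# Then set the GPO "Computer Configuration > Policies > Administrative Templates >
# Windows Components > Event Forwarding > Configure target Subscription Manager" to:
#   Server=http://COLLECTOR.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60

# --- On the COLLECTOR (may be the core server) ---
# Start and configure the Windows Event Collector service.
wecutil qc /q

# Subscription: forward only the "Kaspersky Event Log" channel that
# LANDESK Antivirus writes (Step 1) into the collector's Forwarded Events log.
# AllowedSourceDomainComputers is SDDL granting every Domain Computer (DC)
# the right to push; narrow it to an AD group of AV clients if you prefer.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/windows/events/subscription">
  <SubscriptionId>LANDESK-AV-ActivityLogs</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Centralize LANDESK Antivirus activity from managed computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Kaspersky Event Log">
        <Select Path="Kaspersky Event Log">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'landesk-av-subscription.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding Unicode
wecutil cs $xmlPath
# Check the subscription and which SOURCE computers have reported in.
wecutil gs LANDESK-AV-ActivityLogs
wecutil gr LANDESK-AV-ActivityLogs
```

    If sources appear in "wecutil gr" but forward nothing, check that the NETWORK SERVICE account on the sources has read access to the "Kaspersky Event Log" channel, since the forwarder runs under that account.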