Agent
Display the agent logs. Agent provides the following information:
- CPP agent logs
- Agent logs by license
Note
Select the log search period on the top-right - Last 1 hour, Last 3 hours, Last 4 hours, Last 12 hours or Customize. If you select Customize, click the calendar icon to select the date, and click the clock icon to select the time. Select the period to Refresh the logs - Every 10 seconds, Every 30 seconds, Every 60 seconds or Every 90 seconds.
To view the agent logs:
- On top of the web page, click Logs.
- Select the Logs > Agent tab.
- From the log list, select the events to view. Enter a search keyword or specify the search period to view logs.
- Event: Select the log type to view.
Display the policy application result sent to the agent. Select Security Agent Events and enter the keyword to search in the search conditions (Agent ID, IP Address, Computer Name, Last Logged in User, Department and Contents).
- Log Received: The time the server received the Security Agent log.
- Log Created: The time the Security Agent log was created.
- Agent ID: The agent ID.
- IP Address: The agent's IP address.
- Computer Name: The agent's computer name.
- Last Logged in User: The Windows account that last logged in to the agent computer.
- Department: The agent user's department.
- Contents: The log details. e.g.) The policy application command received.
Note
For more information on Security Agent event logs and common columns, refer to Security Agent Events.
Task History
Display the Management Command logs. Enter the keyword to search in the search conditions (Agent ID, IP Address, Computer Name, Last Logged in User, Department, Task and Error).
- Task: The task type. e.g.) Restart Agent, Distribute Policy
- Status: The task status. e.g.) Status, Pending, Succeeded, Failed, Completed (Succeeded), Completed (Failed)
- Error: The task error.
Software Asset Change History
Display the agent's software asset change history. Enter the keyword to search in the search conditions (Agent ID, IP Address, Computer Name, Last Logged in User, Software Name, Publisher, Version and File Size).
- Event Type: The software event - Add and Delete.
- Software Name: The software name. e.g.) AhnLab V3 Endpoint Security 9.0
- Publisher: The software publisher. e.g.) AhnLab, Inc.
- Version: The software version. e.g.) 1.0.0.1
- File Size: The software file size.
Hardware Asset Change History
Display the agent's hardware asset change history. Enter the keyword to search in the search conditions (Agent ID, IP Address, Computer Name, Last Logged in User and Contents).
- Event Type: The hardware event - Change and Add.
- Hardware Type: The hardware type - CPU, memory, BIOS, hard disk (HDD), display and network. e.g.) CPU
- Contents: The hardware change details. e.g.) 3.40GHz
Malware Infection Information
Display the malware infection logs. Enter the keyword to search in the search conditions (Agent ID, IP Address, Computer Name, Last Logged in User, Department, Malware Name, Infected File Path, Hash Value, Status, Owner, Accessed Computer and Infected Computer).
- Pod Name: The pod name where the event occurred. Only communication coming in or out of the pod is recorded.
- Container Name: The container name where the event occurred.
- Container ID: The container ID where the event occurred.
- Container Image Name: The container image name in which malicious code was detected.
- Malware Name: The malware name. e.g.) Eicar
- Infected File Path: The infected file path. e.g.) C:\Temp\temp\eicar.com
- Hash Value: The malware's hash value.
- Status: The malware status - Detect and Repair.
- Scan Type: The malware scan type. e.g.) Real-time or Malware Scan
- Owner: The owner of the infected file.
- Accessed Computer: The user that accessed the infected file.
- Infected Computer: The user that infected the file.
Scan/Real-time Scan
Display the scan and real-time scan logs. Enter the keyword to search in the search conditions (Agent ID, IP Address, Computer Name, Last Logged in User, Department, Contents and Details).
Internet Security
Display the personal firewall and network intrusion prevention logs. Enter the keyword to search in the search conditions (Agent ID, IP Address, Computer Name, Last Logged in User, Department, Contents and Details).
- Contents: The internet security event.
- Details: The internet security event details.
V3 Update
Display the update logs. Enter the keyword to search in the search conditions (Agent ID, IP Address, Computer Name, Last Logged in User, Department, Contents and Details).
- Contents: The update event.
- Details: The update event details.
Device Control
Display the V3 ES 9.0 device control logs. Enter the keyword to search in the search conditions (Agent ID, IP Address, Computer Name, Last Logged in User, Department, Related Features and Contents).
- Related Features: The event's feature.
- Contents: The device control event.
HIPS Agent Event
If you select HIPS Agent Event, you can check information on HIPS product-related events in addition to the basic info of Security Agent Event. You can enter a search keyword in the search conditions (Agent ID, IP, Computer Name, Feature, Details) to search for the information you are looking for.
- Feature: Displays the name of the feature that runs in the HIPS agent. In Feature, Product Start/End State, Key Operation, Product Update, and Other may be displayed.
- Details: Displays the event details of the feature. e.g.) Policy applied (Policy: 1)
IPS Event
If you select IPS Event, you can check information on IPS-related events in addition to the basic info of Security Agent Event. You can enter a search keyword in the search conditions (Agent ID, IP, Computer Name, Log Type, SID, Signature Name, Severity, Application Type, Source IP, Source Country, Destination IP, Destination Port number, Destination Country, Source IP, Bypass Method, Other) to search for the information you are looking for.
- Detection Started: The date when the IPS detection started.
- Detection Ended: The date when the IPS detection ended.
- Signature Name: The name of the signature.
- Severity: The severity of the detected attack.
- Source IP: The source IP address of the detected attack.
- Source Port No.: The source port number of the detected attack.
- Source Country: The source country of the detected attack.
- Destination IP: The destination IP address of the detected attack.
- Destination Port number: The destination port number of the detected attack.
- Destination Country: The destination country of the detected attack.
- Network Direction: The direction in which the packets and traffic of the detected attack are transmitted.
- Session Direction: The direction between the server and the client in the detected attack.
- Attack Attempt: The number of detected attack attempts.
- No. of Packets: The number of packets in the detected attack.
- Response Method: The response method against the detected attack.
- Block Option: The detailed block option applied to a detected inbound attack whose response is set to 'block'.
- Packet Info: The packet info of the detected attack. Click [Packet Details] to see detailed info on the packet.
Firewall Event
If you select Firewall Event, you can check information on firewall block-related events in addition to the basic info of Security Agent Event. You can enter a search keyword in the search conditions (Agent ID, IP, Computer Name, Source IP, Source Port No., Destination IP, Destination Port number, Policy Name, and Rule Name) to search for the information you are looking for.
- Detection Started: The date when the firewall detection started.
- Detection Ended: The date when the firewall detection ended.
- Packet direction: Whether the packet in the detected attack is inbound or outbound.
- Network Direction: The direction in which the packets and traffic of the detected attack are transmitted.
- Source IP: The source IP address of the detected attack.
- Source Port No.: The source port number of the detected attack.
- Source Country: The source country of the detected attack.
- Destination IP: The destination IP address of the detected attack.
- Destination Port number: The destination port number of the detected attack.
- Destination Country: The destination country of the detected attack.
- Protocol: The protocol used in the detected attack.
- Packet Size: The packet size of the detected attack.
- No. of Detections: The number of detections.
- Policy Name: The name of the firewall policy.
- Reason: The reason for the block.
- Rule Name: The name of the rule.
- Packet Processing: The type of packet processing.
AC Agent Event
If you select AC Agent Event, you can check information on AC Agent-related events in addition to the basic info of Security Agent Event. You can enter a search keyword in the search conditions (Agent ID, IP, Computer Name, Feature, Details) to search for the information you are looking for.
- Feature: Displays the name of the feature that runs in the AC agent. In Feature, Product Start/End State, Key Operation, Product Update & Policy Application, and Other may be displayed.
- Details: Displays the event details of the feature. e.g.) Policy applied (Policy: 1)
Execution Control Event
If you select Execution Control Event, you can check information on execution control-related events in addition to the basic info of Security Agent Event. You can enter a search keyword in the search conditions (Agent ID, IP, Computer Name, Owner Process ID, Owner Process Name, File Name, File Path, File Hash (SHA 256), Supplier, Signed by, File Size, and ASD Reputations) to search for the information you are looking for.
- Owner Process ID: The ID of the process that was run before the file under execution control.
- Owner Process Name: The name of the process that was run before the file under execution control.
- File Name: The name of the file under execution control.
- File Path: The path of the file under execution control.
- File Hash (SHA 256): The hash value (SHA 256) of the file under execution control.
- Supplier: The provider of the file under execution control.
- Signed by: The signer of the file under execution control.
- File Size: The size of the file under execution control.
- Response Method: The response method against the file under execution control.
- AC Status: Displays the activation mode of execution control.
- ASD Reputations: Distinguishes and displays the ASD reputation as Black, White, Unknown, or None.
- Reason: Distinguishes and displays the reason as Execution Control, Trusted Targets, Inventory, Collection Mode, or Timeout.
Access Control Event
If you select Access Control Event, you can check information on access control-related events in addition to the basic info of Security Agent Event. You can enter a search keyword in the search conditions (Agent ID, IP, Computer Name, File Name, File Path, Supplier, Signed by, Access Target) to search for the information you are looking for.
- File Name: The name of the file under access control.
- File Path: The path of the file under access control.
- Supplier: The provider of the file under access control.
- Signed by: The signer of the file under access control.
- Access Target: Displays the files that are access targets.
- Access Method: Displays the method of access.
- Response Method: The response method against the file under access control.
- AC Status: Displays the activation mode of execution control.
- Reason: Distinguishes and displays the reason as User-defined or Lockdown Mode.
Search for Agent Logs
To search for agent logs:
- On top of the web page, click Logs.
- Select the Logs > Agent tab.
- Select the event type and enter the keyword to search in the search conditions (Agent ID, IP Address, Computer Name, Last Logged in User and Department).
- Click Search.
- Specify the period to view the logs on the right.
- Check the logs.
Note
Select the period to Refresh the logs - Every 10 seconds, Every 30 seconds, Every 60 seconds or Every 90 seconds.
Export
Save the logs as a file.
- On top of the web page, click Logs.
- Select the Logs > Agent tab.
- Enter a search keyword or specify the search period to view logs.
- Click Export to save the file in csv, xlsx or pdf format.
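The following script is an added example and is not part of this documentation or of the product. It shows how a defender can work offline with csv exports of two of the views described above: the Malware Infection Information view (flagging files that have a Detect entry but no matching Repair entry on the same agent) and the IPS Event view (ranking source IP addresses by the summed Attack Attempt count and checking whether every event from that source was blocked). The column names follow the field labels documented on this page, but the actual export layout, the sample rows, the hash values and the Response Method value "Block" are all assumptions constructed for the example.

```python
"""Triage helpers for csv exports of the Agent log views (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample export of the "Malware Infection Information" view.
# Column names are the documented field labels; the real csv layout and the
# hash values are assumptions, not data from the product.
MALWARE_EXPORT = r"""
Log Received,Log Created,Agent ID,IP Address,Computer Name,Last Logged in User,Department,Malware Name,Infected File Path,Hash Value,Status,Scan Type
2024-05-01 09:00:05,2024-05-01 09:00:01,AG-0001,10.0.0.11,PC-ALICE,alice,Finance,Eicar,C:\Temp\temp\eicar.com,hash-placeholder-1,Detect,Real-time
2024-05-01 09:00:09,2024-05-01 09:00:02,AG-0001,10.0.0.11,PC-ALICE,alice,Finance,Eicar,C:\Temp\temp\eicar.com,hash-placeholder-1,Repair,Real-time
2024-05-01 10:15:00,2024-05-01 10:14:58,AG-0002,10.0.0.12,PC-BOB,bob,Sales,Eicar,C:\Users\bob\Downloads\eicar.com,hash-placeholder-1,Detect,Malware Scan
"""

# Constructed sample export of the "IPS Event" view. Signature names and the
# Response Method value "Block" are placeholders assumed for the example.
IPS_EXPORT = r"""
Agent ID,Computer Name,Detection Started,Detection Ended,Signature Name,Severity,Source IP,Source Port No.,Destination IP,Destination Port number,Attack Attempt,Response Method
AG-0001,PC-ALICE,2024-05-01 09:00:00,2024-05-01 09:05:00,SIG-PLACEHOLDER-A,High,198.51.100.7,51000,10.0.0.11,445,12,Block
AG-0002,PC-BOB,2024-05-01 09:10:00,2024-05-01 09:11:00,SIG-PLACEHOLDER-A,High,198.51.100.7,51002,10.0.0.12,445,3,Block
AG-0003,PC-CAROL,2024-05-01 09:30:00,2024-05-01 09:30:30,SIG-PLACEHOLDER-B,Low,203.0.113.9,40000,10.0.0.13,80,1,Detect
"""


def load_export(text):
    """Parse one exported log view (csv format) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def unrepaired_detections(rows):
    """Return sorted (Agent ID, Infected File Path) pairs whose Status was
    'Detect' without a later 'Repair' entry for the same file on that agent.
    These are the open items an analyst still has to follow up."""
    detected, repaired = set(), set()
    for row in rows:
        key = (row["Agent ID"], row["Infected File Path"])
        if row["Status"] == "Detect":
            detected.add(key)
        elif row["Status"] == "Repair":
            repaired.add(key)
    return sorted(detected - repaired)


def top_attack_sources(rows, limit=5):
    """Sum 'Attack Attempt' per Source IP and report, for each source,
    (ip, total attempts, number of distinct agents hit, all_blocked).
    all_blocked is False when any event from that source was not answered
    with the assumed Response Method value 'Block'."""
    stats = defaultdict(lambda: {"attempts": 0, "agents": set(), "all_blocked": True})
    for row in rows:
        entry = stats[row["Source IP"]]
        entry["attempts"] += int(row["Attack Attempt"])
        entry["agents"].add(row["Agent ID"])
        if row["Response Method"] != "Block":
            entry["all_blocked"] = False
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["attempts"], reverse=True)
    return [(ip, s["attempts"], len(s["agents"]), s["all_blocked"]) for ip, s in ranked[:limit]]


if __name__ == "__main__":
    for agent_id, path in unrepaired_detections(load_export(MALWARE_EXPORT)):
        print(f"open detection on {agent_id}: {path}")
    for ip, attempts, agents, blocked in top_attack_sources(load_export(IPS_EXPORT)):
        print(f"{ip}: {attempts} attempts against {agents} agent(s), all blocked={blocked}")
```

On a real export, replace the constructed strings with the file contents (for example `load_export(open("agent_logs.csv", encoding="utf-8").read())`) and check the header row against the column names the script expects before relying on the output.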
Remove Logs
To delete logs:
- On top of the web page, click Logs.
- Select the Logs > Agent tab.
- Enter a search keyword or specify the search period to view the logs to delete.
- Click Remove Logs.