About log types

Article:HOWTO27271  |  Created: 2010-01-08  |  Updated: 2010-01-15  |  Article URL http://www.symantec.com/docs/HOWTO27271
Article Type: How To


You can view the following types of logs from the Monitors page:

  • Audit

  • Application and Device Control

  • Compliance

  • Computer Status

  • Network Threat Protection

  • TruScan Proactive Threat Scan

  • Risk

  • Scan

  • System

Note:
All these logs are accessed from the Monitors page on the Logs tab.

Some types of logs are further divided into different types of content to make them easier to view. For example, the Application and Device Control logs include the Application Control log and the Device Control log. You can also run commands from some logs.

Note:
If you have only Symantec Network Access Control installed, only some of the logs contain data; some logs are empty. The Audit log, Compliance log, Computer Status log, and System log contain data. If you have only Symantec Endpoint Protection installed, the Compliance logs and Enforcer logs are empty but all other logs contain data.

You can view information about the created notifications on the Notifications tab and information about the status of commands on the Command Status tab.

Related topics:

  • Viewing and filtering administrator notification information

  • Running commands and actions from logs

Table: Log types describes the different types of content that you can view and the actions that you can take from each log.

Table: Log types

Log type

Contents and actions

Audit

The Audit log contains information about policy modification activity.

Available information includes the event time and type; the policy modified; the domain, site, and user name involved; and a description.

No actions are associated with this log.

Application and Device Control

The Application Control log and the Device Control log contain information about events where some type of behavior was blocked.

The following Application and Device Control logs are available:

  • Application Control, which includes information about Tamper Protection

  • Device Control

Available information includes the time the event occurred, the action taken, the domain and computer that were involved, the user that was involved, the severity, the rule that was involved, the caller process, and the target.

You can add a file to a Centralized Exceptions Policy from the Application Control log.

Available information includes the time the event occurred, the event type, the domain and group that were involved, the computer that was involved, the user that was involved, the operating system name, a description, the location, and the name of the application that was involved.

Compliance

The compliance logs contain information about the Enforcer server, Enforcer clients, and Enforcer traffic, and about host compliance.

The following compliance logs are available if you have Symantec Network Access Control installed:

  • Enforcer Server

    This log tracks communication between Enforcers and their management server. Information that is logged includes Enforcer name, when it connects to the management server, the event type, site, and server name.

  • Enforcer Client

    Provides information on all Enforcer client connections, including peer-to-peer authentication information. Available information includes the time, each Enforcer's name, type, site, remote host, and remote MAC address, and whether the client was passed, rejected, or authenticated.

  • Enforcer Traffic (Gateway Enforcer only)

    Provides some information about the traffic that moves through an Enforcer appliance. Available information includes the time, the Enforcer name, the Enforcer type, and site. The information also includes the local port that was used, the direction, action, and a count. You can filter on the connection attempts that were allowed or blocked.

  • Host Compliance

    This log tracks the details of Host Integrity checks of clients. Available information includes the time, event type, domain/group, computer, user, operating system, description, and location.

No actions are associated with these logs.

Computer Status

The Computer Status log contains information about the real-time operational status of the client computers in the network.

Available information includes the computer name, IP address, infected status, protection technologies, Auto-Protect status, versions, definitions date, user, last check-in time, policy, group, domain, and restart required status.

You can perform the following actions from the Computer Status log:

  • Scan

    This command launches an Active, Full, or Custom scan. Custom scan options are those that you have set for command scans on the Administrator-defined Scan page. The command uses the settings in the Antivirus and Antispyware Policy that applies to the clients that you selected to scan.

  • Update Content

    This command triggers an update of policies, definitions, and software from the Symantec Endpoint Protection Manager console to the clients in the selected group.

  • Update Content and Scan

    This command triggers an update of the policies, definitions, and software on the clients in the selected group. This command then launches an Active, Full, or Custom scan. Custom scan options are those that you have set for command scans on the Administrator-defined Scan page. The command uses the settings in the Antivirus and Antispyware Policy that applies to the clients that you selected to scan.

  • Cancel All Scans

    This command cancels all running scans and any queued scans on the selected recipients.

  • Restart Client Computers

    This command restarts the computers that you selected. If users are logged on, they are warned about the restart based on the restart options that the administrator configured for that computer. You can configure client restart options on the General Settings tab of the General Settings dialog box on the Policies tab of the Clients page.

  • Enable Auto-Protect

    This command turns Auto-Protect on for all the client computers that you selected.

  • Enable Network Threat Protection

    This command turns on Network Threat Protection for all the client computers that you selected.

  • Disable Network Threat Protection

    This command turns Network Threat Protection off for all the client computers that you selected.

You can also clear the infected status of computers from this log.

Network Threat Protection

The Network Threat Protection logs contain information about attacks detected by the firewall and by intrusion prevention. Information is available about denial-of-service attacks, port scans, and the changes that were made to executable files. The logs also contain information about the connections that are made through the firewall (traffic) and the data packets that pass through it. They also record some of the operational changes that are made to computers, such as the detection of network applications and changes to software configuration.

The following Network Threat Protection logs are available:

  • Attacks

    Available information includes time, attack type, domain/group, computer, and client user name. Additional information available includes the severity; the direction/protocol; the local host IP/remote host IP; the location; and the number.

  • Traffic

    Available information includes time, event type, action, severity, direction, computer, local host IP/remote host IP, protocol, client user name, and number.

  • Packet

    Available information includes time, event type, action, domain, direction, computer, local host IP, local port, and remote host IP.

No actions are associated with these logs.

TruScan Proactive Threat Scan

The TruScan Proactive Threat Scan log contains information about the threats that have been detected during proactive threat scanning. TruScan proactive threat scans use heuristics to scan for any behavior that is similar to virus and security risk behavior. This method can detect unknown viruses and security risks.

Available information includes items such as the time of occurrence, event actual action, user name, computer/domain, application/application type, count, and file/path.

You can add a detected process to a preexisting Centralized Exceptions Policy from this log.

Risk

The Risk log contains information about risk events. Available information includes the event time, event actual action, user name, computer/domain, risk name/source, count, and file/path.

You can take the following actions from this log:

  • Add Risk to Centralized Exceptions Policy

  • Add File to Centralized Exceptions Policy

  • Add Folder to Centralized Exceptions Policy

  • Add Extension to Centralized Exceptions Policy

  • Delete from Quarantine

Scan

The Scan log contains information about antivirus and antispyware scan activity.

Available information includes items such as the scan start, computer, IP address, status, duration, detections, scanned, omitted, and domain.

No actions are associated with this log.

System

The system logs contain information about events such as when services start and stop.

The following system logs are available:

  • Administrative

    Available information includes items such as event time and event type; the domain, site, and server involved; severity; administrator; and description.

  • Client-Server Activity

    Available information includes items such as event time and event type; the domain, site, and server involved; client; and user name.

  • Server Activity

    Available information includes items such as event time and event type; the site and server involved; severity; description; and message.

  • Client Activity

    Available information includes items such as event time, event type, event source, domain, description, site, computer, and severity.

  • Enforcer Activity

    Available information includes items such as event time, event type, enforcer name, enforcer type, site, severity, and description.

No actions are associated with these logs.



Legacy ID: 349629
