What you can do from the logs

Article:HOWTO81161  |  Created: 2012-10-24  |  Updated: 2014-09-21  |  Article URL http://www.symantec.com/docs/HOWTO81161
Article Type
How To


What you can do from the logs

Logs contain records about client configuration changes, security-related activities, and errors. These records are called events. The logs display these events with any relevant additional information. Security-related activities include information about virus detections, computer status, and the traffic that enters or exits the client computer.

Logs are an important method for tracking each client computer's activity and its interaction with other computers and networks. You can use this data to analyze the overall security status of the network and modify the protection on the client computers. You can track the trends that relate to viruses, security risks, and attacks. If several people use the same computer, you might be able to identify who introduces risks, and help that person to use better precautions.

You can view the log data on the Logs tab of the Monitors page.

The management server regularly uploads the information in the logs from the clients to the management server. You can view this information in the logs or in reports. Because reports are static and do not include as much detail as the logs, you might prefer to monitor the network by using logs.


If you have only Symantec Network Access Control installed, only some of the logs contain data; some logs are empty. The Audit log, Compliance log, Computer Status log, and System log contain data. If you have only Symantec Endpoint Protection installed, the Compliance logs and Enforcer logs are empty but all other logs contain data.

In addition to using the logs to monitor your network, you can take the following actions from various logs:

Table: Log types describes the different types of content that you can view and the actions that you can take from each log.

Table: Log types

Log type

Contents and actions


The Audit log contains information about policy modification activity.

Available information includes the event time and type; the policy modified; the domain, site, and user name involved; and a description.

No actions are associated with this log.

Application and Device Control

The Application Control log and the Device Control log contain information about events where some type of behavior was blocked.

The following Application and Device Control logs are available:

  • Application Control, which includes information about Tamper Protection

  • Device Control

Available information includes the time the event occurred, the action taken, and the domain and computer that were involved. It also includes the user that was involved, the severity, the rule that was involved, the caller process, and the target.

You can create an application control or Tamper Protection exception from the Application Control log.

See Specifying how Symantec Endpoint Protection handles monitored applications on Windows clients.


The compliance logs contain information about client Host Integrity.

The compliance logs also provide information about the Enforcer server, Enforcer clients, and Enforcer traffic.

No actions are associated with these logs.

Computer Status

The Computer Status log contains information about the real-time operational status of the client computers in the network.

Available information includes the computer name, IP address, infected status, protection technologies, Auto-Protect status, versions, and definitions date. It also includes the user, last check-in time, policy, group, domain, and restart required status.

You can also clear the infected status of computers from this log.


This log contains information that is collected from both Windows clients and Mac clients.

Network Threat Protection

The Network Threat Protection logs contain information about attacks on the firewall and on intrusion prevention. Information is available about denial-of-service attacks, port scans, and the changes that were made to executable files. They also contain information about the connections that are made through the firewall (traffic), and the data packets that pass through. These logs also contain some of the operational changes that are made to computers, such as detecting network applications, and configuring software.

No actions are associated with these logs.


The SONAR log contains information about the threats that have been detected during SONAR threat scanning. These are real-time scans that detect potentially malicious applications when they run on your client computers.

The information includes items such as the time of occurrence, event actual action, user name, Web domain, application, application type, file, and path.

If you have 11.0 clients in your network, the SONAR log can also contain information from legacy TruScan proactive threat scans.

See About SONAR.


The Risk log contains information about risk events. Available information includes the event time, event actual action, user name, computer, and domain, risk name and source, count, and file and path.


The Scan log contains information about virus and spyware scan activity from both Windows clients and Mac clients.

Available information includes items such as the scan start, computer, IP address, status, duration, detections, scanned, omitted, and domain.

No actions are associated with these logs.


The system logs contain information about events such as when services start and stop.

No actions are associated with these logs.

Legacy ID


Article URL http://www.symantec.com/docs/HOWTO81161

Terms of use for this information are found in Legal Notices