Transfer historical log data from Symantec AntiVirus 10.1 to Symantec Endpoint Protection Manager
Article: TECH105178 | Created: 2008-01-18 | Updated: 2012-05-02 | Article URL: http://www.symantec.com/docs/TECH105178
I want to configure SAV 10.1 to send historical and new log information to the Symantec Endpoint Protection Manager (SEPM) instead of to the SAV 10.1 Reporting Server.
Edit the Reporting Agent on the SAV Server to point to the SEPM:
IMPORTANT: Since the release of SEP MR3, the software no longer defaults to port 80 for communications to SEPM. You may have to configure your Reporting Agents (via the SSC) to point to the new manager on the specific IIS port used for the site (the default is 8014). For example:
1. In Symantec System Center (SSC) under Reporting, right-click on Reporting Servers and choose New.
2. Type in the Hostname or IP Address of the machine running SEPM.
3. In SSC, right-click on the SAV Server Group and go to All Tasks / Reporting Configuration / Reporting Server and choose the SEPM machine from the drop-down list, then click OK.
To set SEPM to accept legacy log information:
1. In SEPM go into the Home Tab and click on Preferences (in Security Status section).
2. In the Preferences dialog click on Logs and Reports.
3. In the Legacy Support section, check the checkbox for Upload Symantec Antivirus version 10.x log files then click OK.
On the machine with the Reporting Agent, delete or rename the file: C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\logsender5.stat.
The log files in the SAV Server's 7.5 folder will be reprocessed and sent to the Endpoint Protection Manager database.
This could also work when you redirect a Server Group to point to a different Reporting Server and want the historical data re-forwarded.
Windows 2008 and above have built-in firewalls that will need to be addressed to let the traffic through. LogSender on the SAV Server side first attempts to ping the IP of the SEPM, and if the firewall is enabled (as it is by default), the SEPM will not respond to the ping. This causes LogSender to fail.
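The following pre-flight script for the SAV server is an added example, not part of the original Symantec article: it checks that the SEPM answers a ping and accepts connections on the reporting port, and only then renames logsender5.stat so the logs are re-sent. The host name is a placeholder, the port is the default of 8014 mentioned above, and the backup file name is a constructed convention.

```powershell
# Added example: run on the machine with the Reporting Agent.
# $SepmHost is a placeholder; $SepmPort is the default IIS port from the article.
param(
    [string]$SepmHost = 'sepm.example.internal',
    [int]$SepmPort = 8014
)

$statFile = 'C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\logsender5.stat'

# LogSender pings the SEPM first, so an unanswered ping means it would fail.
function Test-Ping([string]$Target) {
    $ping = New-Object System.Net.NetworkInformation.Ping
    try { return ($ping.Send($Target, 2000).Status -eq 'Success') }
    catch { return $false }
}

# Confirm the reporting port is reachable (3 second timeout).
function Test-TcpPort([string]$Target, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

if (-not (Test-Ping $SepmHost)) {
    Write-Warning "No ping reply from $SepmHost. Check the firewall on the SEPM before resending logs."
    exit 1
}
if (-not (Test-TcpPort $SepmHost $SepmPort)) {
    Write-Warning "TCP port $SepmPort on $SepmHost is not reachable. Check the Reporting Server port and firewall."
    exit 1
}

if (Test-Path $statFile) {
    # Rename instead of delete so the old state file can be restored if needed.
    $newName = 'logsender5.stat.{0:yyyyMMddHHmmss}.bak' -f (Get-Date)
    Rename-Item -Path $statFile -NewName $newName
    Write-Output "Renamed logsender5.stat to $newName; the logs will be reprocessed."
}
else {
    Write-Output 'logsender5.stat not found; nothing to rename.'
}
```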
The SEP 12.1 SEPM is also capable of receiving logs from SAV 10.1 and from SAV for Linux (SAVFL). For details, please see How to enable the 12.1 Symantec Endpoint Protection Manager (SEPM) to receive logging from legacy clients.