
How to analyze Debug logs from GUP to determine which clients are taking definitions from GUP

Created: 16 Dec 2009 • Updated: 16 Dec 2009 | 15 comments
By Aniket Amdekar (+17 votes)

One of the most effective ways to determine if a client is taking definitions from the GUP is to analyze the debug logs taken from the GUP. When you enable debug logging on a client, debug.log is created in the SEP installation folder.

The GUP functionality is implemented by a plugin called GUProxy, so when you open debug.log you can search for GUProxy to find its entries.

In those entries you can follow the event sequence for clients requesting definitions from the GUP, and you will notice that a client sends a separate request for every URL it needs to download. From the client addresses in these requests you can determine which clients are taking definitions from the GUP. If many clients take definitions from one GUP, increase the size of the log file to accommodate the larger amount of information.

[Screenshot: increasing the debug log size]

Following are the events that are happening at the client:

1. Client contacts SEPM to get the latest content. Receives the latest index file.

2. From the index file, the client learns that its definitions differ from the manager's, so it sends a request to create delta definitions.

3. After receiving this request, SEPM will start preparing the delta definitions.

4. When SEPM completes the delta creation, it will make those deltas available in IIS [ SEPM\Inetpub\content\ ] folder.

5. SEPM will send the download URL for this delta to the client.

6. Now the client contacts the GUP configured to provide that delta, sending it the URL of the delta definition.


GUProxy: accepted socket 1820 for 10.26.16.74 port 3157 
GUPROXY - GUProxy HTTP in - GET /content/{C60DC234-65F9-4674-94AE-2158EFCA433}/91206022/xdelta912
GUPROXY - GUProxy File - /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/91206022/xdelta91205021.dax
GUPROXY - GUProxy mangled file - #content#{C60DC234-65F9-4674-94AE-62158EFCA433}#91206022#xdelta91205021!dax
GUProxy - Add request into download queue.

7. GUP realizes that it does not have that delta, so, it uses the same URL, and downloads the delta in its own cache.


  - #content#{C60DC234-65F9-4674-94AE-62158EFCA433}#91206022#xdelta91205021!dax 

GUPROXY - GUProxy - Contacting the SEPM server at - cwndcw01.reynoldspkg.rpg.local

GUProxy - SO_RCVBUF is [8192]

GUPROXY - GUProxy Response - HTTP/1.1 200 OKContent-Length: 142197Content-Type: application/x-S

GUProxy - Recving content of [0X00022893] Bytes

GUProxy recved content of [0X00022893] Bytes in [2] seconds, speed is about [0X00011449] BPS or [0X00000235] kbps

8. When GUP finishes downloading the definitions from SEPM, it will save it in the cache and send it to the client.

GUProxy content cached - sending to client

GUProxy send content to the client all right

Notice that in this snippet the request was for [C60DC234-65F9-4674-94AE-62158EFCA433], which is the moniker for 32-bit Antivirus Definitions.

Following is a log snippet in which the GUP finds the requested content already in its cache and serves the client's request from it:

12/07 19:13:03 [1804:2992] GUProxy: accepted socket 1756 for 10.26.16.48 port 3026

12/07 19:13:03 [1804:2144] GUProxy: Begin to handle accepted socket 1756

12/07 19:13:03 [1804:2144] GUPROXY - GUProxy HTTP in - GET /content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/91204018/Full.zip

12/07 19:13:03 [1804:2144] GUPROXY - GUProxy File - /content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/91204018/Full.zip

12/07 19:13:03 [1804:2144] GUProxy content cached - sending to client

12/07 19:13:03 [1804:2144] GUProxy send content to the client all right.

Notice that in this snippet the request was for [812CD25E-1049-4086-9DDD-A4FAE649FBDF], which is the moniker for Symantec Security Content A1 - MicroDefsB.CurDefs.
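As an added example (not part of the original article), the following Python script automates the analysis described above: it maps each accepted socket to the requesting client IP, follows the worker thread that takes over that socket, and records for every GET whether the GUP served the content from its cache or had to fetch it from SEPM. The moniker names are the ones the article gives; the sample log lines are constructed from the article's two snippets, and the SEPM hostname in them is a placeholder.

```python
import re
MONIKERS = {  # content monikers the article identifies; other GUIDs are reported verbatim
    "C60DC234-65F9-4674-94AE-62158EFCA433": "32-bit Antivirus Definitions",
    "812CD25E-1049-4086-9DDD-A4FAE649FBDF": "Security Content A1 - MicroDefsB.CurDefs"}
THREAD_RE = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d \[(\d+:\d+)\] ")  # optional "MM/DD hh:mm:ss [pid:tid]"
ACCEPT_RE = re.compile(r"accepted socket (\d+) for (\d+\.\d+\.\d+\.\d+) port \d+")
HANDLE_RE = re.compile(r"Begin to handle accepted socket (\d+)")
GET_RE = re.compile(r"GUProxy HTTP in - GET /content/\{([0-9A-Fa-f-]+)\}/(\d+)/(\S+)")
SEPM_RE = re.compile(r"Contacting the SEPM server at - (\S+)")

def parse_guproxy_log(lines):  # one record per client GET: who asked, for what, and where GUP got it
    socket_ip, thread_socket, requests, sock = {}, {}, [], None
    for line in lines:
        thread = m.group(1) if (m := THREAD_RE.match(line)) else None
        cur = thread_socket.get(thread, sock)  # socket this line refers to (last seen if no thread id)
        if a := ACCEPT_RE.search(line):        # listener thread: socket id -> client IP
            socket_ip[a.group(1)] = a.group(2)
            sock = a.group(1)
        elif h := HANDLE_RE.search(line):      # a worker thread takes over that socket
            sock = h.group(1)
            if thread:
                thread_socket[thread] = sock
        elif g := GET_RE.search(line):         # the client's request for one content URL
            requests.append({"client": socket_ip.get(cur, "unknown"), "socket": cur,
                             "content": MONIKERS.get(g.group(1).upper(), g.group(1)),
                             "revision": g.group(2), "file": g.group(3), "source": None})
        else:                                  # resolve how the newest open request was served
            pending = [r for r in requests if r["socket"] == cur and r["source"] is None]
            if pending and (s := SEPM_RE.search(line)):
                pending[-1]["source"] = "fetched from SEPM " + s.group(1)  # cache miss
            elif pending and "content cached - sending to client" in line:
                pending[-1]["source"] = "GUP cache"                        # cache hit
    return requests

def clients_served(lines):  # client IP -> [(content, revision, source), ...]
    served = {}
    for r in parse_guproxy_log(lines):
        served.setdefault(r["client"], []).append((r["content"], r["revision"], r["source"]))
    return served

# Constructed sample modelled on the article's two snippets; the SEPM hostname is a placeholder.
SAMPLE_LOG = """\
GUProxy: accepted socket 1820 for 10.26.16.74 port 3157
GUPROXY - GUProxy HTTP in - GET /content/{C60DC234-65F9-4674-94AE-62158EFCA433}/91206022/xdelta91205021.dax
GUPROXY - GUProxy - Contacting the SEPM server at - sepm01.example.local
GUProxy content cached - sending to client
12/07 19:13:03 [1804:2992] GUProxy: accepted socket 1756 for 10.26.16.48 port 3026
12/07 19:13:03 [1804:2144] GUProxy: Begin to handle accepted socket 1756
12/07 19:13:03 [1804:2144] GUPROXY - GUProxy HTTP in - GET /content/{812CD25E-1049-4086-9DDD-A4FAE649FBDF}/91204018/Full.zip
12/07 19:13:03 [1804:2144] GUProxy content cached - sending to client
""".splitlines()
```

Run `clients_served(open("debug.log").read().splitlines())` against a real GUP's debug.log to list which clients pulled which content through it, and how often the GUP had to go back to SEPM.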

Comments (15)

Vikram Kumar-SAV to SEP:

Nice Article Aniket... 

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.

0 votes
Naor Penso:

Very Helpful,
Thanks a lot.

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

0 votes
AravindKM:

Nice information. 

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

0 votes
Vinlevi:

Hi Aniket,

My question is related to GUP.

Assuming one machine is designated as a GUP, it is obvious that the GUP takes the update from SEPM.

Scenario
=======
On my SEPM the liveupdate policy is defined as taking from "Management server" as well as "symantec live update server".

If the client fails to connect to the Management server it can take live updates from the internet, i.e. the Symantec LiveUpdate server.

Now this policy is applied to the GUP as well, as the GUP is also considered a client of SEPM (correct me if I am wrong). So if the GUP fails to download content from the management server, it should take the update from the internet.

My direct question is: can the GUP take updates from the internet if for some reason it cannot connect to the Management server?

Regards,
Lewis

0 votes
Aniket Amdekar:

Hi,

GUP can download definitions for the clients only from the SEPM. It can update itself from the internet, but it cannot share those updates downloaded from the internet with the clients.

Here's what I understand about the procedure for the GUPs to take the definitions:

1. Client contacts SEPM to get the latest content. Receives the latest index file.
2. From index file, it comes to know that the definitions are different from the manager. So it will send a request to create delta definitions.
3. After receiving this request, SEPM will start preparing the delta definitions.
4. When SEPM completes the delta creation, it will make those deltas available in IIS [ Inetpub\content\ ] folder.
5. SEPM will send the URL for this delta to the client.
6. Now, the client will contact the GUP configured to provide that delta. It also sends the URL for delta definition.
7. GUP realizes that it does not have that delta, so, it uses the same URL, and downloads the delta in its own cache.
8. As the delta is available at GUP, client will receive from the GUP.

So, to answer your question, a GUP will have the definitions from SEPM, only when it receives a definition request from a client.

Which GUP to select has been discussed in the earlier comments.

Let us know if you have any questions. This discussion is really getting interesting as we are discussing all the details about the GUP configuration.

Here are a few articles that can help you out:

https://www-secure.symantec.com/connect/articles/c...

https://www-secure.symantec.com/connect/articles/w...

https://www-secure.symantec.com/connect/videos/gro...

https://www-secure.symantec.com/connect/videos/gro...

Best,
Aniket

0 votes
Vinlevi:

Hi Aniket,

This is my first post, not sure whether I have posted in the right area.

Regards.
Lewis

0 votes
NickB:

I have been working with Symantec AV and SEP for a number of years and am responsible for troubleshooting all problems in my organization (15,000+ clients).

I recently had an issue with clients receiving updates from my GUP. I would like to offer further information on the process. I would like to note I am using location awareness.

It seems that the client that is designated as a GUP has a separate communication process with the management server in order to receive the updates that it will provide for its clients. And without getting too technical, after analyzing the 2 debug files I activated, this is what I found.

The GUP client portion is totally clueless that it is in fact a GUP, it will go through the same process of locating a GUP and/or management server just like every other client (non-GUP).

The GUP itself will communicate with the assigned GUP (itself) through the IP address for itself. Unaware that it is actually communicating with itself (the GUP).

Interesting is the fact that these two functions are totally independent. And when you first designate a client as a GUP, while reviewing the 2 debug files (1 for the GUP, 1 for the client), you will see the GUP initialize and create the appropriate folders and request and download the updates from the management server.

Then you will see the GUP client request and download the updates from the GUP (the same client - itself).

Without adding too much technical detail, I hope this is helpful.

Nick

+2 votes
Ian_C.:

NickB, you are correct.

The SEP client loads the GUP component, but they act independently of each other. That is also why sometimes the GUP will distribute updated content, yet the SEP client on the same machine will be out of date.

Thanks for posting this so clearly

Please mark the post that best solves your problem as the answer to this thread.
0 votes
Nilesh Bhosale:

If a client is off for a 1 month period, will it request a full update or a delta update?

Does it get the required update from the GUP or the SEPM manager server?

0 votes
pete_4u2002:

If a client is off for a 1 month period, will it request a full update or a delta update?

It depends on the SEPM content revisions, whether SEPM will be able to provide a delta to the GUP/client.

Does it get the required update from the GUP or the SEPM manager server?

It depends on the LU configuration of the client: if you have set the client to get updates from the GUP and not from SEPM, the content will be downloaded from the GUP.

0 votes
Nilesh Bhosale:

If a client is off for a 1 month period, will it request a full update or a delta update?

It depends on the SEPM content revisions, whether SEPM will be able to provide a delta to the GUP/client.

>>> Content revisions are limited to 25. Then what will happen?

Does it get the required update from the GUP or the SEPM manager server?

It depends on the LU configuration of the client: if you have set the client to get updates from the GUP and not from SEPM, the content will be downloaded from the GUP.

>>> Clients are configured to the GUP with a bypass period of 1 hour.

0 votes
pete_4u2002:

>>> Content revisions are limited to 25. Then what will happen?

That means SEPM can generate a delta for clients which are outdated for ~9 days (9 days and 3 revisions, hence 27 revisions for delta generation).

Clients are configured to the GUP with a bypass period of 1 hour.

If the clients cannot communicate with the GUP then they will go to SEPM for updates.

+2 votes
Richardkiddo:

Hi Aniket,

I just enabled the debug in SEP (Help and Support > Debug Logs > Edit log) and the log is captured in C:\program files\symantec\symantec end point protection. I viewed the logs but they are different from the logs which you attached. Can you explain how to find the same log on the GUP server? It will be very helpful for me, thanks.

0 votes