Security Community Blog

GUP Traffic Summary

Created: 02 Jul 2010 • Updated: 06 Jul 2010 • 4 comments
Posted by Khue

So I was talking to GrahamA, the guy responsible for the SEP Content Distribution Monitor, and I started asking some questions after looking at the tool. By the way, if you are using GUPs (Group Update Providers) in your SEP environment I would highly recommend looking into the tool found here. It fills in some holes that SEPM doesn't cover out of the box. After going through the IIS log files that get created, I realized that there is a goldmine of information available. I talked to GrahamA, told him what I wanted from the little app, and even took some time to bang out a little VBScript that I thought would be a nice-to-have.

One of the questions I had was: how much traffic exactly are my GUPs consuming? This is important for me to know because of my network structure. My GUPs sit at the far side of a slow WAN link. Having the GUPs saves me bandwidth, but how much bandwidth exactly is being consumed? If you look at the IIS logs that get generated, you can clearly see that the GUPs download content from the SEPM, and you may also notice that the IP addresses of the clients managed by the GUPs never appear in the IIS logs. So after realizing this, I thought it would be useful to develop this little script to give me a basic idea of what the Update Providers are doing.

The script attached prompts for the file location of the log you would like to parse. If you followed GrahamA's instructions to a T, your logs roll over at the beginning of each day. Therefore, if you point this script at one of the logs, you get an idea of what the GUPs have done over that day. The second thing the script prompts you for is an IP address. A couple of cool (and unintended) things about this part. My original plan was to input the IP of the GUP and have it simply sum up the traffic for that device, which the script will do. One of the unintended things the script can do is sum traffic on a particular subnet. For example, I know that if I type in 192.168.1.2, I will sum all traffic generated by that GUP. However, I fat-fingered this once and typed 192.168, and quickly realized that I can get a quick report for the entire 192.168.0.0 subnet, because the script matches the value you enter against the start of each logged IP address.

Anyway, I expressed the wish for this script to somehow be built into the CDM app. I even created a method for the script to pull specific IPs out of Globallist.xml, the reference file for all IP addresses of GUPs, and report on each individual GUP's activity. I thought I'd share this with the community for now, just for fun.

*This is provided as is. As usual, be careful with anything you download that is not fully endorsed by Symantec. This is, however, just a log parser and should do no harm, as it simply reads log files.

Comments (4)

GrahamA:

I had that sort of functionality (bandwidth counter) in the code already in the background. I've now integrated it into the monitor (v3.1 posted) so the results are clear to the user and when you search for an IP or network, you also get details on the bandwidth used by the matching group of IPs.

I'm now working on adding the functionality whereby the tool can distinguish between clients and GUPs (using the sample code you very kindly provided).

Thx again for your help with that!

Keep the ideas coming :-) At this stage there are 2 features in the tool which have been submitted by people in the community. I encourage anyone to get involved! Right-click on the tool user interface and select 'view source'. If you are familiar with VBScript, feel free to contribute!

GrahamA Product Management, Symantec Security Solutions

Adamster:

What would the log file location be for Apache?

Adamster:

Never mind, got it:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\logs\access.log

Adamster:

I am trying to use the traffic monitor .vbs script from the forum below on a 2012 server with SEPM RU2 running. My goal is to find out how much bandwidth SEPM is using while transferring to the GUP; by default it should be 256 kbps, which is configured through my policy in SEPM. I am trying to see this in real time, and that is where I think this script might help.

However, when I run the script and give it the Apache access log location C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\logs\access.log, and then for the IP address I put in an IP address that I know in fact is in the access.log, I get an error from Windows Script Host pointing to line 23, character 11, error: Type mismatch: 'clng'

Do you have any advice on this?

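The per-IP and per-subnet byte summing that the post describes, covering both the IIS W3C logs the original script parses and the Apache access.log path given in the comments above, as an added Python example; this is not Khue's VBScript or the Content Distribution Monitor's code. It assumes an IIS log that carries the sc-bytes column (the column positions are read from the #Fields: header rather than hard-coded, so the script fails explicitly if sc-bytes was never enabled) and an Apache combined-format access.log; all sample log lines are constructed. It treats a '-' byte field as zero instead of converting it numerically, because Apache writes '-' for a zero-byte response and a straight numeric conversion of that string fails; that this is what triggers the CLng type mismatch reported above is an assumption, not something the thread confirms. It also goes one step beyond the post's plain string-prefix matching by matching whole dotted octets, so that 192.168.1 covers 192.168.1.2 but not 192.168.10.7.

```python
import re

# Constructed sample IIS W3C log. The "#Fields:" header announces the columns,
# so the script reads c-ip and sc-bytes positions from it rather than assuming them.
IIS_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-07-02 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-bytes cs-bytes
2010-07-02 00:00:01 10.0.0.1 GET /content/full.dax - 8014 192.168.1.2 200 1048576 320
2010-07-02 00:00:09 10.0.0.1 GET /content/delta.dax - 8014 192.168.1.2 200 65536 310
2010-07-02 00:01:15 10.0.0.1 GET /content/delta.dax - 8014 192.168.10.7 200 65536 310
2010-07-02 00:02:40 10.0.0.1 GET /content/index.xml - 8014 172.16.5.9 200 2048 290
2010-07-02 00:03:02 10.0.0.1 GET /content/full.dax - 8014 192.168.1.2 304 - 320
"""

# Constructed sample Apache access log in combined format. Apache writes "-"
# for a zero-byte response (the 304 line below); converting "-" to a number fails.
APACHE_LOG = """192.168.1.2 - - [02/Jul/2010:00:00:01 -0400] "GET /content/full.dax HTTP/1.1" 200 1048576 "-" "SEP client"
192.168.10.7 - - [02/Jul/2010:00:00:09 -0400] "GET /content/delta.dax HTTP/1.1" 200 65536 "-" "SEP client"
192.168.1.2 - - [02/Jul/2010:00:00:20 -0400] "GET /content/full.dax HTTP/1.1" 304 - "-" "SEP client"
172.16.5.9 - - [02/Jul/2010:00:00:31 -0400] "GET /content/index.xml HTTP/1.1" 200 2048 "-" "SEP client"
"""

# client ip, identd, user, [timestamp], "request", status, bytes, ...
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def _to_bytes(field):
    """Return an int byte count; '-' or any other non-numeric field counts as 0."""
    return int(field) if field.isdigit() else 0


def iter_records(lines):
    """Yield (client_ip, bytes_sent) from IIS W3C or Apache combined log lines."""
    c_ip_idx = sc_bytes_idx = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            c_ip_idx = fields.index("c-ip")
            sc_bytes_idx = fields.index("sc-bytes")  # ValueError if sc-bytes is not logged
            continue
        if line.startswith("#"):
            continue  # other W3C directives (#Software, #Version, #Date)
        if c_ip_idx is not None:
            cols = line.split()
            if len(cols) > max(c_ip_idx, sc_bytes_idx):
                yield cols[c_ip_idx], _to_bytes(cols[sc_bytes_idx])
            continue
        m = APACHE_RE.match(line)
        if m:
            yield m.group("ip"), _to_bytes(m.group("bytes"))


def ip_matches(ip, prefix):
    """Match on whole dotted octets: '192.168.1' matches 192.168.1.2 but not 192.168.10.7."""
    want = prefix.strip(".").split(".")
    return ip.split(".")[:len(want)] == want


def sum_traffic(lines, prefix):
    """Total bytes served to every client IP under the prefix, plus a per-IP breakdown."""
    per_ip = {}
    for ip, nbytes in iter_records(lines):
        if ip_matches(ip, prefix):
            per_ip[ip] = per_ip.get(ip, 0) + nbytes
    return sum(per_ip.values()), per_ip


if __name__ == "__main__":
    # Usage: python gup_traffic.py <log file> <IP or dotted prefix>
    import sys
    path, prefix = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8", errors="replace") as fh:
        total, per_ip = sum_traffic(fh, prefix)
    for ip, n in sorted(per_ip.items()):
        print(f"{ip:>15}  {n:>12} bytes")
    print(f"total for {prefix}: {total} bytes ({total / 1048576:.2f} MiB)")
```

Run it against a day's log with either a full GUP address or a dotted prefix; sc-bytes (IIS) and the response-size field (Apache) count bytes the SEPM sent to the GUP, which is the direction that crosses the WAN link the post is concerned with.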