SEP Content Distribution Monitor (for GUP health-checking)

Created: 14 Jun 2010 • Updated: 25 Jul 2011 | 328 comments
GrahamA's picture
+50 50 Votes

UPDATED: New version now available that is compatible with SEP 12.1

After hearing customers mention they could benefit from increased visibility over the Group Update Providers that are active in their environment, as they are a critical part of their content infrastructure, the Symantec SEP product team have created a small utility to help customers address this need.

It's a very lightweight utility that must be run directly on a SEPM machine and will provide customers with a quick-glance dashboard.

Warning: This is not an officially supported tool, so use is at your own risk. That said, it is reading from the various data sources it accesses, not writing to them, so use of the tool is typically low risk, and customers that have used it so far have reported no negative side-effects.
Best Regards,
GrahamA.
 
Product Management
Symantec Corporation

Comments (328)

EricT's picture

I would assume that as long as the user who is non-admin has the proper rights to the bat file and proper Java permissions it should be fine. Really it's just a batch file that runs a Java front end that is querying into the SEPM DB.

dimago's picture

Anyone to help in my question above?

Stefan-DE's picture

No clue. 

Rights are not mentioned in the "Help" (Button) in the SEPM Monitor

EricT's picture

GrahamA, this is a great tool I have been using since 11.6.2, and with our GUP numbers growing it's a tool I find I can't live without anymore.

Just an idea, but could you PLEASE make a version of this tool that is self-running as long as you make an ODBC connection to the SQL for the 12.1?

Our setup is 2 SEPMs both on the same subnet as the SQL box they are linked to. We are not using the SEP internal SQL but SQL 2005 update 4.

We have an issue where the SEPMs we have up have a memory leak and are using up all 4 gigs as soon as the SEPMs come online. This has made this GUP Monitoring tool unusable in our environment because of the java switchover and the memory it uses. Creating a tool that can be run on a non-SEPM machine as long as you have the proper credentials to the SQL would greatly help us with ensuring the GUPs are working as they should be to ensure we have offloaded as much of the definition processing as possible to our heavily GUP laden environment.

Just a thought if you could look into this would be great.

Reek-Havoc's picture

Hi,

Started using the tool a couple of weeks ago. Nice concept! We have 3 GUPs but only one ever seems to show up in the monitor. I have triple-checked my settings and the systems individually all seem to work as GUPs in that they respond to telnet on port 2967 and have the shared update folders. How can I troubleshoot to get the rest of my GUPs to show up in the monitor?

Thanks very much for any help!

 

Reek

 

Shah_M's picture

Hi,

 

Where can I get the recent version of this tool? I find only the beta version. Could someone provide me the link for the recent version for 11.X and 12.X and steps on how to use it?

megamanVI's picture

It doesn't look like this tool is being worked on anymore.

ScottM 2's picture

Does seem like it has been abandoned. I know it has been suggested that this level of detail get rolled into the SEPM in the future but probably not till a major rev at this rate.

LucianoPS's picture

Hello everyone.

I am using SEP 12.1 RU3 installed on Windows Server 2012 and cannot run this application.

The SEPM is installed in the folder "D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager"

I copy the files to the folder "tool", change the httpd.conf file but always the same problem occurs as shown below.

=============================================================

java.io.IOException: Couldn't get lock for D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\..\tomcat\logs\scm-server-%g.log
        at java.util.logging.FileHandler.openFiles(FileHandler.java:389)
        at java.util.logging.FileHandler.<init>(FileHandler.java:323)
        at com.sygate.scm.server.util.ServerLogger.<clinit>(ServerLogger.java:125)
        at com.sygate.scm.tools.monitor.SepmMonitor.initLogger(SepmMonitor.java:415)
        at com.sygate.scm.tools.monitor.SepmMonitor.main(SepmMonitor.java:318)
Exception in thread "main" com.sygate.scm.server.util.ScmServerError: java.io.IOException: Couldn't get lock for D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\..\tomcat\logs\scm-server-%g.log
        at com.sygate.scm.server.util.ServerLogger.<clinit>(ServerLogger.java:170)
        at com.sygate.scm.tools.monitor.SepmMonitor.initLogger(SepmMonitor.java:415)
        at com.sygate.scm.tools.monitor.SepmMonitor.main(SepmMonitor.java:318)
Caused by: java.io.IOException: Couldn't get lock for D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\..\tomcat\logs\scm-server-%g.log
        at java.util.logging.FileHandler.openFiles(FileHandler.java:389)
        at java.util.logging.FileHandler.<init>(FileHandler.java:323)
        at com.sygate.scm.server.util.ServerLogger.<clinit>(ServerLogger.java:125)
        ... 2 more

=============================================================

Any Help?

Luciano Santos

bsjj27's picture

I have a few GUP questions, hopefully someone can answer me. Whenever I open tickets with Symantec support the techs are always not familiar with GUPs. I have 12.1 rolled out throughout my enterprise. I'm trying my best to keep the chatter between the manager and the clients to a minimum. I have roughly 100 branches. Each branch has a branch server, either Win 2008 or Win 2003. On the branch servers I only install the AV piece of SEP. On the workstations I have the full SEP client: AV, PTP, and NTP. Will the branch servers, which are GUPs for the office, still download the definitions for PTP and NTP to pass out to the clients on the network even though they don't have those features installed?

Another question: we monitor network bandwidth through Netflow data, and at many points through the day I will see large transfers between the SEPM and clients. How can I figure out what it is transferring? What port do definition file downloads operate over, port 8014?

Any help would really be appreciated.

 

 

_Brian's picture

Yes, the GUP will distribute content for all components regardless of what components it has installed.

The clients communicate with the SEPM over 8014.

Clients communicate with the GUPs over 2967.

You would need to use a sniffer such as wireshark to see exactly what is transferring.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

bsjj27's picture

I appreciate the quick response. I'm actually working on a client now that is downloading its definitions from the manager instead of its GUP. I checked that the GUP has the latest defs, and in the SEPM it shows as a GUP. In the system logs on the client I see an error that states "Failed to connect to all GUPS, now trying to connect to SEPM". Any ideas how I can continue to troubleshoot this?

Also, how far back do the GUPs hold defs for? The only reason I ask is these new PCs we're installing, the virus defs in the image are back from September. Could they be connecting to the GUP and the GUP is saying your virus defs are too old, so go to the SEPM?

_Brian's picture

You can check this link on troubleshooting GUP communication:

http://www.symantec.com/docs/TECH104539

 

Yes, it will need to grab the full update. It depends on how many revisions you configured the GUP to hold.

bsjj27's picture

Where do I specify how many revisions the GUP can hold? I only see GUP options in the policy; the options are port, max disk cache, delete content updates if unused, max number of simultaneous downloads to clients, and max bandwidth.

_Brian's picture

Delete content updates if unused

Set it any number of days you want.

Mon-Fri there are typically 3 revisions per day so 5 days, 3 revisions = 15 total revisions

Sat-Sun is 1 revision per day so 2 total revisions for these days and 17 overall over the course of 7 days.

bsjj27's picture

If these images haven't been updated in 40 weeks, would I need to set this to 600? 40 weeks x 15 total revisions.

_Brian's picture

Yea but you would first need to set the SEPM to hold that many updates. I can't even imagine how many GBs of data this would consume on your hard drive.

bsjj27's picture

I was thinking the same thing. So either way, even if my GUPs are functioning properly, these clients are going to have to connect back to the manager for updates the first time because the manager won't hold updates that far back?

_Brian's picture

For the setting "Max time that clients try to download updates from a GUP before trying the default management server", set it to Never.

bsjj27's picture

That's part of the issue. I do have that set to never but still have a lot of the clients connecting back to the management server for updates. When I originally set it up I had it set to two hours and my network links were getting killed with clients coming back to the manager, so I set it to never. The traffic definitely decreased, but I still have a lot coming back to the manager. I'm trying to turn on Sylink debugging now to hopefully see more info.

_Brian's picture

Sylink debugging will show the communication so let that run for awhile.

You can also do a wireshark trace.

bsjj27's picture

Is there a way that I can force the client to attempt to connect to the GUP, so I can force traffic and don't need to wait? Update policy now will only force a connection to the SEPM, won't it?

_Brian's picture

Correct. There is no way to force a check-in with the GUP.

bsjj27's picture

OK, I'll run a Wireshark trace for TCP port 2967. Also, while I've got you, I don't know if you can help me here, but I installed the Content Dist Monitor, GUP health monitor. Very cool tool so far, but I notice the "Virus/Spyware content downloads today from SEPM" doesn't appear to be working. It shows 0 for everything when I know that's wrong. Ever seen that before?

_Brian's picture

When was the last time it was refreshed? I believe the default is an hour?

adutchman's picture

We have 35,000+ clients in our environment, two management servers, and about 400 GUPs. The system works great and keeps bandwidth usage to a minimum. Not sure if how we did it is the best way, but it works for our environment.

We have a Location created for each physical site with a matching LiveUpdate policy.  For sites that don't have a local GUP, the clients get the default location and get their updates from a GUP in our data center.

Each LiveUpdate policy is configured the same and is using the option for Single Group Update Provider IP address or host name.  Maximum time that clients try to download updates from a GUP before trying the default management server is set to NEVER.

The GUP settings for each one follows:

Default port: 2967
Maximum disk cache size allowed for downloading updates (MB): 4,000
Delete content updates if unused (days): 30 * that is the maximum value.
Maximum number of simultaneous downloads to clients: 30
Maximum bandwidth allowed for Group Update Provider downloads from the management server: 192 Kbps

See my next post for some troubleshooting tips.

bsjj27's picture

I've had it up for about 6 hours now and it refreshes every 10 minutes.

Also seeing this in the status, don't know if it's related:

07/11/2013 14:38:47 There are no access-2013-07-11.log / error-2013-07-11.log files in the folder E:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\logs

adutchman's picture

You will have to modify the config file for the apache server to enable logging.

Steps to enable Apache Logs on each SEPM server:

  1. Access SEP_INSTALL\apache\conf folder and take backup of httpd.conf file
  2. In httpd.conf file, enable access and error logging. Also set LogLevel to info.

    Error log: Uncomment #ErrorLog "|| bin/rotatelogs.exe logs/error-%Z.log 100M", change log file name format and log rotation to 24 hours. Modified line should be ErrorLog "|| bin/rotatelogs.exe logs/error-%Y-%m-%d.log 86400"

    Access log: Uncomment #CustomLog "|| bin/rotatelogs.exe logs/access-%Z.log 100M" combined, change log file name format and log rotation to 24 hours. Modified line should be CustomLog "|| bin/rotatelogs.exe logs/access-%Y-%m-%d.log 86400" combined

    LogLevel: Change LogLevel from warn to info. Modified line should be LogLevel info

  3. Restart the Apache (net stop semwebsrv and net start semsrv)

Note: Apache doesn't purge the old logs. Admin needs to delete the old logs on each server (Can come up with a script to delete).

0
Login to vote
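
The note above leaves log clean-up to the admin. One way to script it, as an added example that is not part of the original post or of Symantec's tool: select only files that match the `access-%Y-%m-%d.log` / `error-%Y-%m-%d.log` names from step 2 and whose date in the name is older than a retention window. The function name, the `-KeepDays` default and the report-only default are assumptions of this example.

```powershell
param(
    # Assumption: path to SEP_INSTALL\apache\logs. Left empty, the script only
    # evaluates the constructed sample names below and touches no files.
    [string]$LogDir = '',
    [int]$KeepDays = 30,     # retention window in days (assumed value)
    [switch]$Delete          # without -Delete nothing is removed, only listed
)

# Hypothetical helper: returns the names that are rotated Apache logs
# dated before (Today - KeepDays). Anything else in the folder is ignored.
function Get-ExpiredApacheLog {
    param([string[]]$Name, [datetime]$Today, [int]$KeepDays)
    $cutoff = $Today.Date.AddDays(-$KeepDays)
    foreach ($n in $Name) {
        # Only names produced by the rotatelogs pattern from the post qualify.
        if ($n -match '^(access|error)-(\d{4}-\d{2}-\d{2})\.log$') {
            $stamp = [datetime]::MinValue
            # Reject impossible dates instead of guessing at them.
            $ok = [datetime]::TryParseExact($Matches[2], 'yyyy-MM-dd',
                [Globalization.CultureInfo]::InvariantCulture,
                [Globalization.DateTimeStyles]::None, [ref]$stamp)
            if ($ok -and $stamp -lt $cutoff) { $n }
        }
    }
}

if (-not $LogDir) {
    # Constructed sample: a folder listing as it might look on 2013-07-11.
    # It includes today's log, an impossible date and unrelated files.
    $sample = 'access-2013-05-01.log', 'error-2013-05-01.log',
              'access-2013-07-11.log', 'access-2013-02-30.log',
              'error-latest.log', 'scm-server-0.log'
    Get-ExpiredApacheLog -Name $sample -Today ([datetime]'2013-07-11') -KeepDays 30
    return
}

# Real run: list files (not folders) and act on the expired ones.
$names = Get-ChildItem -LiteralPath $LogDir |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { $_.Name }

Get-ExpiredApacheLog -Name $names -Today (Get-Date) -KeepDays $KeepDays |
    ForEach-Object {
        $path = Join-Path $LogDir $_
        if ($Delete) {
            Remove-Item -LiteralPath $path -Force
            "Deleted $path"
        } else {
            "Would delete $path"
        }
    }
```

Because selection is by the date in the file name, the log that rotatelogs currently has open is never a candidate. Run it once without `-Delete` to review the list before scheduling it.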
adutchman's picture

Some client to GUP troubleshooting tips:

1st verify that your client can communicate with the GUP.  From the workstation, open your browser and enter the following URL:

http://GUP_IP_ADDRESS:2967/content/ContentInfo.txt

Note that you should use the IP address of the local GUP and the port number you configured in the LiveUpdate policy.

Here is a link to a Symantec KB Article that has instructions on how to confirm if SEP Clients are receiving LiveUpdate content from Group Update Providers.  This involves Sylink debugging.

http://www.symantec.com/docs/TECH97190

Also, you can't force communications with a GUP directly, but you can force the client's heartbeat session with the management server, which in turn should trigger communications with the GUP.

Either open a command window and run SMC.exe -updateconfig or launch the client, click on Help at the top right and choose "Troubleshooting" and click on the Update button under Policy Profile.

 

0
Login to vote
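
The first check in the post above (the same URL, opened from a browser), as an added example that is not part of the original post or of Symantec's tool: it runs the TCP test and the `ContentInfo.txt` request against a list of GUPs and reports which step fails for each. The addresses are constructed placeholders; the function name, timeout and output columns are assumptions of this example.

```powershell
param(
    # Constructed placeholder addresses (TEST-NET-1); replace with your GUPs.
    [string[]]$Gup = @('192.0.2.10', '192.0.2.11'),
    [int]$Port = 2967,        # GUP port configured in the LiveUpdate policy
    [int]$TimeoutMs = 3000    # assumed timeout per step
)

# Hypothetical helper: one result object per GUP.
function Test-GupContent {
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $r = New-Object PSObject -Property @{
        Gup = $Address; PortOpen = $false; HttpStatus = $null
        BodyLength = 0; Detail = ''
    }

    # Step 1: plain TCP connect, the scripted form of "telnet <gup> 2967",
    # with a bounded wait so an unreachable site does not stall the run.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $tcp.BeginConnect($Address, $Port, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $tcp.Connected) {
            $tcp.EndConnect($pending)
            $r.PortOpen = $true
        } else {
            $r.Detail = 'TCP connect failed or timed out'
        }
    } catch {
        $r.Detail = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    if (-not $r.PortOpen) { return $r }

    # Step 2: request the URL from the post over HTTP.
    try {
        $url = "http://${Address}:$Port/content/ContentInfo.txt"
        $req = [System.Net.WebRequest]::Create($url)
        $req.Timeout = $TimeoutMs
        $req.Proxy = $null    # talk to the GUP directly, not through a proxy
        $resp = $req.GetResponse()
        try {
            $r.HttpStatus = [int]$resp.StatusCode
            $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
            $r.BodyLength = $reader.ReadToEnd().Length
        } finally {
            $resp.Close()
        }
    } catch {
        # Port open but the request failed (HTTP error, reset, timeout).
        $r.Detail = $_.Exception.Message
    }
    return $r
}

$Gup | ForEach-Object { Test-GupContent -Address $_ -Port $Port -TimeoutMs $TimeoutMs } |
    Select-Object Gup, PortOpen, HttpStatus, BodyLength, Detail
```

Run it from a workstation at the affected site rather than from the SEPM, since the point is to test the path the client uses. A row with `PortOpen` true but no `HttpStatus` separates a listening port from a GUP that is actually serving the file.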
bsjj27's picture

Adutchman

I was able to hit this successfully http://GUP_IP_ADDRESS:2967/content/ContentInfo.txt

I'm running wireshark on a client with this filter tcp.dstport==2967

I've restarted the services and forced a policy update, haven't seen any activity on that port yet. 

I edited my conf file and am seeing no errors now, but it's still showing that no one has updated content from SEPM, which is strange.

 

adutchman's picture

Here is a link to a Symantec KB article that is dedicated to Sylink debugging...

http://www.symantec.com/docs/TECH102412

Read this KB article and the link I posted before and it should help you figure out what's going on.  Sylink Debugging is going to be your best chance of figuring out what's going on.

bsjj27's picture

Thanks, I'll try this and see what I can find. I just have to be able to jump on a PC at the right time and have it running while it's trying to update. It would be a lot easier if I could force it to update.

bsjj27's picture

Has anyone seen their CPU spike and stay at 100% when running the GUP monitor tool? I like to keep it running all day long to monitor my GUPs, but it's killing the CPU on my SEPM.

adutchman's picture

My CPU spiked at 40% while the GUP monitor tool was starting up. With the tool up and running, the CPU is fluctuating between 3% and 8%. It occasionally spikes to around 30% but only briefly.

ScottM 2's picture

Has anyone tried using this to monitor logs on more than one SEPM at the same time?

I do hope this is built into the SEPM at some point, I'd like the extra visibility on what my clients are doing.

dimago's picture

Hello all..

 

Can anyone help me with the error below? I'm running 12.1.3

 

error when lock the file...

 

I notice that I can't edit a file and save it, like SepMonitor.bat... I need to save it in another location and afterwards copy it to the Tools folder, and Windows asks me about privileges, so I confirm and it's done.

But I'm local and domain admin... I took ownership of drive D:

 

I think that it is my problem... any idea how to resolve it?

 

java.io.IOException: Couldn't get lock for D:\Symantec Endpoint Protection Manager\Tools\..\tomcat\logs\scm-server-%g.log
        at java.util.logging.FileHandler.openFiles(FileHandler.java:389)
        at java.util.logging.FileHandler.<init>(FileHandler.java:323)
        at com.sygate.scm.server.util.ServerLogger.<clinit>(ServerLogger.java:125)
        at com.sygate.scm.tools.monitor.SepmMonitor.initLogger(SepmMonitor.java:415)
        at com.sygate.scm.tools.monitor.SepmMonitor.main(SepmMonitor.java:318)
Exception in thread "main" com.sygate.scm.server.util.ScmServerError: java.io.IOException: Couldn't get lock for D:\Symantec Endpoint Protection Manager\Tools\..\tomcat\logs\scm-server-%g.log
        at com.sygate.scm.server.util.ServerLogger.<clinit>(ServerLogger.java:170)
        at com.sygate.scm.tools.monitor.SepmMonitor.initLogger(SepmMonitor.java:415)
        at com.sygate.scm.tools.monitor.SepmMonitor.main(SepmMonitor.java:318)
Caused by: java.io.IOException: Couldn't get lock for D:\Symantec Endpoint Protection Manager\Tools\..\tomcat\logs\scm-server-%g.log
        at java.util.logging.FileHandler.openFiles(FileHandler.java:389)
        at java.util.logging.FileHandler.<init>(FileHandler.java:323)
        at com.sygate.scm.server.util.ServerLogger.<clinit>(ServerLogger.java:125)
        ... 2 more
Press any key to continue . . .

 

 

Thanks anyway

adutchman's picture

I had the same problem after I upgraded my management servers from SEP 12.1 RU1 to SEP 12.1 RU3. 

I ended up making a backup copy of the entire log folder. Then I deleted the files listed that could not get locked.

Why is it that anytime someone can't access a file they try to take ownership of an entire drive?

 

dimago's picture

It was a problem with file and folder security!

 

solved. Thanks

LucianoPS's picture

dimago, I have the same problem with 12.1.3.

How did you solve this problem?

Luciano

MaRRuT@CC's picture

@Graham:

Any chance to see this tool or tool functionality included in further releases of SEP?

TallTomD's picture

Just installed the tool and after some configuration effort I got it working.

 

However, every time I launch the tool I get this error:

GUPMonitorError_0.GIF

 

As you can see there are no spaces in my path name.  I just hit Yes and it seems to work OK.

 

Also, I was wondering about the files included in the tool for 12.1.  There are no instructions on how to use them.  Can somebody explain how to use the files in the tool for 12.1?

 

Thanks,

Tom

MaRRuT@CC's picture

Any chance to have this tool added to SEPM soon? The tool seems to be dead, no updates for years now...

ThaveshinP's picture

Guess only be included (hopefully) in SEP 13.

Brent.Noble's picture

Managed to get this working recently with 12.1.3 after some messing around.

As mentioned, extract the files to the tools folder, then follow these steps:

Steps to enable Apache Logs on each SEPM server:

  1. Access SEP_INSTALL\apache\conf folder and take backup of httpd.conf file
  2. In httpd.conf file, enable access and error logging. Also set LogLevel to info.

    Error log: Uncomment #ErrorLog "|| bin/rotatelogs.exe logs/error-%Z.log 100M", change log file name format and log rotation to 24 hours.
    Modified line should be ErrorLog "|| bin/rotatelogs.exe logs/error-%Y-%m-%d.log 86400"

    Access log: Uncomment #CustomLog "|| bin/rotatelogs.exe logs/access-%Z.log 100M" combined, change log file name format and log rotation to 24 hours.
    Modified line should be CustomLog "|| bin/rotatelogs.exe logs/access-%Y-%m-%d.log 86400" combined

    LogLevel: Change LogLevel from warn to info.
    Modified line should be LogLevel info

  3. Restart the Apache (net stop semwebsrv and net start semsrv)

To get it working on a Server 2008 R2 server with UAC enabled I had to create a new environment variable and modify SepmMonitorTool.bat to use my environment variable instead of %CD%.

Works fine now.

Brent

ThaveshinP's picture

Has anyone managed to get it working on SEP 12 RU4 ? 

novice_sep's picture

Yes, it's working on RU4. We are using it.

ThaveshinP's picture

What are the installation steps please? What do I need to do to get this working. I have the beta_v3 folder with the 3 files inside it....

_Brian's picture

Add the 3 files to the Tools directory under the SEPM folder and run the .bat file to open the GUP monitor.

ThaveshinP's picture

Copied the files and ran the .bat file as administrator - nothing happens -??? 

_Brian's picture

Did you turn off enhanced security in IE?

ThaveshinP's picture

Got it to work eventually.

Jeshrel Cyril's picture

Hi,

 

Is there a new version of SEPM Content Dist Monitor for 12.1? If so, how and where do I download it from?

 

GeoGeo's picture

UPDATED: New version now available that is compatible with SEP 12.1

After hearing customers mention they could benefit from increased visibility over the Group Update Providers that are active in their environment, as they are a critical part of their content infrastructure, the Symantec SEP product team have created a small utility to help customers address this need.

It's a very lightweight utility that must be run directly on a SEPM machine and will provide customers with a quick-glance dashboard.

Warning: This is not an officially supported tool, so use is at your own risk. That said, it is reading from the various data sources it accesses, not writing to them, so use of the tool is typically low risk, and customers that have used it so far have reported no negative side-effects.
Best Regards,
GrahamA.
 
Product Management
Symantec Corporation

 

Please review ideas and vote there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas

 

adutchman's picture

Wow, I subscribe to this thread and I just received an e-mail that led me to believe that there was an update to the SEP Content Distribution Monitor for SEP 12.1.

To my chagrin, I discovered that GeoGeo just reposted the original post published by the tool's author, GrahamA.

What a let down!

 

GeoGeo's picture

Well I'm using that current version on SEPM 12.1 RU4a and it's working fine. What update are you looking for? it's a 3rd party unsupported tool. 

adutchman's picture

I am using that version as well, however there seems to be a bug when reading the access logs to calculate the amount of content data transferred from the SEPM.

I posted this on Jul 03, 2012 here ...

https://www-secure.symantec.com/connect/downloads/...

I was hoping that the issue was addressed with an update.

I did come up with a work around but it's a pain.  I created a folder to store the access logs in and manually copy them to it.  Then I pointed the tool to that folder.

 

 

 

 

 

+1
Jeshrel Cyril's picture

Thank you for your answers,

 

Can we integrate multiple SEPMs on one GUP like the SEP content distribution monitor for SEP 11.0.x?

 
