
Client Server Communication logs

Created: 08 Jul 2013 | 16 comments
SameerU:

Please help me in pulling the following logs from the Symantec server:

1. When the Symantec service was disabled/enabled from the client, and the client-server communication logs – past 3 months
2. The user who disabled the service


Regards

16 Comments

Rafeeq:

Monitors -> Logs -> System -> Client Activity.

It will not tell you who disabled the service.

this link should help you

http://www.symantec.com/business/support/index?page=content&id=TECH95546


Client Activity log: Among other things, you can use this log to monitor the following client-related activities:
  • Which clients have been blocked from accessing the network
  • Which clients need to be restarted
  • Which clients had successful or unsuccessful installations
  • Which clients had service initiation and termination problems
  • Which clients had rules import problems
  • Which clients had problems downloading policies
  • Which clients had failed connections to the server

SameerU:

Hi Rafeeq

Thanks for the reply

Just one more clarification.

We had an audit done and found one user who was using the device after stopping the Symantec service.

The client log retention in SEPM is a maximum of 512 entries in the policies, and the number of days is 14.

My query is: when I export the logs for a particular client for the past 3 months, it only gives the logs for the past two days.

Heartbeat Interval is 15 minutes

Please let me know.

Regards

Rafeeq:

Had a similar issue earlier too. Not sure how you can disable AD policy by stopping the services.

Tamper Protection is configured, and he won't be able to change any registry keys.

If the client was talking to SEPM it should have forwarded the logs. I think he stopped the smc.exe service, so it stopped taking policy/updates and forwarding logs to SEPM.

pete_4u2002:

Do you mean that on SEPM it only shows the last 2 days of logs, when you expect at least the last 14 days?

pete_4u2002:

Can you increase the threshold value of the client log settings in SEPM and check whether you can fetch information for additional days?

SameerU:

Hi Pete

Can you elaborate on what threshold settings need to be made?

Regards

pete_4u2002:

The logs are retained on SEPM; you can configure a threshold or a number of days. By default it is 10000 and 60 days. You can find this setting under SEPM console --> Admin --> Server --> Database, and edit the log settings there.

SameerU:

Hi

We already have the default settings, i.e. retention of logs for 60 days.

Regards

SameerU:

The threshold value is 10000.

Regards

pete_4u2002:

You can increase it to double the size, wait for a few days, and then try to pull the report.

SameerU:

Hi

Okay, I will change it accordingly and revert back.

Regards

Chetan Savade:

Hi,

Thank you for posting in the Symantec community.

To check who has disabled the service, you can refer to Event Viewer.

It's not possible with the help of Symantec Endpoint Protection Manager.

For SEPM tracking check this article:

Which administrator activities are logged in the Symantec Endpoint Protection Manager console?

http://www.symantec.com/docs/TECH141668

Verify the settings with the help of the management server.

A screenshot is attached for reference:

Log setting in SEP 12.1_0.JPG

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
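As an added example, not part of the thread or of Symantec's own tooling, the following PowerShell query shows one way to follow the Event Viewer suggestion above from the client itself: it pulls Service Control Manager events from the System log for the last 90 days (the period asked for in the question) and keeps those that mention the SEP client service. The service display name "Symantec Management Client" (the service behind the smc.exe mentioned earlier) and the event IDs 7036 (service entered the stopped/running state) and 7040 (service start type changed) are assumptions of this example; adjust the parameters if your build uses a different display name.

```powershell
# Added example (not from the thread): list Service Control Manager events that
# record the SEP client service stopping or having its start type changed.
# Assumption: the client service's display name is "Symantec Management Client".
param(
    [string]$DisplayName = 'Symantec Management Client',
    [int]$Days = 90
)

$since = (Get-Date).AddDays(-$Days)

# 7036 = service entered the running/stopped state
# 7040 = service start type changed (e.g. Automatic -> Disabled)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036, 7040
    StartTime    = $since
} -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Message -like "*$DisplayName*" } |
    ForEach-Object {
        # 7040 events carry the SID of the account that changed the start type;
        # 7036 events are written by the SCM itself and normally carry no user.
        $user = 'n/a'
        if ($_.UserId) {
            try   { $user = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $user = $_.UserId.Value }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            User    = $user
            Message = ($_.Message -split "`r?`n")[0]
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the client in question; the System log only goes back as far as its configured size allows, so if the 90-day window returns nothing older than a few days, the log has already wrapped and a SIEM or forwarded-event collector is the place to look instead.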

SameerU:

Hi

I have increased the threshold value to 100000, and it is under observation.

Regards