Endpoint Protection


Enabling "Log files written to USB drives" in SEP client

John Santana


  • 1.  Enabling "Log files written to USB drives" in SEP client

    Posted Dec 17, 2013 04:50 AM

    Hi People,

    What is the impact when I select that option to be enabled?

    I wonder where the log file is kept? Is it in the SEPM server, the SYSLOG server of our choice, or the SEP client?



  • 2.  RE: Enabling "Log files written to USB drives" in SEP client
    Best Answer

    Posted Dec 17, 2013 04:54 AM


  • 3.  RE: Enabling "Log files written to USB drives" in SEP client

    Broadcom Employee
    Posted Dec 17, 2013 05:18 AM

    The number of events are going to be filled. The log retention settings have to be enabled. If this is not going to be monitored, disable the logging.

    And the names of the files are not important, right?

     



  • 4.  RE: Enabling "Log files written to USB drives" in SEP client

    Posted Dec 17, 2013 05:45 AM

    These events will be in the control log

    How many devices are you doing this for?



  • 5.  RE: Enabling "Log files written to USB drives" in SEP client

    Posted Dec 17, 2013 07:41 AM

    The client will have the log; this log will be forwarded to SEPM, and SEPM will forward it to Syslog.



  • 6.  RE: Enabling "Log files written to USB drives" in SEP client

    Broadcom Employee
    Posted Dec 17, 2013 10:32 AM

    Hi John,

    Thank you for posting in Symantec community.

    Under Application & device control policy you can select the option for "Log files written to USB drives."

    The logs can be viewed under:

    Logs can be viewed in SEP client console under View Logs menu > Client Management > Control Log...
    Logs can be viewed in SEP Manager under Monitors menu > Logs tab - Log Type: Application and Device Control, Log Content: Application Control - Select View Log

    Reference: http://www.symantec.com/connect/forums/how-see-written-activity-usb-drive



  • 7.  RE: Enabling "Log files written to USB drives" in SEP client

    Posted Dec 17, 2013 09:13 PM

    Brian,

    In the office, we've got 300 workstations.

    Is this going to affect the SEPM C:\ drive, or will it be pushed to the External Syslog server that I have already configured in the External Logging option?



  • 8.  RE: Enabling "Log files written to USB drives" in SEP client
    Best Answer

    Posted Dec 17, 2013 09:17 PM

    In addition to going to syslog, it will stay on the SEPM based on the number of days you configured the SEPM to keep logs



  • 9.  RE: Enabling "Log files written to USB drives" in SEP client

    Posted Feb 12, 2014 11:17 PM

    Cool, thanks People!



  • 10.  RE: Enabling "Log files written to USB drives" in SEP client

    Posted Feb 14, 2014 07:53 AM

    Not trying to hijack this thread, but a question on this:

    Where exactly may I set the days that SEPM keeps the logs of Application & Device Control?
    In practice, I want to know the files users have copied and devices that have been disabled.

    In the SQL-Settings I have various possibilities as I see and have set up ("Management Server Log Settings", "Client Log Settings", "Risk Log Settings"). But none of these settings seems to correlate with the effective logged data I get presented after checking the logs.

    Am I missing something there?



  • 11.  RE: Enabling "Log files written to USB drives" in SEP client

    Posted Feb 14, 2014 07:48 PM

    It's alright, sharing the knowledge here is good :-)



  • 12.  RE: Enabling "Log files written to USB drives" in SEP client

    Posted Feb 14, 2014 08:10 PM

    In the SEPM, go to Admin >> Servers and select your DB and select Edit Database Properties

    On the Log Settings tab is where you can configure this. The Control Log Limit is the one.



  • 13.  RE: Enabling "Log files written to USB drives" in SEP client

    Posted Feb 15, 2014 07:29 AM

    Thanks for the replies!
    I will check this on Monday :)

    Have a nice weekend guys



  • 14.  RE: Enabling "Log files written to USB drives" in SEP client

    Posted Feb 17, 2014 04:42 AM

    Alright then, reply to this one.

    In my current setup, I got the following settings: (image: pic74.jpg)
    To my understanding, the "Control Log Limit" should then define the days / count of entries in the database.

    Still somewhat confusing to me is the fact that "60 days" is configured, but I seem to be able to access data back from 6 months (Application & Device Logs). So is this really defined by "Control Log Limit"?
    Nevertheless, I need at least 365 days of history.