Endpoint Protection

  • 1.  Event Viewer like for SEPM

    Posted Jun 24, 2016 01:42 AM

    Hi, is there something like Event Viewer in SEPM where we can see the logs of an issue that has already occurred?

    e.g. scenario:

    We found out that the SEPM has a missing moniker (we already know that Symantec releases updates 3 times a day on weekdays and once a day on the weekend); there are two to three days with missing monikers that were supposed to have 3 updates.

    What we did was run luall.exe, but it was unsuccessful; then we downloaded the exact missing moniker (.jdb) and later uploaded it on SEPM, and the problem was resolved.

    We tried to collect SymDiag logs after the issue and reported it to Symantec support to analyze. Unfortunately, support was unable to see what had caused the issue of the missing moniker, since we had already uploaded it using the .jdb, and now they are saying that the issue has to REOCCUR for them to see the exact reason why we are encountering such an issue.

    Now the real concern here is how we can avoid this issue reoccurring if support is unable to see the real reason and give us a recommendation or suggestion on what to do.

    Is there a tool to help us take a look at what happened after we uploaded the .jdb and see what caused the moniker to be missed?

    Thank you




  • 2.  RE: Event Viewer like for SEPM
    Best Answer

    Posted Jun 24, 2016 01:57 AM

    Events are logged for SEPM as well as for SEP in the Event Viewer.

    Symantec Endpoint Protection Manager 12.1.x event log entries

    https://support.symantec.com/en_US/article.TECH196455.html


    SEP Events

    https://support.symantec.com/en_US/article.TECH186925.html

    As support mentioned, it's not possible to find the root cause now, as the logs would have been overwritten.

    In future, when it fails to import the defs into the DB, you should check these two logs:

    Log.liveupdate and SESMLu.log

    log.liveupdate is to see if SEPM was able to download; SESMLu.log is to see if it was able to process.

    If your DB is on SQL, then most of the time it would fail due to a space issue. Set the SEPM DB to unrestricted growth.

    If you are running an old version of SEPM, please upgrade to 12.1.6 MP4.



  • 3.  RE: Event Viewer like for SEPM

    Broadcom Employee
    Posted Jun 24, 2016 12:44 PM

    As Rafeeq said, the logs would have been overwritten. If the issue occurs again, collect the logs Log.liveupdate and SesmLu.log.

    Every time LiveUpdate runs, it outputs what it is doing to the Log.Liveupdate.

    The SesmLu.log contains data that is recorded when LiveUpdate runs on the SEPM for any reason. This side of the logging is for what happens internally after the content has been downloaded. To collect logs, navigate to C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tomcat\Logs\SesmLu.log. Typically, searching for the phrase “Failed to notify” or “error” will lead you to the best results.

    Collect the evidence and provide it to support for further analysis.
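The two-log triage described in the replies above (Log.liveupdate for the download stage, SesmLu.log for the processing stage, searched for “Failed to notify” / “error”), as an added example that is not part of the thread or of any Symantec tool. The sample log lines are constructed for illustration; the real SEPM log formats are not shown on this page, and only the SesmLu.log path is taken from the post.

```python
import os

# Path quoted in the post for SesmLu.log; Log.liveupdate's location is not given
# in the thread, so callers pass both paths explicitly.
SESMLU_LOG = r"C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tomcat\Logs\SesmLu.log"

# Phrases the post recommends searching for, matched case-insensitively.
INDICATORS = ("failed to notify", "error")


def scan_lines(lines):
    """Return (line_number, text) for every line containing an indicator phrase."""
    hits = []
    for number, line in enumerate(lines, start=1):
        lowered = line.lower()
        if any(phrase in lowered for phrase in INDICATORS):
            hits.append((number, line.rstrip()))
    return hits


def triage(liveupdate_lines, sesmlu_lines):
    """Locate the failing stage: 'download' (Log.liveupdate), 'processing'
    (SesmLu.log) or 'none', and return the matching lines for each log."""
    download_hits = scan_lines(liveupdate_lines)
    processing_hits = scan_lines(sesmlu_lines)
    if download_hits:
        stage = "download"
    elif processing_hits:
        stage = "processing"
    else:
        stage = "none"
    return {"stage": stage, "liveupdate": download_hits, "sesmlu": processing_hits}


def triage_files(liveupdate_path, sesmlu_path=SESMLU_LOG):
    """Run triage() over log files on disk; a missing file counts as empty."""
    def read(path):
        if not os.path.exists(path):
            return []
        with open(path, encoding="utf-8", errors="replace") as handle:
            return handle.readlines()
    return triage(read(liveupdate_path), read(sesmlu_path))


# Constructed sample lines (not real SEPM output) showing a content import that
# downloaded fine but failed during processing.
SAMPLE_LIVEUPDATE = [
    "2016-06-22 03:10:01 LiveUpdate session started",
    "2016-06-22 03:10:44 Downloaded 3 packages successfully",
]
SAMPLE_SESMLU = [
    "2016-06-22 03:11:02 Processing downloaded content",
    "2016-06-22 03:11:05 ERROR: insufficient disk space while importing definitions",
    "2016-06-22 03:11:06 Failed to notify clients of new content",
]
```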