Hi,
the sylink.log is a client side log, by enabling it, you can see if a specific client is asking or not for deltas.
According to your post, you want to find which clients are getting deltas and which clients are getting the full content hence the sylink.log from all clients is not the feasible solution for you.
IIS logging will record all clients' requests, in your case you need to log the visits only for the Content virtual folder. Once you have it, you may open it in Excel and filter what you need, count repeated events, etc. The difficult part is that you need to know what to look for (monikers, type of files, etc.), something not very easy to explain in a forum.
While analyzing the IIS logs in regards of the content files, you need to focus on two main things:
1) of those clients which are getting a specific type of content (example: content\{C60DC...}\120323001 which means 32 bit AV defs 23-03-2012 r001) only once, how many get the delta (.dax if I remember well) and how many the full.zip?
It is expected that most of the clients get the delta, there is no ideal ratio for everybody, if your specific network or link is overloaded by SEP traffic, you need to decrease the delta/full ratio. This ratio is controlled by the amount of content releases you keep stored in your SEPM.
Some releases of SEPM soffer of performance issues and cannot create the deltas even when expected. Upgrade SEPM and use GUPs is recommended.
2) are there clients which are repeating the same exact download over and over again? and always the full.zip even if not always for the same content release?
If yes, those clients should be locally analyzed for:
- corrupted definitions (SEP Support Tool checks for it)
- old SEP releases with known issues (sylink.log might help to find known errors)
- GUP with small cache that needs to download again the same content to serve different clients (debug.log shows if the GUP is using or not the cache)
- lack of disk space (<400 MB of free space)
- virus infection that damage the definitions (see risk logs).