How do I enable ability to clear NTP logs from client?

Created: 23 Aug 2013 • Updated: 26 Aug 2013 | 6 comments
This issue has been solved. See solution.

I need to work through false positives (blocked) in the NTP (traffic) log on managed SEP12.1.3 clients. How do I enable the ability to clear NTP logs from the client through policy in SEPM? Also, can I manually delete the Tralog from clients, and should I stop SMC first?

Thanks in advance, this forum rocks!


ᗺrian's picture

I believe you need to set the client to user mode. Yep, try stopping smc first.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

To help control hard disk space, you can decrease the number of log entries that the database keeps. You can also configure the number of days the entries are kept.

Log information on the Symantec Endpoint Protection Manager console Logs tab on the Monitors page is presented in logical groups for you to view. The log names on the Site Properties Log Settings tab correspond to log content rather than to log types on the Monitors page Logs tab.

To specify how long to keep log entries in the database

  1. In the console, click Admin.

  2. Under Servers, expand Local Site, and click the database.

  3. Under Tasks, click Edit Database Properties.

  4. On the Log Settings tab, set the number of entries and number of days to keep log entries for each type of log.

  5. Click OK.

To clear log data from the database manually

  1. To prevent an automatic sweep of the database until after a backup occurs, increase a site's log sizes to their maximums.

  2. Perform the backup, as appropriate.

  3. On the computer where the manager is installed, open a Web browser and type the following URL:

    https://localhost:8443/servlet/ConsoleServlet?ActionType=ConfigServer&action=SweepLogs

    After you have performed this task, the log entries for all types of logs are saved in the alternate database table. The original table is kept until the next sweep is initiated.

  4. To empty all but the most current entries, perform a second sweep. The original table is cleared and entries then start to be stored there again.

  5. Return the settings on the Log Settings tab of the Site Properties dialog box to your preferred settings.

Check these Articles:

http://www.symantec.com/docs/HOWTO81197

http://www.symantec.com/docs/HOWTO81198

http://www.symantec.com/docs/HOWTO81208

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade's picture

Hello,

Thank you for posting in Symantec community.

I would be glad to answer your query.

Change the log settings in the SEPM.

Navigate to the following location: SEPM --> Admin --> Servers --> Select 'Local database' --> Right-click and click on Edit database properties --> Go to the 'log settings'

Screenshot is attached to the reference.

You can change the settings to 1 day to wipe out old logs immediately.

Risk log setting in SEPM_1.png

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

greg12's picture

As Brian says, you have to switch the client to client mode:

SEPM  > Clients > [Group] > Policies > Location-specific settings >
Client User Interface Control settings > Client Control

Then you can delete the NTP log on the client:

Client GUI > Status > Network Threat Protection > Options/Change settings > Logs >
Clear Traffic Log File

Don't forget to switch back to Server Control.

It's not necessary to stop smc.exe.

SOLUTION
ᗺrian's picture

In testing, I'm unable to delete tralog.log, even if I stop smc.

Either way, setting to client mode will allow you to clear the log from the client.

idaman22's picture

Hi Brian,

I found that with the service stopped, one can rename tralog.log to .old. Once the service starts, a new Tralog.log is created.