
Need Info on Definition Files

Created: 26 Jul 2012 | 5 comments

When pulling an exported log file from a SEP 11.0.5 client (yes, I know I should upgrade) I see the following:

Definition File Loaded,[Machine Name],SYSTEM,System,New virus definition file loaded. Version: 140721e.,7/21/2012 9:49:13 PM
Definition File Loaded,[Machine Name],SYSTEM,System,New virus definition file loaded. Version: 140722f.,7/23/2012 3:36:58 AM
Definition File Loaded,[Machine Name],SYSTEM,System,New virus definition file loaded. Version: 140723b.,7/23/2012 9:38:57 AM
Definition File Loaded,[Machine Name],SYSTEM,System,New virus definition file loaded. Version: 140723r.,7/23/2012 6:39:08 PM
Definition File Loaded,[Machine Name],SYSTEM,System,New virus definition file loaded. Version: 140723ah.,7/24/2012 3:36:15 AM
Definition File Loaded,[Machine Name],[UserLogonID],System,New virus definition file loaded. Version: 140724b.,7/24/2012 9:41:20 AM
 
Can anyone confirm that these are updates pulling directly from LiveUpdate.com and not my SEPM?  My client log files show nothing about the origination of the update files.  My client-server activity monitor shows nothing for the machines in question.  However, the last check-in with SEPM is today.
 
Also, where can I find the file size of these updates?  I can only see the most current on http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=savce
 
Need to know if we are loading full or deltas.  (Already have the distribution monitor tool, just not loaded yet.)

5 Comments

.Brian

I don't believe it will tell you where the update came from in the 11.x logs. You would need to run the sylink monitor and review those logs.

In 12.1, it will give you a better idea of where the update came from in the log:

Example from 12.1 log

7/26/2012 8:41:47 AM    Information    Downloaded new content update from the management server successfully.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ajit Jha

Run the Sylink Monitor Tool and check the connection; if it is reflecting SEPM then it's fine, if not then we need to troubleshoot it.

Regards

Ajit Jha

Technical Consultant

ASC & STS

pete_4u2002

Sylink monitor log and client log. LiveUpdate should help to know the source of distribution.

Olivier_C

Another way should be on the server side.

You can activate IIS logging as described in the distribution monitor tool:

>> STEP 2 : ENABLE IIS LOGGING <<

Ensure IIS logging is enabled for the SEPM website. Steps for Windows 2003 are detailed below:

Note: Steps for Windows 2008 will vary slightly, see http://technet.microsoft.com/en-us/library/cc732079(WS.10).aspx

1. Right-click on the website, select Properties
2. Select the 'Website' tab and ensure Logging is enabled
3. Click Properties and change the log path to a more friendly one for your needs
4. Click Advanced, ensure ONLY the following logging options are enabled:
   Date, Time, Client IP Address, URI Stem, Protocol Status and Bytes Sent
5. Click Apply and OK to return to the main Symc Web Server Properties dialog
6. Click the 'Home Directory' tab and ensure 'Log Visits' is selected.
7. Click OK to close the Symc Web Server Properties dialog
8. Expand the Symc Web Server so you can see the virt directories
9. Right-click on 'content', click Properties and ensure Log Visits is checked, click OK
10. Check all the other virt directories in the same way but ensure Log Visits is UNCHECKED
11. Close IIS Manager
12. Browse via Windows Explorer to directory you specified to store your IIS logs
13. Open IE and enter the URL, http://localhost:<sepmport>/content/ContentInfo.txt and verify the ContentInfo page is returned as expected
14. Check in the IIS logs directory again and verify a log was created and has the appropriate line item to record the content download request.

Then after a few hours, check this log for any entry of your client IP address. You will find here whether the clients update themselves with SEPM definition files or not.

Olivier.

~~~~~~~~~~~~

Olivier
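As an added example (not from any post in this thread, and not Symantec's own tooling), the following Python parses the two sources discussed above: the "Definition File Loaded" rows of the exported SEP client log quoted in the question, and a W3C-format IIS log restricted to the six fields kept in step 4 of the procedure. It lists which client IPs actually fetched content from the SEPM, the bytes sent per request (the file-size question), and flags a host that loaded a definition older than one it already had, which is a hint that it is taking content from more than one source. The sample log lines are constructed; the content paths other than ContentInfo.txt, the full/delta naming heuristic, and the rule that definition revisions sort a..z then aa..az are assumptions, not documented SEPM behaviour.

```python
import csv
import re
from datetime import datetime
from io import StringIO

# Constructed sample in the shape of the SEP 11.x client log export quoted in
# the question (host name, logon id and times are made up).
SEP_LOG = """\
Definition File Loaded,HOST01,SYSTEM,System,New virus definition file loaded. Version: 140721e.,7/21/2012 9:49:13 PM
Definition File Loaded,HOST01,SYSTEM,System,New virus definition file loaded. Version: 140723r.,7/23/2012 6:39:08 PM
Definition File Loaded,HOST01,SYSTEM,System,New virus definition file loaded. Version: 140723ah.,7/24/2012 3:36:15 AM
Definition File Loaded,HOST01,jdoe,System,New virus definition file loaded. Version: 140724b.,7/24/2012 9:41:20 AM
"""

# Constructed sample of a W3C-format IIS log limited to the six fields from
# step 4 (date, time, client IP, URI stem, status, bytes sent).  Paths below
# /content/ other than ContentInfo.txt are invented, not real SEPM layout.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-uri-stem sc-status sc-bytes
2012-07-23 18:38:55 10.1.2.30 /content/ContentInfo.txt 200 2310
2012-07-23 18:39:01 10.1.2.30 /content/EXAMPLE-MONIKER/140723r/delta.dax 200 1248577
2012-07-24 03:36:02 10.1.2.31 /content/EXAMPLE-MONIKER/140723ah/full.zip 200 98765432
2012-07-24 03:36:09 10.1.2.40 /secars/secars.dll 200 512
"""

VERSION_RE = re.compile(r"Version: (\d+)([a-z]+)\.")


def version_key(version):
    """Sort key for versions like 140723ah.  Assumption: the digits are a
    sequence number and the letters a revision counter a..z, aa..az, ...,
    so a longer letter suffix sorts after any shorter one."""
    m = re.fullmatch(r"(\d+)([a-z]+)", version)
    if not m:
        raise ValueError("unrecognised definition version: %r" % version)
    digits, rev = m.groups()
    return (int(digits), len(rev), rev)


def parse_sep_log(text):
    """Return the 'Definition File Loaded' rows as dicts; other events skipped."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 6 or row[0] != "Definition File Loaded":
            continue
        m = VERSION_RE.search(row[4])
        if not m:
            continue
        events.append({
            "host": row[1],
            "user": row[2],
            "version": m.group(1) + m.group(2),
            "loaded_at": datetime.strptime(row[5].strip(), "%m/%d/%Y %I:%M:%S %p"),
        })
    return events


def out_of_order_loads(events):
    """(host, version, newer version already present) for every load that
    went backwards in version order; empty when the sequence is clean."""
    flagged, newest = [], {}
    for e in sorted(events, key=lambda e: e["loaded_at"]):
        key = version_key(e["version"])
        if e["host"] in newest and key < newest[e["host"]][0]:
            flagged.append((e["host"], e["version"], newest[e["host"]][1]))
        else:
            newest[e["host"]] = (key, e["version"])
    return flagged


def parse_w3c_log(text):
    """Parse a W3C extended log.  Columns come from the #Fields directive,
    so this works for any field selection, not only the six used here."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-map columns
        records.append(dict(zip(fields, values)))
    return records


def sepm_content_downloads(records):
    """Successful requests under /content/ with bytes sent and a kind guess."""
    out = []
    for r in records:
        uri = r.get("cs-uri-stem", "")
        if not uri.startswith("/content/") or r.get("sc-status") != "200":
            continue
        name = uri.rsplit("/", 1)[-1].lower()
        if name == "contentinfo.txt":
            kind = "catalog"
        elif "full" in name:
            kind = "full"    # naming heuristic, assumed
        elif "delta" in name:
            kind = "delta"   # naming heuristic, assumed
        else:
            kind = "unknown"
        out.append({"ip": r["c-ip"], "uri": uri, "bytes": int(r["sc-bytes"]), "kind": kind})
    return out


def clients_served_by_sepm(records):
    """Client IPs that pulled at least one content package from the SEPM."""
    return {d["ip"] for d in sepm_content_downloads(records) if d["kind"] != "catalog"}


if __name__ == "__main__":
    for e in parse_sep_log(SEP_LOG):
        print(e["host"], e["version"], e["loaded_at"])
    print("out of order:", out_of_order_loads(parse_sep_log(SEP_LOG)))
    for d in sepm_content_downloads(parse_w3c_log(IIS_LOG)):
        print(d["ip"], d["kind"], d["bytes"], d["uri"])
    print("served by SEPM:", sorted(clients_served_by_sepm(parse_w3c_log(IIS_LOG))))
```

A client IP that appears in the SEP client log with new definitions but never in the IIS /content/ entries is the case the question asks about: it took its content from somewhere other than the SEPM, such as LiveUpdate. Keep the IIS log restricted to the content virtual directory as step 10 says, otherwise secars heartbeat traffic swamps the file.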

Mick2009

Followers of this thread may wish to cast a vote in favor of this proposed enhancement request:

Enhance the Client-Server Activity Reports in the SEPM
https://www-secure.symantec.com/connect/ideas/enhance-client-server-activity-reports-sepm

With thanks and best regards,

Mick