Not all SEP firewall logs sent to SEPM
Created: 31 Jan 2013 | Updated: 07 Feb 2013 | 10 comments
This issue has been solved. See solution.
So I have this issue going on that the SEP clients are online and communicating with the SEPM server. However, if I look at the Network Threat Protection, Traffic Logs on the SEP client it contains all the logs that I want but ~75% of them don't make it back to the SEPM server. This is happening on the majority of 8000 SEP clients.
Any ideas?

Is it possible they are being overwritten? You have 10240KB as the max size, which could fill up pretty quickly and be overwritten.
Or are you saying they're not making it at all?
Do you have multiple groups with different policies? Is inheritance turned off for some?
SEP Knowledge Base
Endpoint SWAT
Possibly but I'd think the logs I'm expecting would be overwritten locally too. We do have multiple groups like 500 of them which all have unique policies without inheritance but the client log settings policy are all the same for them.
What's the version?
SEP Knowledge Base
Endpoint SWAT
11.0.7200.1147. I think that's 11.0.7 MP2.
It is. I was checking the fix notes for RU7 MP3 but I didn't see anything in there. Wasn't sure if this was a bug or not.
Can you select one client you know has logs locally and filter on it in the SEPM to see if any logs show up at all?
SEP Knowledge Base
Endpoint SWAT
Normally, Traffic and Control logs are very large and get overwritten very quickly. Can you try increasing the traffic log size on the Admin - Servers tab?
Vikram Kumar
Symantec Consultant
The most helpful part of the entire Symantec Connect is the Search button. Do use it.
I would think this would be good as it is, yes?
That looks good. Do you see random logs not being sent to SEPM, or certain specific types of logs? Also check whether all the logs are from the same rule or from different rules.
Are these all Traffic logs, or IPS logs as well?
Vikram Kumar
Symantec Consultant
The most helpful part of the entire Symantec Connect is the Search button. Do use it.
It is random and doesn't correspond to any one specific rule. This is for traffic only logs. We don't have much enabled with the IPS.
I'm going through every group now changing the heartbeat time to 15 minutes. We currently have ~9,000 SEP clients and the heartbeat was set to 5 minutes. I'm wondering if the standalone SQL dual-core server is dropping the logs as it can't keep up with that short of a heartbeat. I see that best practices suggest around 30 minutes for our current environment, but that isn't feasible for our situation.
Well raising the heartbeat interval did it. :-D
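The two hypotheses raised in the thread (the 10240 KB client Traffic log rolling over before upload, versus the SEPM/SQL tier not keeping up with ~9,000 clients on a 5-minute heartbeat) can be put side by side with a small capacity model. This is an added example, not code from the thread or from Symantec; the average record size and per-client event rate are assumed placeholders, not values from the page.

```python
"""Added capacity model for SEP client log upload vs. heartbeat interval."""
from dataclasses import dataclass


@dataclass
class Fleet:
    clients: int            # number of SEP clients reporting to one SEPM
    heartbeat_min: float    # client heartbeat interval in minutes
    max_log_kb: int         # client-side Traffic log size limit (KB)
    avg_entry_bytes: int    # ASSUMED average size of one traffic-log record
    events_per_min: float   # ASSUMED traffic events per client per minute


def heartbeats_per_second(f: Fleet) -> float:
    """Average check-ins per second the SEPM/SQL tier must absorb."""
    return f.clients / (f.heartbeat_min * 60)


def log_capacity_entries(f: Fleet) -> int:
    """How many records fit in the rolling client log before it wraps."""
    return f.max_log_kb * 1024 // f.avg_entry_bytes


def overwritten_fraction(f: Fleet) -> float:
    """Share of records generated between two heartbeats that the rolling
    client log has already overwritten when the next upload happens.
    0.0 means the local log never fills up between uploads."""
    generated = f.events_per_min * f.heartbeat_min
    cap = log_capacity_entries(f)
    if generated <= cap:
        return 0.0
    return 1 - cap / generated


def compare_intervals(base: Fleet, intervals) -> dict:
    """Re-run the model for several heartbeat intervals (minutes)."""
    out = {}
    for hb in intervals:
        f = Fleet(base.clients, hb, base.max_log_kb,
                  base.avg_entry_bytes, base.events_per_min)
        out[hb] = {"checkins_per_s": heartbeats_per_second(f),
                   "overwritten": overwritten_fraction(f)}
    return out


if __name__ == "__main__":
    # Thread values: 9000 clients, 10240 KB log; 256 B/record and
    # 20 events/min are constructed assumptions for illustration.
    fleet = Fleet(9000, 5, 10240, 256, 20)
    for hb, r in compare_intervals(fleet, [5, 15, 30]).items():
        print(f"{hb:>2} min: {r['checkins_per_s']:.1f} check-ins/s, "
              f"{r['overwritten']:.0%} of local entries lost before upload")
```

At the assumed event rate the local log never wraps at any of the three intervals, while server check-ins fall from 30/s to 10/s when moving from 5 to 15 minutes, which matches where the thread found the bottleneck.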