
Not all SEP firewall logs sent to SEPM

Created: 31 Jan 2013 • Updated: 07 Feb 2013 | 10 comments

So I have this issue going on that the SEP clients are online and communicating with the SEPM server. However, if I look at the Network Threat Protection, Traffic Logs on the SEP client it contains all the logs that I want but ~75% of them don't make it back to the SEPM server. This is happening on the majority of 8000 SEP clients.

Any ideas?


.Brian:

Is it possible they are being overwritten? You have 10240KB as the max size, which could fill up pretty quickly and be overwritten.

Or are you saying they're not making it at all?

Do you have multiple groups with different policies? Is inheritance turned off for some?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

doublejz:

Possibly, but I'd think the logs I'm expecting would be overwritten locally too. We do have multiple groups, like 500 of them, which all have unique policies without inheritance, but the client log settings policies are all the same for them.

.Brian:

What's the version?

.Brian:

It is. I was checking the fix notes for RU7 MP3 but I didn't see anything in there. Wasn't sure if this was a bug or not.

Can you select one client you know has logs locally and filter on it in the SEPM to see if any logs show up at all?

Vikram Kumar-SAV to SEP:

Normally Traffic and Control logs are very large and get overwritten very quickly. Can you try increasing the traffic log size on the Admin > Servers tab?

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button. Do use it.

doublejz:

I would think this would be good as it is, yes?

Vikram Kumar-SAV to SEP:

That looks good. Do you see random logs not being sent to SEPM, or certain specific types of logs? Also check whether all the logs are from the same rule or from different rules.

Are these all Traffic logs, or IPS logs as well?

doublejz:

It is random and doesn't correspond to any one specific rule. This is for traffic-only logs. We don't have much enabled with the IPS.

I'm going through every group now, changing the heartbeat time to 15 minutes. We currently have ~9,000 SEP clients and the heartbeat was set to 5 minutes. I'm wondering if the standalone dual-core SQL server is dropping the logs because it can't keep up with that short a heartbeat. I see that best practices suggest around 30 minutes for our current environment, but that isn't feasible for our situation.

SOLUTION
doublejz:

Well raising the heartbeat interval did it. :-D