Endpoint Protection

  • 1.  SEP 11 - Traffic Log is enabled, but logs are blank

    Posted Jan 25, 2012 10:35 AM

    We have a SEP 11 environment where all of the clients are set to log (traffic log), yet all of the traffic logs are blank.  We definitely have numerous firewall rules that are set to Write To Log.  I'm not sure what is happening.



  • 2.  RE: SEP 11 - Traffic Log is enabled, but logs are blank

    Posted Jan 25, 2012 11:09 AM

    If it's on the SEPM, then make sure your clients are configured to upload their traffic logs to the SEPM (can be found under Clients -> Highlight a group -> Policies tab on right pane -> Client Log Settings).

    If you're looking on the client, then make sure you have the filter set correctly, as it will show only the last 1 day's logs.



  • 3.  RE: SEP 11 - Traffic Log is enabled, but logs are blank

    Trusted Advisor
    Posted Jan 25, 2012 11:15 AM

    Hello,

    Please check these Settings in the SEPM.

    SEPM > Admin> Local Site (my site)> Edit Site Properties> Log settings

    Hope that helps!!

    EDIT: Apologies, I was slow in replying...

    Questions: 1) So is this client a managed client or unmanaged?

    2) What version of the SEP 11.x client are you carrying?



  • 4.  RE: SEP 11 - Traffic Log is enabled, but logs are blank

    Posted Jan 25, 2012 11:16 AM

    It's on the client.  Even filtering to 1 day, I should see something.  It's coming up completely blank.



  • 5.  RE: SEP 11 - Traffic Log is enabled, but logs are blank

    Posted Jan 25, 2012 11:25 AM

    I guess we need to confirm some of the other bits then...

    How is the firewall policy configured?

    Can you confirm the client has the latest version of the policy?

    Have you enabled notifications?

    Can you trigger the rules on your client?



  • 6.  RE: SEP 11 - Traffic Log is enabled, but logs are blank

    Posted Jan 25, 2012 01:46 PM

    It's managed.  SEP 11.0.6200.754.



  • 7.  RE: SEP 11 - Traffic Log is enabled, but logs are blank

    Posted Jan 25, 2012 01:48 PM

    There are several allow rules that are set to log and one block all rule at the end (also set to block).

    Yes, the clients all have the latest policy version.

    I'm not sure what you mean by notifications.

    Yes, I can create traffic that would trigger the rules.  The logs do not appear.



  • 8.  RE: SEP 11 - Traffic Log is enabled, but logs are blank

    Posted Jan 26, 2012 03:39 AM

    ...can be set within the firewall policy so that the user is aware of blocks and the like.  This can be configured from the Notifications tab within the Firewall policy (right beside the 'Rules' tab).

    I'd recommend enabling notifications for a test group and machine to help investigate your issue.



  • 9.  RE: SEP 11 - Traffic Log is enabled, but logs are blank

    Trusted Advisor
    Posted Jan 26, 2012 04:35 AM

    Hello,

    Since these are managed SEP clients, you would have to check as well as change the settings from the SEPM itself (unless they have complete Client Control).

    Could you check this as well:

    Hope that helps!!



  • 10.  RE: SEP 11 - Traffic Log is enabled, but logs are blank
    Best Answer

    Posted Jan 26, 2012 12:54 PM

    I believe I figured it out.  The firewall policy somehow got disabled for that group.  No firewall = no traffic logs, even if the traffic log is enabled.

    Thanks for the suggestions.