To narrow down which clients are downloading huge MBs from SEPM:
1. Enable Apache Access Logs
- In a text editor, open the file drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf\httpd.conf.
- In the httpd.conf file, remove the hash mark (#) from the following line and then save the file:
#CustomLog "logs/access.log" combined
- If clients use HTTPS communication, also open drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\sslForClients.conf, remove the hash mark (#) from the following line and then save the file:
#CustomLog "logs/ssl_access.log" ....
2. Set the Apache Error Log to INFO level
In the "httpd.conf" file, replace "LogLevel warn" with:
LogLevel info
3. Restart SEPM server and Apache
Stop and restart the Symantec Endpoint Protection Manager service and Apache HTTP server:
See Stopping and starting the management server service.
See Stopping and starting the Apache Web server.
4. Allow a few hours for SEPM to log all download activity.
5. Analyze logs [or upload Apache logs for analysis].
The Apache error log is located under %SEPM install folder%\apache\logs\error-****.log and, at INFO level, contains the IP addresses of clients that are downloading large files. A typical log message looks like this:
e.g.: [Mon Jun 06 14:03:48 2011] [info] [client xxx.xxx.xxx.xxx] Thread(3036) TransmitFile done, socket: 00316, bytes xfer: 2854271,Threads ready: 328, url:
GET /content/{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}/110603008/....... HTTP/1.0
The Apache access log is located under %SEPM install folder%\apache\logs\access-****.log. This file also contains the IP addresses of clients that are downloading files, together with the download sizes.
6. After the log analysis, revert the above changes to their original settings and restart the SEPM and Apache services.
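As an added example (not part of the original article), the following Python script performs the step 5 analysis offline: it parses combined-format access log lines and the INFO-level "TransmitFile done" error log lines into bytes transferred per client IP and ranks the clients. The log lines, IPs and content paths are constructed samples, and the error log entry is assumed to carry its "url:" on the same line as the "bytes xfer:" field.

```python
import re
from collections import defaultdict

# Combined-format line from access-****.log (enabled by the CustomLog directive).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# "TransmitFile done" line from error-****.log at LogLevel info.
ERROR_RE = re.compile(
    r'\[client (?P<ip>[^\]]+)\] .*?bytes xfer: (?P<size>\d+),.*?url:\s*(?P<req>.*)$'
)

# Constructed sample log lines; GUIDs, IPs and file names are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jun/2011:14:03:48 -0400] "GET /content/{EXAMPLE-GUID}/110603008/full.zip HTTP/1.0" 200 2854271 "-" "Mozilla/4.0"
10.0.0.7 - - [06/Jun/2011:14:03:49 -0400] "GET /content/{EXAMPLE-GUID}/110603008/delta.dax HTTP/1.0" 200 18432 "-" "Mozilla/4.0"
10.0.0.5 - - [06/Jun/2011:14:05:12 -0400] "GET /content/{EXAMPLE-GUID}/110603009/full.zip HTTP/1.0" 200 2900000 "-" "Mozilla/4.0"
[Mon Jun 06 14:03:48 2011] [info] [client 10.0.0.9] Thread(3036) TransmitFile done, socket: 00316, bytes xfer: 2854271,Threads ready: 328, url: GET /content/{EXAMPLE-GUID}/110603008/full.zip HTTP/1.0
"""


def parse_line(line):
    """Return (client_ip, bytes_sent, request) or None for unrecognised lines."""
    m = ACCESS_RE.match(line)
    if m:
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        return m.group("ip"), size, m.group("req")
    m = ERROR_RE.search(line)
    if m:
        return m.group("ip"), int(m.group("size")), m.group("req").strip()
    return None


def bytes_per_client(lines):
    """Sum bytes transferred per client IP over access and error log lines."""
    totals = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, size, _ = parsed
            totals[ip] += size
    return dict(totals)


def top_clients(lines, n=5):
    """Client IPs with the largest total download volume, descending."""
    totals = bytes_per_client(lines)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for ip, total in top_clients(SAMPLE_LOG.splitlines()):
        print(f"{ip:<16} {total / 1e6:8.2f} MB")
```

Run it against the real access-****.log and error-****.log files by passing their lines instead of SAMPLE_LOG; the clients at the top of the list are the ones pulling the most content from SEPM.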