
SEPM Report for USB disk activity logged

Created: 30 Nov 2011 • Updated: 02 Dec 2011 | 8 comments
snowdog_2112's picture
This issue has been solved. See solution.

Running SEP 12.1

Is it possible to have the logs that are accessible under Monitor --> Logs be available as a scheduled report?

Specifically, I'd like the Monitors --> Logs --> Application and Device Control --> Application Control (and Device Control) logs to be available as a report to get sent weekly to an administrator account.

The canned reports for App/Dev control are horrible - there is no detail whatsoever.

Currently, a user must log in to the SEPM and manually run the Monitor --> Logs report(s).  This is inconvenient at best, and often missed/overlooked/forgotten.

Thanks.


Optimus.prime's picture

Hi,

If you have blocked the USB using ADC policy, you should ENABLE the Logging in policy.

It should show up in PTP system Log .....

pete_4u2002's picture

Check this article, this might help

http://www.symantec.com/business/support/index?page=content&id=TECH131125

The activity logged can be found in:
- SEP Client > View Logs > Client Management > View Log > Control Log
- The console of Symantec Endpoint Protection Manager (SEPM) > Monitors > Logs > Application and Device Control > Application Control

snowdog_2112's picture

As my OP mentioned, I see the logs in the SEPM. 

My question is how to get that same information as a scheduled report delivered to the SEPM administrator(s).

 

The Logs cannot be delivered on a schedule (that I've seen), and the Reports option does not have the same options under Application and Device Control.

Optimus.prime's picture

Hi, 

Check this article for logging the USB activity:

http://www.symantec.com/docs/TECH131125

I think this will help ...

snowdog_2112's picture

Thanks for the links, but as I have stated twice now, I see the logs under the MONITOR --> LOGS option.  I am getting logged info on USB activity. 

How can I generate the same DATA which I am able to view in the log EMAILED as a REPORT on a SCHEDULE?  None of the links specify how to accomplish this task.

Thanks for your help. 

Simpson Homer's picture

Solution

1. Connect to SEPM

2. Go to "Monitors"

3. Go to "Notifications" tab

4. Click on "Notification Conditions" button at the bottom of the console

5. Click on "Add..." and select "Client Security Alert"

6. In the top of the new window, specify condition name, filtering settings (optional) and outbreak type

7. Check "Application Control Events"

8. Specify condition and damper settings

9. Check "Send email to:" and type email address to use

10. Validate

NOTE: More details regarding each setting are available by clicking on the "Help" button at the bottom of the window.

snowdog_2112's picture

Perfect!!

That will work for our needs.  A report would be ideal, but this will meet the requirements.