Unable to see NTP and SONAR logs in SEPM 12.1 console

Created: 01 Jul 2013 | 9 comments

Hi,

Recently, I upgraded the SEPM console from 110.6 to SEP 12.1.2015.2015. Since the upgrade, I am unable to see the logs for two components, i.e. Network Threat Protection and SONAR. For other components like Risk and Application Control, logs are present.

Before upgrading the SEPM console, it was working perfectly fine.

Clients are still running on 11.0.6

Can anybody suggest what needs to be checked?

 

.Brian's picture

Clients page >> select a group >> Policies tab >> Client Log settings

Are the boxes checked to upload to the management server?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Kumar K's picture

Hi Brian,

 

Yes it is selected.

Also, it is only the Network Threat Protection and SONAR logs that I am not able to see.

I can see the other logs properly, like Application Control, Risk, Scan, etc., in Monitors >> Logs.

.Brian's picture

And you confirmed from a client log that you should be seeing some activity from either NTP or PTP?

What is your heartbeat set to? Could it be that the log hasn't been uploaded yet to the SEPM?

Kumar K's picture

Yes, I am able to see logs on each and every SEP client.

It is set for 5 minutes but communication mode is PUSH.

It was perfectly fine while we had the SEPM console 11.0.6.

As soon as we upgraded it to SEP 12.1.2015.2015, we were unable to see the NTP and SONAR logs.

SebastianZ's picture

As you can see these logs on each SEP client, it may be that something is wrong with SEPM processing those logs. Have a look on the SEPM drive for the following folders:

- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\client

- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\traffic

- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo

- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\system

 

These folders should usually be empty after SEPM has processed the logs incoming from clients. If there are any errors during processing operations, the log files will be replaced by files with the .err.dat extension, preserved in that folder and not processed any more. Result: no logs in the SEPM console GUI. Have a look at the mentioned locations to see if you can find any logs there.
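The folder check described in the comment above, as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later on the SEPM server and the default install path quoted in the comment; `$InboxRoot` and the report column names are made up for this example.

```powershell
# Added example, not from the thread. Run on the SEPM server.
param(
    # Default install path as quoted in the comment; adjust if SEPM lives elsewhere.
    [string]$InboxRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox'
)

# The four inbox folders named in the comment, relative to $InboxRoot.
$folders = 'log\client', 'log\traffic', 'agentinfo', 'system'

$report = foreach ($rel in $folders) {
    $path = Join-Path -Path $InboxRoot -ChildPath $rel
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        [pscustomobject]@{ Folder = $rel; Status = 'missing'; Waiting = 0; Failed = 0; OldestFailed = $null }
        continue
    }

    $files   = @(Get-ChildItem -LiteralPath $path -File -Recurse -ErrorAction SilentlyContinue)
    # Files SEPM gave up on carry the .err.dat extension, per the comment.
    $failed  = @($files | Where-Object { $_.Name -like '*.err.dat' })
    $waiting = @($files | Where-Object { $_.Name -notlike '*.err.dat' })
    $oldest  = $failed | Sort-Object LastWriteTime | Select-Object -First 1

    if ($failed.Count -gt 0)      { $status = 'processing errors' }
    elseif ($waiting.Count -gt 0) { $status = 'files waiting' }
    else                          { $status = 'empty (expected)' }

    $oldestTime = $null
    if ($oldest) { $oldestTime = $oldest.LastWriteTime }

    [pscustomobject]@{
        Folder       = $rel
        Status       = $status
        Waiting      = $waiting.Count   # not yet processed by SEPM
        Failed       = $failed.Count    # preserved as .err.dat, never processed
        OldestFailed = $oldestTime      # compare with the date of the upgrade
    }
}

$report | Format-Table -AutoSize
```

A `Failed` count above zero whose `OldestFailed` timestamp lines up with the upgrade date points at SEPM log processing rather than at client upload settings.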

Ambesh_444's picture

Hi,

https://www-secure.symantec.com/connect/forums/where-are-truscan-logs-sepm-12

Here's the answer:

Issue #2 - TruScan logs not being displayed in a 12.1 SEPM

As you know, SONAR has replaced TruScan in 12.1.  It is expected behavior, working as designed, that the TruScan logs are not viewable in 12.1 SEPM.  The advice would be to migrate your clients to 12.1 so that they are running SONAR which can be viewed from the SEPM as expected.  Another unsupported workaround would be, once again, to run a SQL query to pull this information from the database, as it should still be processed from the information the client has sent to the SEPM

https://www-secure.symantec.com/connect/ideas/sepm...

 

 

So, in your case, if you pull the SONAR logs, you may see those events.

Note: The condition here is that these logs expire by default after 60 days.

You could check these settings from - 

SEPM >> Admin >> Servers >> Local Host >> Edit Database properties >> Log settings.

 

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

Rafeeq's picture

Ambesh explained it very well. SONAR is in 12.x, not in 11.x.

 

AjinBabu's picture

Hi,

Are you using the embedded database or a SQL database?

Regards

Ajin

 

Ambesh_444's picture

Hi,

Have you got your answer, or are you looking for more help?

 

Thanks & Regards,

Ambesh