Endpoint Protection

  • 1.  log interpreter

    Posted Feb 14, 2017 09:51 AM

    product version 12.1.2015.2015

    pattern revision (3)

    I would like to interpret the logs located in this folder:

    root\ProgramData\Symantec\Symantec Endpoint Protection\12.1.2015.2015\Data\Logs\AV

    Two files are of interest: tralog.log and syslog.log.

    When I open the file I see something like .....00000000 0000000f ... Blocked all other traffic

    I would like to see what traffic was blocked or what traffic was allowed through.



  • 2.  RE: log interpreter

    Posted Feb 14, 2017 09:53 AM

    This is both the Traffic log and System log. They should be in a readable format when opened in a text editor.

    That looks like an IPv6 address and if so, that is the correct format.

    It's easier to view from the client itself or the SEPM.



  • 3.  RE: log interpreter

    Posted Feb 14, 2017 10:10 AM

    Sorry, I had truncated the output because I'm lazy. I'm viewing the tralog.log file in a simple text editor and I see the following; this time I will be more specific.

    00000002 00080000 00000000 000005ca 00000000008567F7 000000e

    00000162 01d223d46ecc5c5a 00000133 3100000a 00000806 00000000 (more of this stuff)  Block all other traffic h(r    X    Default (username)  (domain)

    I would like to understand what all this means.

    If I want to view the tralog.log file from the client where would I go? 

    Seb



  • 4.  RE: log interpreter

    Posted Feb 14, 2017 10:13 AM

    Open the SEP GUI.

    Go to View Logs >> and to the right of Network Threat Protection click View Logs >> Traffic log.



  • 5.  RE: log interpreter

    Posted Feb 14, 2017 11:00 AM
    Use this: Interpreting Endpoint Protection AV log files, https://support.symantec.com/en_US/article.TECH100099.html