Endpoint Protection

  • 1.  strange log behaviour on our SEPM servers

    Posted May 20, 2010 10:49 AM
    I'm using SEP sort of like Wireshark on some computers to try to nail down what's hammering our network - I'm looking to see if it's anything between SEP on clients and the SEPM servers that's doing it.
    I go to the console, make a test group, and change that group to mixed control.
    I create a firewall rule at the top for that group only that is set to all/everything, and write to the packet log.
    Back on the server, I open SEP, then choose view logs, then NTP logs, packet log.
    Usually it shows up blank. Then I switch between local view and source view, and then it will populate the screen. If I hit refresh, the log may appear empty until I toggle between local and source, or hit refresh again.
    When it IS showing all the packets, then I should be able to highlight a packet and see what's in it in the lower panes in the log view, much like wireshark does. And it usually does, then I'll click another line and it will show nothing below.
    I click several lines, it shows nothing. Then I hit refresh again or toggle between local and source, and then I can click a line and see the content once again, or, it might do worse and present me with an empty log screen!!
    Anyone know what's up?
    And - what's the difference between local and source view in these logs? Looks like it gives the same info...

    SEPM and SEP RU6a on clean new 2008 R2 64-bit VMware servers.

    This sort of logging works perfectly on clients I'm doing it on, no issues.


  • 2.  RE: strange log behaviour on our SEPM servers

    Posted May 20, 2010 12:14 PM
    Just one question. Why aren't you using Wireshark to do this?

    Sounds like you are logging so much it takes a while to load


  • 3.  RE: strange log behaviour on our SEPM servers

    Posted May 20, 2010 12:25 PM
    LOL - because I WAS using Wireshark and it kept crashing because of the huge temp files it creates.
    Let Wireshark run a while and the temp files get really huge, and Wireshark is unstable.
    SEP simply does a FIFO on the logs instead of creating temp files and then writing capture files when you do a save.
    Also, there is then yet another app and driver... and it needs to be launched. SEP is running all the time.
    Interesting that it's fine on desktop and notebook computers, not so fine on the SEPM server.

    Chuckle again - it was a Symantec tech on a case call that suggested I could use SEP for this purpose... then, if desired, export the logs.


  • 4.  RE: strange log behaviour on our SEPM servers

    Posted May 20, 2010 12:31 PM
    Is the network traffic issue happening all the time or just at specific times?


  • 5.  RE: strange log behaviour on our SEPM servers

    Posted May 20, 2010 01:20 PM


  • 6.  RE: strange log behaviour on our SEPM servers

    Posted May 20, 2010 02:49 PM
    Just re-read your message - no, the client workstation I'm doing the same thing on is running about 4,500 entries, the server about 1,500.

    It's only happening or acting like that on the server.
    I've also noted, I don't think this really plays well on a 64-bit VM... just my opinion, but I got much better response with RU5 on a 32-bit 2003 VM.
    Especially the logs and console...