Which administrator activities are logged in the Symantec Endpoint Protection Manager console?

Article ID: 152816

Products

Endpoint Protection

Issue/Introduction

In Symantec Endpoint Protection (SEP) 14.x, which administrator activities are logged in the Symantec Endpoint Protection Manager (SEPM) console?

 

Resolution

The event logs for administrator activities can be viewed in the SEPM console using the following steps:

  • Select the Monitors section to the left.
  • Select the Logs tab.
  • Choose Log type: System and Log Content: Administrative.
  • Select a Time range and click View Log.

The following administrator activities, listed with their event IDs, are logged by the SEPM console.

--------------------------------------------------------------------------------
0x1001 = The logon succeeded.
0x1002 = The logon failed.
0x1003 = Logoff.
0x1004 = The account was locked.
0x1005 = The account was unlocked.
0x1006 = The account was disabled.
0x1007 = The account was enabled.
0x1008 = The administrator was created.
0x1009 = The administrator was deleted.
0x100A = The administrator was renamed.
0x100B = The password was changed.
0x100C = The administrator properties changed.
0x100D = The domain was created.
0x100E = The domain was deleted.
0x100F = The domain properties changed.
0x1020 = The domain was disabled.
0x1021 = The domain was enabled.
0x1022 = The domain was renamed.
0x2001 = The group was created.
0x2002 = The group was deleted.
0x2003 = The group was renamed.
0x2004 = The group was moved.
0x2005 = The group properties changed.
0x2006 = The user was created.
0x2007 = The user was deleted.
0x2008 = The user was moved.
0x2009 = The user was copied.
0x200A = The user policy mode was switched.
0x200B = The user properties changed.
0x200C = The computer was created.
0x200D = The computer was deleted.
0x200E = The computer was moved.
0x200F = The computer was copied.
0x2010 = The computer policy mode was switched.
0x2011 = The computer properties changed.
0x2012 = The organizational unit was imported.
0x2013 = The domain user was imported.
0x2014 = The LDAP user was imported.
0x3001 = The package was created.
0x3002 = The package was deleted.
0x3003 = The package was exported.
0x3004 = The package was moved to the recycle bin.
0x3005 = The package is now current.
0x3006 = The package was added to another domain.
0x3007 = The package properties changed.
0x3008 = The package deployment was created.
0x3009 = The package deployment was deleted.
0x300A = The package deployment properties changed.
0x300B = The package updated.
0x4001 = The replication partner was registered.
0x4002 = The replication partner was deleted.
0x4003 = The remote site was deleted.
0x4004 = The site properties changed.
0x4005 = The server properties changed.
0x4006 = The database properties changed.
0x4007 = The partner properties changed.
0x4008 = The site license is changed.
0x4009 = The enforcer license changed.
0x400A = Replicate now.
0x400B = Back up now.
0x400C = The external logging properties changed.
0x400D = The site backup settings changed.
0x400E = The server was deleted.
0x400F = The server certificate changed.
0x4010 = Replicate now.
0x4011 = Back up now.
0x4012 = The external logging properties changed.
0x4013 = The site backup settings changed.
0x4014 = The server was deleted.
0x4015 = The server certificate changed.
0x4016 = The enforcer group properties changed.
--------------------------------------------------------------------------------
The administrator activities are logged to the SERVER_ADMIN_LOG_1 and SERVER_ADMIN_LOG_2 tables in the database.
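
The event IDs above can drive a simple review of administrator activity. The following is an added example, not Symantec code: it flags bursts of failed logons (0x1002), a successful logon (0x1001) that follows such a burst, account lockouts (0x1004) and a few high-impact changes. The record layout (timestamp, administrator, event ID), the choice of which IDs to flag, and the thresholds are assumptions made for illustration; they are not the SEPM export format or table schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs taken from the list above.
LOGON_OK, LOGON_FAILED, ACCOUNT_LOCKED = 0x1001, 0x1002, 0x1004
HIGH_IMPACT = {  # selection is an assumption; adjust to local policy
    0x1008: "administrator created",
    0x100B: "password changed",
    0x400C: "external logging properties changed",
    0x400F: "server certificate changed",
}

def triage(records, max_failures=3, window=timedelta(minutes=5)):
    """Return (time, admin, finding) tuples for events worth an analyst's review.
    records: iterable of (iso_timestamp, admin, event_id_hex) -- an assumed,
    simplified layout, not the actual SEPM export or table schema.
    """
    findings = []
    failures = defaultdict(deque)   # admin -> timestamps of recent failed logons
    parsed = sorted((datetime.fromisoformat(ts), admin, int(eid, 16))
                    for ts, admin, eid in records)
    for ts, admin, eid in parsed:
        recent = failures[admin]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures that fell out of the window
        if eid == LOGON_FAILED:
            recent.append(ts)
            if len(recent) == max_failures:
                findings.append((ts, admin, "repeated failed logons"))
        elif eid == LOGON_OK:
            if len(recent) >= max_failures:
                findings.append((ts, admin, "logon succeeded after failed-logon burst"))
            recent.clear()
        elif eid == ACCOUNT_LOCKED:
            findings.append((ts, admin, "account locked"))
        elif eid in HIGH_IMPACT:
            findings.append((ts, admin, HIGH_IMPACT[eid]))
    return findings

# Constructed sample records (not real log data).
SAMPLE = [
    ("2024-01-10T09:00:05", "admin2", "0x1002"),
    ("2024-01-10T09:00:40", "admin2", "0x1002"),
    ("2024-01-10T09:01:10", "admin2", "0x1002"),
    ("2024-01-10T09:02:00", "admin2", "0x1001"),
    ("2024-01-10T09:03:30", "admin2", "0x400C"),
    ("2024-01-10T08:00:00", "admin1", "0x1002"),
    ("2024-01-10T09:30:00", "admin1", "0x1001"),
]
```

On the constructed sample, only admin2 produces findings; admin1's single failed logon ages out of the five-minute window before the later successful logon.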