Which administrator activities are logged in the Symantec Endpoint Protection Manager console?
search cancel

Which administrator activities are logged in the Symantec Endpoint Protection Manager console?


Article ID: 152816


Updated On:


Endpoint Protection


With Symantec Endpoint Protection (SEP) 11.0 or 12.1 - which administrator activities are logged in the  Symantec Endpoint Protection Manager (SEPM) console?



The event logs for administrator activities can be viewed in the SEPM console using the following steps:

  • Select the Monitors section to the left.
  • Select the Logs tab.
  • Choose Log type: System and Log Content: Administrative.
  • Select a Time range and click View Log.

The following is the list of activities (and event id's) that are logged by the SEPM console.

0x1001 = Login succeeded
0x1002 = Login failed
0x1003 = Log out
0x1004 = Account locked
0x1005 = Account unlocked
0x1006 = Account disabled
0x1007 = Account enabled
0x1008 = Administrator created
0x1009 = Administrator deleted
0x100A = Administrator renamed
0x100B = Password changed
0x100C = Administrator properties are changed
0x100D = Domain is created
0x100E = Domain is deleted
0x100F = Domain properties are changed
0x1020 = Domain is disabled
0x1021 = Domain is enabled
0x1022 = Domain is renamed
0x2001 = Group is created
0x2002 = Group is deleted
0x2003 = Group is renamed
0x2004 = Group is moved
0x2005 = Group properties are changed
0x2006 = User is created
0x2007 = User is deleted
0x2008 = User is moved
0x2009 = User is copied
0x200A = User policy mode is switched
0x200B = User properties are changed
0x200C = Computer is created
0x200D = Computer is deleted
0x200E = Computer is moved
0x200F = Computer is copied
0x2010 = Computer policy mode is switched
0x2011 = Computer properties are changed
0x2012 = Organizational Unit is imported
0x2013 = Domain user is imported
0x2014 = LDAP user is imported
0x3001 = Package is created
0x3002 = Package is deleted
0x3003 = Package is exported
0x3004 = Package is moved to recycle bin
0x3005 = Package is now current
0x3006 = Package is added to other domain
0x3007 = Package properties are changed
0x3008 = Package deployment created
0x3009 = Package deployment deleted
0x300A = Package deployment properties changed
0x300B = Package updated
0x4001 = Replication partner is registered
0x4002 = Replication partner is deleted
0x4003 = Remote site is deleted
0x4004 = Site properties are changed
0x4005 = Server properties are changed
0x4006 = Database properties are changed
0x4007 = Partner properties are change
0x4008 = Site license is changed
0x4009 = Enforcer license changed
0x4010 = Replicate now
0x4011 = Back up now
0x4012 = External logging properties are changed
0x4013 = Site backup settings changed
0x4014 = Server deleted
0x4015 = Server certificate changed
0x4016 = Enforcer group properties changed
The administrator activities are logged to the SERVER_ADMIN_LOG_1 and SERVER_ADMIN_LOG_2 tables in the database.