You want to know what logs can be reviewed to confirm that Symantec Endpoint Protection 12.1 (SEP) clients are downloading content from Group Update Providers (GUPs) instead of from the Symantec Endpoint Protection Manager (SEPM).
This information can be viewed both in the SEP client and in logs on the SEPM.
Viewing this information in the SEP client:
When the SEP client downloads new content, it logs the time and source location in the SEP client's System log. To open the System log, follow these steps:
Note: If the SEP client downloads an update from the SEPM, it logs an event in the SEP client's System log which reads "Downloaded new content update from the management server successfully."
Viewing this information in the SEPM:
The SEPM has logs which report the time, name, and source of any content that SEP clients download. This includes content downloaded from GUPs. To get, from a centralized location, a list of where SEP clients are downloading definitions from, follow the steps below: