Overview of log and configuration files in Symantec Endpoint Protection for Linux (versions 14.3.1169 or older)


Article ID: 161862


Endpoint Protection


NOTE: This article is only for SEP for Linux versions 14.3.1169 or older. For SEP Linux Agent 14.3 RU1 (14.3.3384) or newer, see Troubleshooting the Symantec Linux Agent

What kinds of debug logging does SEP for Linux produce, where are the log and configuration files, and how is logging configured?



SEP for Linux configuration files:

  • /etc/liveupdate.conf - Not present in SEP 14 and newer. LiveUpdate configuration in SEP 12.1.x. See The default contents of liveupdate.conf in SEP for Linux.
  • /etc/Symantec.conf - BaseDir and JAVA_HOME paths used by SEP. These should not be changed, with the exception of JAVA_HOME, when necessary. JAVA_HOME is not used in SEP 14 and newer.

SEP for Linux logging:

  • installation logs
  • sylink: client-server communications
  • vpdebug: antivirus configuration and scans
  • liveupdate: antivirus definition update downloads 
  • defutil: antivirus definition update processing (post-download)
  • daemon debug logging: rtvscand, smcd, symcfgd --- of lesser utility than those above
  • syslog: client system event logging


Not all logs may be present, depending on version and components chosen for installation:


Sylink/Communication Module

Sylink logging in SEP 12.1.x is saved to /var/symantec/Logs/debug.log.
In SEP 14 and newer, the path is /var/symantec/sep/Logs/debug.log.

To enable sylink debug logging, create a new text file named /etc/symantec/sep/log4j.properties (/etc/symantec/log4j.properties in SEP 12.1.x), with the following contents:

# NOTE: change the path below to /var/symantec/Logs/debug.log in SEP 12.1.x
log4j.appender.A1.fileName=/var/symantec/sep/Logs/debug.log
log4j.appender.A1.layout.ConversionPattern=%d{%Y-%m-%dT%H:%M:%S.%l%Z} %t %p %c{2.EN_US} %m%n
log4j.rootCategory=DEBUG, A1

Then, restart the smc daemon:

sudo service smcd restart 


vpdebug logging is saved to /opt/Symantec/symantec_antivirus/vpdebug.log

To enable vpdebug:

cd /opt/Symantec/symantec_antivirus
sudo ./symcfg add --key '\Symantec Endpoint Protection\AV\ProductControl\' --value 'Debug' --data 'ALL' --type REG_SZ

Repeat the command above with an empty --data string to turn vpdebug off. Restart rtvscand for the settings change to take effect:

sudo service rtvscand restart

WARNING: SEP for Linux vpdebug logging will quickly grow quite large.


  • SEP 12.1.x
    LiveUpdate logging is saved by default to /opt/Symantec/LiveUpdate/liveupdt.log and is always on. The default liveupdt.log file path can be changed by editing /etc/liveupdate.conf. See The default contents of liveupdate.conf in SEP for Linux.
  • SEP 14 and newer
    LiveUpdate logging is saved by default to /opt/Symantec/LiveUpdate/Logs/lux.log

    Extended lux debug logging can be enabled by creating /etc/symantec/lux.logging.conf (NOT /etc/symantec/sep/...) with the following contents:
    lux.logging.conf parameters are case sensitive.

    Multiple devlux_####.log files will be generated, each suffixed with the PID of the liveupdate process.

    You may optionally set "logger.sink=console,file" so that the LiveUpdate command line (sav liveupdate -u) also echoes lux debug logging to stdout.


Defutil logging is saved to /opt/Symantec/virusdefs/defutil.log (for example). The log name is specified in the configuration below; "defutil.log" is used here, but any name will do. Defutil logging is helpful when the LiveUpdate log indicates a successful session but definition updates are still not being applied, for example when a "Failure in post processing" error is seen at the command line when attempting to update definitions.

To enable defutil logging, edit or create the file /etc/symc-defutils.conf, add a [defutillog] section if it does not exist, and add "defutillog_name=defutil.log".

Example entry in symc-defutils.conf:


In SEP 14.2 and newer, create an empty defutil.log in the /opt/Symantec/virusdefs directory before editing symc-defutils.conf.


System event logging is saved by default to /var/symantec/Logs/syslog.log and is always on.

Events which can be observed in the system event log include:

  • A LiveUpdate session ran successfully
  • Applied new policy
  • Connected to Symantec Endpoint Protection Manager
  • Received a new policy 
  • Symantec Management Client has been started/stopped
  • The client has successfully downloaded and applied license file
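
Because vpdebug grows quickly and the sylink and lux debug settings stay active until their files are removed, the following added example (not Symantec code) reports debug logging that is still switched on and debug logs that have passed a size limit, using the paths given in this article. The function name, the ROOT prefix argument and the default size limit are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Symantec code): report SEP for Linux debug logging that is
# still switched on, and debug logs that have grown past a size limit.
# Usage: sep_debug_audit [ROOT] [MAX_KB]
#   ROOT   - hypothetical path prefix, so the check can run on a mounted image
#            or a test directory; leave empty for the live host
#   MAX_KB - assumed size limit in KiB (default 102400 = 100 MiB)
sep_debug_audit() {
    root=${1%/}
    max_kb=${2:-102400}
    findings=0

    # Sylink debug: log4j.properties whose rootCategory is DEBUG
    # (SEP 14 path first, then the SEP 12.1.x path).
    for f in etc/symantec/sep/log4j.properties etc/symantec/log4j.properties; do
        if [ -f "$root/$f" ] &&
           grep -Eq '^[[:space:]]*log4j\.rootCategory[[:space:]]*=[[:space:]]*DEBUG' "$root/$f"
        then
            echo "ENABLED sylink /$f"
            findings=$((findings + 1))
        fi
    done

    # Extended lux debug: the file's presence is treated as the indicator;
    # its contents are not parsed.
    if [ -f "$root/etc/symantec/lux.logging.conf" ]; then
        echo "ENABLED lux /etc/symantec/lux.logging.conf"
        findings=$((findings + 1))
    fi

    # Size check for the debug logs named in this article (defutil.log is the
    # example name used here; the real name comes from symc-defutils.conf).
    for f in var/symantec/sep/Logs/debug.log var/symantec/Logs/debug.log \
             opt/Symantec/symantec_antivirus/vpdebug.log \
             opt/Symantec/virusdefs/defutil.log; do
        [ -f "$root/$f" ] || continue
        kb=$(( $(wc -c < "$root/$f") / 1024 ))
        if [ "$kb" -gt "$max_kb" ]; then
            echo "LARGE /$f ${kb}KB"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]   # exit status 0: nothing left enabled or oversized
}
```

The function exits non-zero when it prints any finding, so it can be called from a scheduled job after a troubleshooting session to confirm that debug logging was turned back off.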