You want to know how to manage log data in Symantec Endpoint Protection Manager (SEPM).
You can configure a number of options to manage the logs that are stored in the database.
The data from all the logs that are uploaded to the console are stored in the console database.
Data is stored in two tables in the database from the following types of logs:
The data from other logs is stored in a single table. You can set the log options for managing the database logs that are stored in two tables.
The single table that contains the other logs' data is managed by using the database maintenance options in the site properties. You can set the database maintenance options that affect the data that is stored in a single table.
For the logs that are stored in two tables, one table (table A) is the current log table. New log entries are written into this table. When the log threshold or expiration occurs, new log entries are stored in the second table (table B). The data remains in table A until table B reaches its threshold or the number of days that is specified in the Expired after field. At that time, table A is cleared completely and new entries are stored there. The information in table B remains until the switch occurs.
Switching from one table to the other, also called sweeping the logs from the database, occurs automatically. The timing of the switch depends on the log settings that you set in the site properties. The process is the same regardless of whether the sweep is automatic or manual.
You can perform a manual log sweep after backing up the database, if you prefer to use this method as part of routine database maintenance.
If you allow an automatic sweep to occur, you may lose some log data if your database backups do not occur frequently enough. If you regularly perform a manual log sweep after you have performed a database backup, it ensures that you retain all your log data. This procedure is very useful if you must retain your logs for a relatively long period of time, such as a year.
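The following is an added example, not Symantec code: a simplified model of the two-table switching described above, used to see how long an entry stays readable and when an automatic sweep discards it. It assumes a single entry threshold and a single Expired after value; SEPM applies these per log type from the Site Properties log settings.

```python
# Added example, not Symantec code: a simplified model of the two-table log
# storage described above, used to see when swept entries become unrecoverable.
# Assumption: one size threshold and one "Expired after" value; SEPM applies
# these per log type from the Site Properties log settings.
from dataclasses import dataclass, field


@dataclass
class TwoTableLog:
    threshold: int                 # entries a table holds before a switch
    expire_days: int               # the "Expired after" value in days
    current: list = field(default_factory=list)   # the table receiving writes
    other: list = field(default_factory=list)     # the table kept until the next switch
    current_start_day: int = 0     # day the current table began receiving writes
    swept: int = 0                 # entries discarded by switches so far

    def _switch(self, day: int) -> None:
        # The table holding the older entries is cleared and becomes the
        # current table; the table that was current is kept until next time.
        self.swept += len(self.other)
        self.other, self.current = self.current, []
        self.current_start_day = day

    def write(self, day: int, entry: str) -> None:
        if (len(self.current) >= self.threshold
                or day - self.current_start_day >= self.expire_days):
            self._switch(day)
        self.current.append((day, entry))

    def readable(self) -> int:
        """Entries still present in the database (both tables)."""
        return len(self.current) + len(self.other)


def simulate(days: int, per_day: int, threshold: int, expire_days: int):
    """Write per_day entries each day; return (day, readable, swept) per day."""
    log = TwoTableLog(threshold, expire_days)
    history = []
    for day in range(days):
        for i in range(per_day):
            log.write(day, f"event-{day}-{i}")
        history.append((day, log.readable(), log.swept))
    return history


if __name__ == "__main__":
    # 10 entries/day against a 100-entry threshold: the first 100 entries are
    # kept until day 20, so a backup taken less often than that loses them.
    for day, readable, swept in simulate(30, 10, 100, 365):
        if day in (9, 10, 19, 20, 29):
            print(f"day {day:2d}: readable={readable:3d} swept={swept}")
```

The model shows that an entry survives between one and two table-fills (or expiry periods), so backups must run at least that often to keep every entry.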
Note: The manual procedure that is described below does not affect the data in the logs that are stored in a single table in the database.
You can manually clear the logs, but this procedure is optional and you do not have to do it.
The Symantec Endpoint Protection reporting functions use a temporary folder, drive:\Program Files(x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\Reporting\Temp, for several purposes. Some administrators may want to schedule their own automated tasks to periodically clean this temporary folder.
To help control disk space usage, you can configure the number of entries that are kept on the server in a site's logs. You can also configure the number of days the entries are kept. You can configure different settings for the different sites.
Note: Log information on the console Logs tab on the Monitors page is presented in logical groups for you to view. The log names on the Site Properties Log Settings tab correspond to log content rather than to log types on the Monitors page Logs tab.
For a description of each configurable option, you can click Tell me more for that type of report on the console. Tell me more displays the context-sensitive help.
You configure event aggregation for client logs in two locations on the console.
Use this location to configure the aggregation for risk events. The default aggregation time is 5 minutes. The first occurrence of an event is immediately logged. Subsequent occurrences of the same events are aggregated and the number of occurrences is logged on the client every 5 minutes.
Use this location to configure the aggregation of Network Threat Protection events. Events are held on the clients for the damper period before they are aggregated into a single event and then uploaded to the console. The damper period helps to reduce events to a manageable number. The default damper period setting is Auto (Automatic). The damper idle period determines the amount of time that must pass between log entries before the next occurrence is considered a new entry. The default damper idle is 10 seconds.
On the Clients page, Policies page, Client Log Settings
If you have installed Symantec Endpoint Protection, you can configure some client log options. You can configure the number of entries kept in the logs and the number of days that each entry is kept on the client. You can configure settings for the following client logs:
For the Security, Risk, and Traffic logs, you can also configure the damper period and the damper idle period to be used for event aggregation. You can configure whether or not to upload each type of client log to the server, and the maximum size of the uploads.
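The following is an added example, not Symantec code: a simplified model of the damper period and damper idle aggregation described above for the risk and Network Threat Protection events. It assumes that same-kind events are held for at most the damper period from their first occurrence and that a gap longer than the damper idle starts a new entry; the page does not document SEPM's exact rules.

```python
# Added example, not Symantec code: a simplified model of the client-side event
# aggregation described above. Assumptions: events of the same kind are held for
# at most damper_seconds from their first occurrence, and a gap longer than
# idle_seconds since the previous occurrence starts a new entry. SEPM's exact
# rules are not documented on this page.
from typing import Iterable, List, Tuple

Event = Tuple[float, str]            # (seconds since start, event key)
Entry = Tuple[float, str, int]       # (first occurrence, key, occurrence count)


def aggregate(events: Iterable[Event], damper_seconds: float,
              idle_seconds: float) -> List[Entry]:
    """Collapse repeated events into counted entries, the way a damper does."""
    open_entries = {}                # key -> [first_ts, last_ts, count]
    done: List[Entry] = []
    for ts, key in sorted(events):
        cur = open_entries.get(key)
        if (cur is not None
                and ts - cur[1] <= idle_seconds      # within the damper idle
                and ts - cur[0] < damper_seconds):   # still inside the damper period
            cur[1] = ts
            cur[2] += 1
            continue
        if cur is not None:                         # close the previous entry
            done.append((cur[0], key, cur[2]))
        open_entries[key] = [ts, ts, 1]             # first occurrence: new entry
    for key, (first, _last, count) in open_entries.items():
        done.append((first, key, count))
    return sorted(done)


if __name__ == "__main__":
    # Constructed sample: bursts of the same event kind with pauses between them.
    sample = [(0, "A"), (5, "A"), (8, "A"), (30, "A"), (32, "B"),
              (35, "A"), (400, "A")]
    # 300 s matches the page's 5-minute default, 10 s the default damper idle.
    for entry in aggregate(sample, damper_seconds=300, idle_seconds=10):
        print(entry)
```

Raising the damper idle merges the pauses into fewer, larger entries; lowering it produces more entries but preserves the timing of each burst.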
If you choose not to upload the client logs, it has the following consequences:
You can configure the following log handling options for antivirus and antispyware policies:
Log data is not backed up unless you configure Symantec Endpoint Protection to back it up. If you do not back up the logs, then only your log configuration options are saved during a backup. You can use the backup to restore your database, but the logs in the database are empty of data when they are restored. This configuration option is located with the other backup options for local sites on the Servers page of the Admin page. You can choose to keep up to ten versions of site backups. You should ensure that you have adequate disk space to keep all your data if you choose to keep multiple versions.
If you have a large number of clients, you may have a large volume of client log data.
You should consider whether or not you want to reduce the volume of data by using the following configurations:
If you still plan to upload very large amounts of client log data to a server, you need to consider the following factors:
A configuration that uploads a large volume of client log data to the server at frequent intervals can cause space problems. If you must upload a large volume of client log data, you may have to adjust some default values to avoid these space problems. As you deploy to clients, you should monitor the space on the server in the log insertion directory and adjust these values as needed. The default directory where the logs are converted to .dat files and then written into the database is drive:\Program Files(x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log. The location of the server data directory is set during installation when you are asked to select the server data folder. You can run the Management Server Configuration Wizard from the Start menu to change this directory if desired. The \inbox\log directory is automatically added to the directory you set.
The frequency with which the client logs are uploaded is configured on the Policies page of the Clients page, under Communications Settings. The default frequency is to upload the logs every five minutes.
To adjust the values that control the space available on the server, you must change these values in the registry. The registry keys that you need to change are located on the server in:
The database receives and stores a constant flow of entries into its log files. You must manage the data that is stored in the database so that it does not consume all the available disk space. Too much data can cause the computer on which the database runs to crash.
You should understand your default database maintenance settings and change them if the disk space that the database uses seems to grow constantly. If there is a large spike in risk activity, you may need to delete some data to protect the available disk space on the server.
Administrators can configure database maintenance options for the data that are stored in the logs. Database maintenance options help you to manage the size of your database by specifying compression settings and how long to keep data.
For information about the specific database maintenance options, refer to the context-sensitive help on the Site Properties for site name dialog box Database tab.
To configure database maintenance options for logs
If you choose to use the embedded database with Symantec Endpoint Protection or Symantec Network Access Control, you should note the following information. When you run the database application named Interactive SQL (dbisqlc.exe), it blocks the insertion of data into the embedded database. If you use the application for a while, .dat files accumulate in the drive:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log directories.
To alleviate the buildup of the .dat files and restart data insertion into the database, close the application.
If database errors occur when you view reports or logs that contain a lot of data, you can make the following changes:
The reporting defaults for these values are as follows:
If you get CGI or terminated process errors, you might want to change other timeout parameters. See the Symantec Knowledge Base article called "Reporting server does not report or shows a timeout error message when querying large amounts of data."
* $CommandTimeout = ####
* $ConnectionTimeout = ####
Timeout values are in seconds. If you specify zero, or leave the fields blank, the default settings are used.
If the System Log becomes corrupted on a 64-bit client, you may see an unspecified error message in the system logs on the console. If corrupted, you cannot view the data in the log on the client and the data does not upload to the console. This condition can affect data in the console Computer Status, Risk, and Scan logs and reports.
To correct this condition, you can delete the corrupted log file and the serialize.dat file on the client. These files are located on the client in Drive:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\AV\date.Log. After you delete these files, the log file is recreated and begins to log entries correctly.
When running this command in a browser window:
https://localhost:8443/servlet/ConsoleServlet?ActionType=ConfigServer&action=SweepLogs
On screen, the following message is displayed:
<?xml version="1.0" encoding="UTF-8"?>
<Response ResponseCode="0"/>
This is the expected output. It is not an error.
With SEP 14, add the following line to the conf.properties file to allow the command to run.
scm.configserver.allowed.actions=SweepLogs
To confirm that the action has been taken, examine the server logs in the Admin, Servers section of the GUI console. There should be entries similar to:
May 21, 20xx 11:22:59 AM BST: Some logs have been swept. [Site: Site Your_Site_Name] [Server: Your_Server_Name]
May 21, 20xx 12:13:04 PM BST: Some logs have been swept. [Site: Site Your_Site_Name] [Server: Your_Server_Name]
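The following is an added example, not Symantec code: it issues the sweep request shown above and checks the two pieces of evidence the page gives, the XML response and the "Some logs have been swept" server log entries. It assumes run_sweep() is called from a host where the console accepts the request (the page shows it working from a browser on the server) with the console certificate as cafile, and that the server log has been exported to text; the page does not describe the servlet's authentication, so that part is an assumption to adapt.

```python
# Added example, not Symantec code: checks the two pieces of evidence the page
# gives for a manual sweep, the servlet's XML response and the "Some logs have
# been swept" server log entry. Assumptions: run_sweep() is called from a host
# where the console accepts the request and cafile is the console certificate;
# the page does not describe the servlet's authentication.
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SWEEP_URL = ("https://localhost:8443/servlet/ConsoleServlet"
             "?ActionType=ConfigServer&action=SweepLogs")

SWEPT_RE = re.compile(r"^(?P<when>.+?): Some logs have been swept\. "
                      r"\[Site: (?P<site>.+?)\] \[Server: (?P<server>.+?)\]$")

# Constructed sample of server log lines, built from the entries shown above
# plus one unrelated entry that the check must ignore.
SAMPLE_SERVER_LOG = """\
May 21, 20xx 11:20:01 AM BST: (constructed unrelated entry) [Site: Site Your_Site_Name] [Server: Your_Server_Name]
May 21, 20xx 11:22:59 AM BST: Some logs have been swept. [Site: Site Your_Site_Name] [Server: Your_Server_Name]
May 21, 20xx 12:13:04 PM BST: Some logs have been swept. [Site: Site Your_Site_Name] [Server: Your_Server_Name]
"""


def sweep_response_ok(xml_text: str) -> bool:
    """True when the servlet answered <Response ResponseCode="0"/>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return root.tag == "Response" and root.get("ResponseCode") == "0"


def swept_entries(log_text: str) -> list:
    """Return (timestamp, site, server) for each sweep entry in the server log."""
    found = []
    for line in log_text.splitlines():
        m = SWEPT_RE.match(line.strip())
        if m:
            found.append((m.group("when"), m.group("site"), m.group("server")))
    return found


def run_sweep(cafile: str, url: str = SWEEP_URL, timeout: int = 30) -> bool:
    """Issue the sweep request and report whether the expected response came back."""
    ctx = ssl.create_default_context(cafile=cafile)   # trust the console certificate
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return sweep_response_ok(resp.read().decode("utf-8"))
```

A non-zero ResponseCode, or a sweep call that leaves no new "Some logs have been swept" entry, means the sweep did not run and the database backup should be checked before relying on it.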