Configuring Endpoint Protection Client Logging and External Logging

Article ID: 178940


Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) administrators need to configure SEP clients and the Symantec Endpoint Protection Manager (SEPM) to forward logged data.

Environment

On-premises SEP environment.

Resolution

Overview

Endpoint Protection allows for clients to report their log information to the Symantec Endpoint Protection Manager (SEPM). This client logging can be done with or without using external logging. Either way, this allows for reports to be created in the SEPM console. These reports can be viewed or saved to external files.

The external logging feature in the SEPM exports the logged data that clients forward to the SEPM, together with the logs the SEPM server itself creates. There are two options:

  1. Exporting log data to a dump file (some SIEM collectors read, or "scrape", this file).
  2. Exporting log data directly to an external logging server.

Both options are configured in the SEPM console. The following is a high-level overview of the related logging options.

 

Obtaining Log Files from Managed Clients

Generally, it is desirable to gather log data from managed Endpoint Protection clients. There are two locations in the SEPM to configure logging options for clients and to instruct them to send logged data to the SEPM.

Note: It is important to consider disk space requirements on the SEPM and on the clients when gathering log data from clients.

 

Location 1 is in the Clients section > Policies tab > Client Log Settings (at the top, under Location-independent Policies and Settings).

Location 2 is in the Virus and Spyware Protection policy applied to the clients. There may be multiple policies managing different sets of clients, and each policy assigned to clients requires its own logging configuration. (If child groups inherit policies from the parent group, only the parent group's policy needs to be modified.)

When a policy is edited, a new window opens over the main SEPM window containing the logging options. They are on the Policies section > Virus and Spyware Protection policy > Miscellaneous page > Log Handling tab.

 

Configuring External Logging in the SEPM Console

Once clients are sending log data to the SEPM, that data can be exported to a dump file or sent to an external logging server.

To configure external logging, browse to the following location in the SEPM console:

Admin section > Servers page > select Local Site > Configure External Logging

 

The dump file location, by default, is ...\Symantec Endpoint Protection Manager\data\dump

Note: The dump files are not generated until the administrator selects which logs to dump in the Configure External Logging dialog.
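Whichever option is chosen, something downstream has to consume the exported lines. The following is an added example written for this article (it is not Symantec's code, and the SEPM does not ship it). It assumes the record format SEPM uses for external logging, namely one event per line made of comma-separated "Field: value" pairs with bare labels such as "Virus found" or "Completed" where SEPM emits no field name; the three sample lines, the host names and the set of actions treated as remediated are constructed for the example. It parses the lines into records, totals detections per computer, and flags detections whose actual action did not remediate the risk, which is the check an analyst most often wants after wiring SEPM into a SIEM.

```python
"""Parse SEPM external-logging output and flag unremediated detections.

Added example for this article; it is not Symantec's code. It assumes the
format SEPM uses for external logging (dump file and syslog): one event per
line, comma-separated "Field: value" pairs, with bare labels such as
"Virus found" or "Completed" where SEPM emits no field name. The sample
lines are constructed for the example, not captured from a real SEPM.
"""
import re
from collections import Counter

# "Name: value" -- split on the first ": " so timestamps keep their colons.
FIELD_RE = re.compile(r"^([^:]+): (.*)$")

# Constructed sample lines in the assumed SEPM external-logging format.
SAMPLE_LINES = [
    "Virus found,IP Address: 10.0.0.15,Computer name: WS-ACCT-01,"
    "Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,"
    "Actual action: Quarantined,Requested action: Cleaned,"
    "Secondary action: Quarantined,Event time: 2024-03-04 09:12:33",
    "Scan ID: 123456789,Begin: 2024-03-04 02:00:00,End: 2024-03-04 02:41:10,"
    "Completed,Duration (seconds): 2470,User1: SYSTEM,Risks: 0,"
    "Scanned: 184233,Computer: WS-ACCT-01",
    "Virus found,IP Address: 10.0.0.22,Computer name: WS-ACCT-07,"
    "Source: Scheduled Scan,Risk name: EICAR Test String,Occurrences: 2,"
    "Actual action: Left alone,Requested action: Cleaned,"
    "Secondary action: Quarantined,Event time: 2024-03-04 09:15:02",
]

# Actions that mean the risk was handled; anything else (e.g. "Left alone")
# needs follow-up. This set is chosen for the example, not taken from Symantec.
REMEDIATED_ACTIONS = {"Quarantined", "Cleaned", "Deleted"}


def parse_line(line):
    """Split one log line into {"labels": [...], "fields": {...}}.

    Tokens matching "Name: value" become fields; tokens without a field
    name are kept in order as labels. Limitation: a value that itself
    contains a comma is split across tokens.
    """
    record = {"labels": [], "fields": {}}
    for token in line.strip().split(","):
        token = token.strip()
        if not token:
            continue
        match = FIELD_RE.match(token)
        if match:
            record["fields"][match.group(1)] = match.group(2)
        else:
            record["labels"].append(token)
    return record


def parse_lines(lines):
    """Parse an iterable of lines, skipping blank ones."""
    return [parse_line(line) for line in lines if line.strip()]


def parse_dump_file(path):
    """Read a SEPM dump file (encoding assumed UTF-8) and parse every line."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return parse_lines(handle)


def unresolved_detections(records):
    """Return 'Virus found' records whose actual action did not remediate."""
    return [
        r for r in records
        if "Virus found" in r["labels"]
        and r["fields"].get("Actual action") not in REMEDIATED_ACTIONS
    ]


def detections_by_host(records):
    """Sum 'Occurrences' per computer across all 'Virus found' records."""
    counts = Counter()
    for r in records:
        if "Virus found" in r["labels"]:
            host = r["fields"].get("Computer name", "unknown")
            counts[host] += int(r["fields"].get("Occurrences", "1"))
    return counts


if __name__ == "__main__":
    records = parse_lines(SAMPLE_LINES)
    print("detections per host:", dict(detections_by_host(records)))
    for r in unresolved_detections(records):
        f = r["fields"]
        print(f"follow up: {f['Computer name']} {f['Risk name']} -> {f['Actual action']}")
```

To run it against a real export, point parse_dump_file at a file under the SEPM data\dump directory (or feed received syslog lines to parse_lines) and adjust REMEDIATED_ACTIONS to the action names your SEPM version emits; the field names in the sample are assumptions and should be checked against one real line before the script is relied on.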