Finding client content download events in Endpoint Protection Manager logs

Article ID: 210377

Products

Endpoint Protection

Issue/Introduction

You want to find logs for content that SEP (Symantec Endpoint Protection) clients have downloaded, including download source and file type.

Cause

These logs help determine:

  • if content downloads are happening
  • if they were downloaded from a SEPM (Symantec Endpoint Protection Manager) or GUP (Group Update Provider)
  • if the file was a .dax (delta content) or a full.zip

Resolution

  1. Open the SEPM and navigate to the Monitors page
  2. Go to the Logs tab
  3. Set the Log type to System
  4. Set the Log content to Client Activity
  5. Set the Time range to the desired value
  6. Click Additional Settings
  7. In the Event source field, remove the * and enter: cve
  8. Set the Limit of entries per page to the desired value
  9. Click View Log

Logs may be exported to a CSV file for filtering in a spreadsheet application. Downloads from a source with port 8014 or 443 are typically from a SEPM, and downloads from a source with port 2967 are typically from a GUP.
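
The port and file-type checks above can also be scripted against the exported CSV. The following is an added example, not part of the original article or Symantec tooling: the column names, host names and URLs in `SAMPLE_EXPORT` are constructed, and the script assumes only that each download event contains a URL somewhere in its row. Ports outside the article's list are reported as unknown so they can be reviewed.

```python
import csv
import io
import re
from collections import Counter

# Port heuristic from the article: 8014 or 443 -> SEPM, 2967 -> GUP.
PORT_SOURCE = {8014: "SEPM", 443: "SEPM", 2967: "GUP"}
DEFAULT_PORT = {"http": 80, "https": 443}
URL_RE = re.compile(r'(https?)://([^\s/:"]+)(?::(\d+))?(/[^\s"]*)?', re.I)

# Constructed sample rows; a real SEPM export may use different columns and wording.
SAMPLE_EXPORT = """Time,Computer,Event source,Description
2024-01-01 10:00:00,HOST-A,cve,Downloaded http://sepm.example.test:8014/content/placeholder/1.dax
2024-01-01 10:05:00,HOST-B,cve,Downloaded http://gup.example.test:2967/content/placeholder/full.zip
2024-01-01 10:06:00,HOST-C,cve,Downloaded https://sepm.example.test/content/placeholder/full.zip
2024-01-01 10:07:00,HOST-D,cve,Downloaded http://10.0.0.9:8080/content/placeholder/2.dax
"""

def classify_row(text):
    """Return (source, content_type) for one log row, or None if it has no URL."""
    m = URL_RE.search(text)
    if not m:
        return None
    scheme, _host, port, path = m.groups()
    # A URL without an explicit port uses the scheme default.
    port = int(port) if port else DEFAULT_PORT[scheme.lower()]
    path = (path or "").lower().split("?")[0]
    if path.endswith(".dax"):
        kind = "delta"
    elif path.endswith("full.zip"):
        kind = "full"
    else:
        kind = "other"
    return PORT_SOURCE.get(port, f"unknown:{port}"), kind

def summarize(csv_text):
    """Count download events per (source, content_type) across an exported log."""
    counts = Counter()
    for row in csv.reader(io.StringIO(csv_text)):
        result = classify_row(" ".join(row))
        if result:
            counts[result] += 1
    return counts

if __name__ == "__main__":
    for (source, kind), n in sorted(summarize(SAMPLE_EXPORT).items()):
        print(f"{source:14} {kind:6} {n}")
```

To run it on a real export, pass the contents of the exported file to `summarize()` in place of `SAMPLE_EXPORT`.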