Finding client content download events in Endpoint Protection Manager logs


Article ID: 210377


Updated On:


Endpoint Protection


You want to find logs for content that SEP (Symantec Endpoint Protection) clients have downloaded, including download source and file type.


Helps determine:

  • if content downloads are happening
  • if they were downloaded from a SEPM (Symantec Endpoint Protection Manager) or GUP (Group Update Provider)
  • if the file was a .dax (delta content), or


  1. Open the SEPM and navigate to the Monitors page
  2. Go to the Logs tab
  3. Set the Log type to System
  4. Set the Log content to Client Activity
  5. Set the Time range to the desired value
  6. Click Additional Settings
  7. In the Event source field, remove the * and enter: cve
  8. Set the Limit of entries per page to the desired value
  9. Click View Log

Logs may be exported to a csv file for filtering in a spreadsheet application. Downloads from a source with port 8014 or 443 are typically from a SEPM, and port 2967 is from a GUP.