You want to know what logs can be reviewed to confirm that Symantec Endpoint Protection 12.1 (SEP) clients are downloading content from Group Update Providers (GUPs) instead of from the Symantec Endpoint Protection Manager (SEPM).
This information can be viewed both in the SEP client and in logs on the SEPM.
Viewing this information in the SEP client:
The SEP client will log the time and source location when it downloads new content in the SEP client's System log. To open the System log, follow these steps:
- Double-click the SEP system tray icon
- Click View Logs
- Click View Logs next to Client Management
- Click System Log
- Click Filter and set the time range appropriately. The default is 1 day.
- Look in the Summary column for events which begin with "Downloaded new content update from Group Update Provider successfully." The full remote file path can be reviewed by clicking the event.
Note: If the SEP client downloads an update from the SEPM instead, it logs an event in the SEP client's System log which reads "Downloaded new content update from the management server successfully."
Viewing this information in the SEPM:
The SEPM has logs which report the time, name, and source of any content SEP clients download. This includes content downloaded from GUPs. To see, from a centralized location, where SEP clients are downloading definitions from, follow the steps below:
- Log in to the SEPM
- Click Monitors > Logs
- Set Log type to System
- Set Log content to Client Activity
- Select an appropriate time range
- Click Advanced Settings
- In Event source, type: sylink
- In Computer, type the name of the computer to filter by (if so desired). Leaving this field unchanged will show results for all SEP clients.
- Click View Log
- Review the Description column to determine where SEP clients are downloading updates. If the SEP client is successfully downloading content from a GUP, there will be entries which read "Downloaded new content update from Group Update Provider successfully."
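When many clients need to be checked, the same review can be scripted over an exported copy of the log. The following is an added example, not Symantec code: it tallies, per computer, how many content downloads came from a GUP and how many from the management server, using the two event strings quoted above. The CSV layout, the column names (Time, Computer, Description) and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Event text quoted in the article above.
GUP_MSG = "Downloaded new content update from Group Update Provider successfully."
SEPM_MSG = "Downloaded new content update from the management server successfully."

# Constructed sample export. The CSV layout and column names are assumptions.
SAMPLE_CSV = """Time,Computer,Description
2014-03-01 09:00:12,WS-001,Downloaded new content update from Group Update Provider successfully.
2014-03-01 13:02:40,WS-001,Downloaded new content update from Group Update Provider successfully.
2014-03-01 09:05:31,WS-002,Downloaded new content update from Group Update Provider successfully.
2014-03-01 17:44:09,ws-002,Downloaded new content update from the management server successfully.
2014-03-01 10:15:00,WS-003,Downloaded new content update from the management server successfully.
2014-03-01 10:20:00,WS-004,Unrelated event (constructed)
"""


def classify(description):
    """Return 'gup', 'sepm', or None for events that are not content downloads."""
    text = description.strip()
    if text.startswith(GUP_MSG):
        return "gup"
    if text.startswith(SEPM_MSG):
        return "sepm"
    return None


def summarize(csv_text):
    """Count downloads per computer and source; computer names are case-folded."""
    counts = defaultdict(lambda: {"gup": 0, "sepm": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        source = classify(row.get("Description") or "")
        if source:
            counts[(row.get("Computer") or "").strip().upper()][source] += 1
    return dict(counts)


def sepm_downloaders(counts):
    """Computers that fetched content from the management server at least once."""
    return sorted(name for name, c in counts.items() if c["sepm"] > 0)


if __name__ == "__main__":
    result = summarize(SAMPLE_CSV)
    for name in sorted(result):
        print(name, result[name])
    print("Downloaded from SEPM:", sepm_downloaders(result))
```
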