Symantec 12 traffic

I am working on a network that runs sep12 console. Remote clients connect into the console for policy changes, log uploads and virus defs. I can see lots of port 8014 traffic, but how do I know if this traffic relates to the def downloads or if this relates to log files? I want to separate out the two so I have a clear view on exactly how much data is crossing the link.

btan (Exec Consultant) commented:
You can check the client activity log, e.g. go to Monitors > Logs > Log type = System > Log content = Client Activity. There should be an event type column in the listing.
- See "How can we check which content SEP 12.1 clients are downloading from GUP?"

Or even have GUP Monitor configured.
See  -

In case of client troubleshooting for the heavy traffic, see "Troubleshooting Client Communication"

But do note that on the client machine, there can be more logs in the default path, such as C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Logs\AV, which depends on the log rotation and retention configured in the SEP client's settings (e.g. Clients > My Company > Policies tab > Client Log Settings). You may see discrepancies between the SEPM and client logs, as the retention period at each is not really in sync per se. SEPM tends to be shorter since it is seeing most clients - See this
Insufficient log retention settings to accomplish a 60 day report.

By default, a SEPM is configured to hold 10,000 entries of System Client-Server Activity logs. Depending on the amount of activity on a set of client and the number of clients attached to a SEPM, this limit may not be large enough to hold 60 days of data.

Sid_F (Author) commented:
Thanks, just a few queries on the gup end and please excuse my ignorance for some of this!

If a client is configured for a gup, does it scan its local network or does it need to be told the IP of the gup?
Can a client be configured to look for a gup first and then go externally to Symantec for its updates if it doesn't find the gup?

btan (Exec Consultant) commented:
See the GUP configuration,
To configure a single Group Update Provider

In the Group Update Provider dialog box, under Group Update Provider Selection for Client, click Single Group Update Provider IP address or host name....
When you configure an explicit list of Group Update Providers, you can specify that Symantec Endpoint Protection clients with IP addresses that fall on a particular subnet should use a particular Group Update Provider. Note that a client may have multiple IP addresses and that Symantec Endpoint Protection considers all of its IP addresses when it matches the Group Update Provider to use. So, the IP address that the policy matches to is not necessarily bound to the interface that the client uses to communicate with the Group Update Provider.

For example, suppose that a client has IP address A, which it uses to communicate with the Symantec Endpoint Protection Manager and with the Group Update Provider. This same client also has IP address B, which is the one that matches the Explicit Group Update Provider that you have configured in the LiveUpdate Settings policy for this client. The client can choose to use a Group Update Provider based on the address B, even though that is not the address that it uses to communicate with the Group Update Provider.
To search for the clients that act as Group Update Providers, follow these steps:

In the console, click Clients.
On the Clients page, on the Clients tab, in the View box, select Client status.
In the Tasks pane, click Search Clients.
In the Find box, select Computers.
In the In Group box, specify the group name.
Under Search Criteria, in the Search Field column, select Group Update Provider.
Under Search Criteria, in the Comparison Operator column, select =.
Under Search Criteria, in the Value column, select True. Click Help for information on the search criteria.
Click Search
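
The subnet matching described in the answer above, as an added Python sketch that is not part of the thread and not Symantec's code: every address on a client is tested against the explicit GUP list, so the match can come from an address other than the one the client uses to reach the GUP. The subnets, addresses, host names and the first-match ordering are constructed assumptions.

```python
import ipaddress

# Constructed sample policy: client subnet -> explicit Group Update Provider.
EXPLICIT_GUPS = {
    "10.20.0.0/16": "10.20.0.5",
    "192.168.50.0/24": "192.168.50.10",
}

# Constructed inventory: comm_ip is the address the client uses to reach
# SEPM and the GUP ("address A"); ips is every address on the machine.
CLIENTS = {
    "ws-01": {"comm_ip": "10.20.3.7", "ips": ["10.20.3.7"]},
    "laptop-07": {"comm_ip": "172.16.4.20",
                  "ips": ["172.16.4.20", "192.168.50.77"]},
    "kiosk-02": {"comm_ip": "172.16.9.9", "ips": ["172.16.9.9"]},
}


def match_gup(client_ips, explicit_gups=EXPLICIT_GUPS):
    """Return (gup, matched_ip) for the first client address that falls in a
    configured subnet, or (None, None). All addresses are considered.
    First-match ordering is an assumption of this sketch."""
    nets = [(ipaddress.ip_network(n), g) for n, g in explicit_gups.items()]
    for ip in map(ipaddress.ip_address, client_ips):
        for net, gup in nets:
            if ip in net:
                return gup, str(ip)
    return None, None


def audit(clients=CLIENTS):
    """List each client's GUP and flag matches made on an address other
    than the one it communicates on ("address B" in the answer)."""
    findings = []
    for name, info in clients.items():
        gup, matched = match_gup(info["ips"])
        if gup is None:
            status = "no-explicit-gup"
        elif matched != info["comm_ip"]:
            status = "matched-on-other-interface"
        else:
            status = "ok"
        findings.append((name, gup, matched, status))
    return findings


if __name__ == "__main__":
    for row in audit():
        print(row)
```

Clients flagged as matched-on-other-interface are the ones whose update traffic may not follow the link you expect from their primary address, which matters when accounting for data crossing a specific link.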

Sid_F (Author) commented:
Great response, thank you.