Symantec Endpoint Protection collects information about the security events in your network. You can use log and reports to view these events, and you can use notifications to stay informed about the events as they occur.

1. MODULE 19: ADVANCED
MONITORING AND REPORTING
1

2. MONITORING THE HOME AND MONITORS
PAGE
Symantec Endpoint Protection collects information about the security
events in your network. You can use log and reports to view these
events, and you can use notifications to stay informed about the events
as they occur.
You can use the reports and logs to determine the answers to the
following kinds of questions:
■ Which computers are infected?
■ Which computers need scanning?
■ What risks were detected in the network?
2

3. MONITORING THE HOME AND MONITORS
PAGE
Logging on to reporting from a stand-alone Web browser
You can access the Home, Monitors, and Reports page functions from a
stand-alone Web browser that is connected to your management
server.
You can perform all the reporting functions from a stand-alone Web
browser.
However, all of the other console functions are not available when you
use a stand-alone browser.
3

4. ANALYZING AND MANAGING LOGS
You can generate a list of events to view from your logs that are
based on a collection of filter settings that you select.
Each log type and content type have a default filter configuration
that you can use as-is or modify.
You can also create and save new filter configurations.
These new filters can be based on the default filter or on an existing
filter that you created previously.
If you save the filter configuration, you can generate the same log
view at a later date without having to configure the settings each
time.
You can delete your customized filter configurations if you no longer
need them.
4

5. ANALYZING AND MANAGING LOGS
Because logs contain some information that is collected at
intervals, you can refresh your log views.
To configure the log refresh rate, display the log and select from the
Auto-Refresh list box at the top right on that log's view.
Reports and logs always display in the language that the
management server was installed with.
To display these when you use a remote Symantec Endpoint Protection
Manager console or browser, you must have the appropriate font
installed on the computer that you use.
5

6. ANALYZING AND MANAGING LOGS
Logs contain records about client configuration changes, securityrelated activities, and errors.
These records are called events. The logs display these events with
any relevant additional information.
Security-related activities include information about virus
detections, computer status, and the traffic that enters or exits the
client computer.
Logs are an important method for tracking each client computer’s
activity and its interaction with other computers and networks.
6

7. ANALYZING AND MANAGING LOGS
You can use this data to analyze the overall security status of the
network and modify the protection on the client computers. You can
track the trends that relate to viruses, security risks, and
attacks. If several people use the same computer, you might be able
to identify
who introduces risks, and help that person to use better precautions.
You can view the log data on the Logs tab of the Monitors page.
7

8. ANALYZING AND MANAGING LOGS
The management server regularly uploads the information in the logs
from the clients to the management server.
You can view this information in the logs or in reports.
Because reports are static and do not include as much detail as the
logs, you might prefer to monitor the network by using logs.
8

9. ANALYZING AND MANAGING LOGS
Saving and deleting custom logs by using filters
You can construct custom filters by using the Basic Settings and
Advanced Settings to change the information that you want to see.
You can save your filter settings to the database so that you can
generate the same view again in the future.
When you save your settings, they are saved in the database.
The name you give to the filter appears in the Use a saved filter list
box for that type of logs and reports.
9

10. ANALYZING AND MANAGING LOGS
Viewing logs from other sites
If you want to view the logs from another site, you must log on to a server
at the remote site from the Symantec Endpoint Protection Manager
console.
If you have an account on a server at the remote site, you can log on
remotely and view that site's logs.
If you have configured replication partners, you can choose to have all
the logs from the replication partners copied to the local partner and vice
versa.
If you choose to replicate logs, by default you see the information from
both your site and the replicated sites when you view any log. If you want
to see a single site, you must filter the data to limit it to the location you
want to view.
10

11. ANALYZING AND MANAGING LOGS
Running commands from the computer status log
From the Computer Status log, you can take the following kinds of
actions on
client computers:
■ Run scans or cancel scans.
■ Restart the computers.
■ Update content.
■ Enable or disable several of the protection technologies.
11

12. ANALYZING AND MANAGING LOGS
You can also right-click a group directly from the Clients page of the
Symantec Endpoint Protection Manager console to run commands.
From the Command Status tab, you can view the status of the
commands that you have run from the console and their details. You
can also cancel a specific scan from this tab if the scan is in progress.
You can cancel all scans in progress and queued for selected clients. If
you confirm the command, the table refreshes and you see that the
cancel command is added to the command status table.
12

13. ANALYZING AND MANAGING LOGS
If you run a Restart Client Computer command from a log, the
command is sent immediately.
Users that are logged on to the client are warned about the restart
based on the options that the administrator has configured for that
client.
You can configure client restart options on the General Settings tab.
13

14. CONFIGURING AND VIEWING
NOTIFICATIONS
Notifications alert administrators and computer users about potential
security problems.
Some notification types contain default values when you configure
them.
These guidelines provide reasonable starting points depending on the
size of your environment, but they may need to be adjusted. Trial and
error may be required to find the right balance between too many
and too few notifications for your environment.
Set the threshold to an initial limit, then wait for a few days.
After a few days, you can adjust the notifications settings.
14

15. CONFIGURING AND VIEWING
NOTIFICATIONS
For virus, security risk, and firewall event detection, suppose that you
have fewer than 100 computers in a network.
A reasonable starting point in this network is to configure a
notification when two risk events are detected within one minute.
If you have 100 to 1000 computers, detecting five risk events within
one minute may be a more useful starting point.
You manage notifications on the Monitors page. You can use the
Home page to determine the number of unacknowledged notifications
that need your attention.
15

16. CONFIGURING AND VIEWING
NOTIFICATIONS
How notifications work
Notifications alert administrators and users about potential security
problems.
For example, a notification can alert administrators about an expired
license or a virus infection.
Events trigger a notification. A new security risk, a hardware change
to a client computer, or a trialware license expiration can trigger a
notification.
Actions can then be taken by the system once a notification is
triggered. An action might record the notification in a log, or run a
batch file or an executable file, or send an email.
16

17. CONFIGURING AND VIEWING
NOTIFICATIONS
Establishing communication between the management server and
email servers
For the management server to send automatic email notifications, you
must configure the connection between the management server and
the email server.
17

18. CONFIGURING AND VIEWING
NOTIFICATIONS
Viewing and acknowledging notifications
You can view unacknowledged notifications or all notifications. You can
acknowledge an unacknowledged notification. You can view all the
notification conditions that are currently configured in the console.
18

19. CONFIGURING AND VIEWING
NOTIFICATIONS
Saving and deleting administrative notification filters
You can use filters to expand or limit your view of administrative
notifications in the console. You can save new filters and you can
delete previously saved filters.
19

20. CONFIGURING AND VIEWING
NOTIFICATIONS
Setting up administrator notifications
You can configure notifications to alert you and other administrators
when particular kinds of events occur. You can also add the conditions
that trigger notifications to remind you to perform important tasks. For
example, you can add a notification condition to inform you when a
license has expired, or when a security risk has been detected.
When triggered, a notification can perform specific actions, such as
the following:
■ Log the notification to the database.
■ Send an email to one or more individuals.
■ Run a batch file.
20

21. CONFIGURING AND VIEWING
NOTIFICATIONS
Setting up administrator notifications
You choose the notification condition from a list of available notification types.
Once you choose the notification type, you then configure it as follows:
■ Specify filters.
Not all notification types provide filters. When they do, you can use the filters to
limit the conditions that trigger the notification. For example, you can restrict a
notification to trigger only when computers in a specific group are affected.
■ Specify settings.
All notification types provide settings, but the specific settings vary from type to
type. For example, a risk notification may allow you to specify what type of scan
triggers the notification.
■ Specify actions.
All notification types provide actions you can specify.
21

22. CREATING AND REVIEWING REPORTS
Configuring reporting preferences
You can configure the following reporting preferences:
■ The Home and Monitors pages display options
■ The Security Status thresholds
■ The display options that are used for the logs and the reports, as
well as legacy log file uploading
22

23. CREATING AND REVIEWING REPORTS
The following categories of reports are available:
■ Quick reports, which you run on demand.
■ Scheduled reports, which run automatically based on a schedule that
you configure.
Reports include the event data that is collected from your management
servers as well as from the client computers that communicate with those
servers.
You can customize reports to provide the information that you want to see.
The quick reports are predefined, but you can customize them and save
the filters that you used to create the customized reports. You can use the
custom filters to create custom scheduled reports.
When you schedule a report to run, you can configure it to be emailed to
one or more recipients.
23

24. CREATING AND REVIEWING REPORTS
A scheduled report always runs by default. You can change the
settings for any scheduled report that has not yet run.
You can also delete a single scheduled report or all of the scheduled
reports.
You can also print and save reports.
24

25. CREATING AND REVIEWING REPORTS
Running and customizing quick reports
Quick reports are predefined, customizable reports.
These reports include event data collected from your management
servers as well as the client computers that communicate with those
servers.
Quick reports provide information on events specific to the settings
you configure for the report.
You can save the report settings so that you can run the same report
at a later date, and you can print and save reports.
25

26. CREATING AND REVIEWING REPORTS
Saving and deleting custom reports
You can save custom report settings in a filter so that you can
generate the report again at a later date.
When you save your settings, they are saved in the database.
The name that you give to the filter appears in the Use a saved filter
list box for that type of logs and reports.
26

27. CREATING AND REVIEWING REPORTS
Creating scheduled reports
Scheduled reports are the reports that run automatically based on the
schedule that you configure.
Scheduled reports are emailed to recipients, so you must include the email
address of at least one recipient.
After a report runs, the report is emailed to the recipients that you
configure as an .mht file attachment.
The data that appears in the scheduled reports is updated in the
database every hour.
At the time that the management server emails a scheduled report, the
data
in the report is current to within one hour.
27

28. CREATING AND REVIEWING REPORTS
Editing the filter used for a scheduled report
You can change the settings for any report that you have already
scheduled.
The next time the report runs it uses the new filter settings.
You can also create additional scheduled reports, which you can base
on a previously saved report filter.
28

29. CREATING AND REVIEWING REPORTS
Printing and saving a copy of a report
You can print a report or save a copy of a Quick Report.
You cannot print scheduled reports.
A saved file or printed report provides a snapshot of the current data
in your reporting database so that you can retain a historical record.
29

30. INTRODUCING IT ANALYTICS
The IT Analytics Symantec Endpoint Protection Pack is an advanced
reporting solution that leverages business intelligence capabilities and
robust graphical reporting to provide a unified and comprehensive
view of the clients, alerts, and scan activity.
30