How Can We Help?

Search for answers or browse our knowledge base.

Documentation | Demos | Support

< All Topics

How to obtain the Symantec DLP Server Log files: location and description

DLP provides many operational log files that can be used to interpret how the system is running.

In DLP 15.0 and earlier, the log folders are found in the following locations:

Linux: /var/log/SymantecDLP/

Windows: SymantecDLPProtectlogs

In DLP 15.1 and newer, the log folders are found in the following locations:


C:ProgramDataSymantecData Loss PreventionEnforce Server15.1logs

C:ProgramDataSymantecData Loss PreventionDetection Server15.1logs


/var/log/Symantec/DataLossPrevention/Enforce Server/15.1/

/var/log/Symantec/DataLossPrevention/Detection Server/15.1/

Log File Name Description Server
Aggregator0.log This file describes communications between the detection

server and the agents.

Look at this log to troubleshoot the following problems:

¦ Connection to the agents

¦ To find out why incidents do not appear when they should

¦ If unexpected agent events occur

Endpoint detection


BoxMonitor0.log This file is typically very small, and it shows how the application processes are running. The BoxMonitor process oversees the detection server processes that pertain to that particular server type. For example, the processes that run on Network Monitor are file reader and packet capture. All detection servers
ContentExtractor0.log This log file may be helpful for troubleshooting

ContextExtractor issues.

All detection servers,

Enforce Server

DiscoverNative.log.0 Contains the log statements that the Network Discover native code emits. Currently contains the information that is related to ,pst scanning. This log file applies only to the Network Discover Servers that run on Windows platforms. Discover detection


FileReader0.log This log file pertains to the file reader process and contains application-specific logging, which may be helpful in resolving issues in detection and incident creation. Look at this log file to find out why an incident was not detected. One symptom that shows up is content extractor timeouts All detection servers
IncidentPersister0.log This log file pertains to the Incident Persister process. This process reads incidents from the incidents folder on the Enforce Server, and writes them to the database. Look at this log if the incident queue on the Enforce Server (manager) grows too large. This situation can be observed also by checking the incidents folder on the Enforce Server to see if incidents have backed up. Enforce Server
Indexer0.log This log file contains information when an EDM profile is indexed. It also includes the information that is collected when the external indexer is used. If indexing fails then this log should be consulted. Enforce Server (or

computer where the

external indexer is


jdbc.log This log file is a trace of JDBC calls to the database. By default, writing to this log is turned off. Enforce Server
MonitorController0.log This log file is a detailed log of the connections between the  Enforce Server and the detection servers. It gives details around the information that is exchanged between these servers including whether policies have been pushed to the detection servers or not. Enforce Server
PacketCapture.log This log file pertains to the packet capture process that

reassembles packets into messages and writes to the

drop_pcap directory. Look at this log if there is a problem

with dropped packets or traffic is lower than expected.

PacketCapture is not a Java process, so it does not follow the same logging rules as the other Symantec Data Loss

Prevention system processes.

All detection servers
PacketCapture0.log This log file describes issues with PacketCapture


All detection servers
RequestProcessor0.log This log file pertains to SMTP Prevent only. The log file is primarily for use in cases where SmtpPrevent_operational0.log is not sufficient. SMTP Prevent

detection servers

ScanDetail-target-0.log Where target is the name of the scan target. All white spaces in the target’s name are replaced with hyphens. This log file pertains to Discover server scanning. It is a file by file record of what happened in the scan. If the scan of the file is successful, it reads success, and then the path, size, time, owner, and ACL information of the file scanned. If it failed, a warning appears followed by the file name. Discover detection


SmtpPrevent_operational0.log This operational log file pertains to SMTP Prevent only. It is the primary log for tracking health and activity of a Mail Prevent system. Look at this file for information on the communications between the MTA and detection server. SMTP Prevent

detection servers

TomcatLocalhost.<date>.log This log file contains information for any action that involves  the user interface. The log includes the User Interface red error message box, password fails when logging on ) and Oracle errors (ORA –#). Enforce Server
Tomcat Localhost_access_log.<date>.txt


This log contains the record of all URLs requested. Enforce Server
VontuIncidentPersister.log This log file contains minimal information –stdout and stderr  only (fatal events). Enforce Server
VontuManager.log This log file contains minimal information –stdout and stderr  only (fatal events). Enforce Server
VontuMonitor.log This log file contains minimal information –stdout and stderr  only (fatal events). All detection servers
VontuMonitorController.log This log file contains minimal information –stdout and stderr  only (fatal events). Enforce Server
VontuNotifier.log This log file pertains to the Notifier service and its

communications with the Enforce Server and the

MonitorController service. Look at this file to see if the

MonitorController service registered a policy change

Enforce Server
VontuUpdate.log This log file is populated when Symantec Data Loss

Prevention is updated.

Enforce Server
WebPrevent_Access0.log This access log file pertains to Web Prevent only. It records all the requests that Web Prevent processes. It is similar to Web access logs for a proxy server. Web Prevent

detection servers

WebPrevent_Operational0.log This operational log file pertains to Web Prevent only. It

reports the operating condition of Web Prevent such as

whether the system is up or down, connection management, and so on. This log is the primary log file for tracking Web Prevent operations.

Web Prevent

detection servers

Was this article helpful?
0 out of 5 stars
5 Stars 0%
4 Stars 0%
3 Stars 0%
2 Stars 0%
1 Stars 0%
How can we improve this article?
Please submit the reason for your vote so that we can improve the article.
Previous How to Obtain a Broadcom/Symantec Support Site ID
Next How to restart Symantec DLP services (14.6-15.0)
Table of Contents