How does the client computer and the management server communicate?

Symantec Endpoint Protection Manager
connects to the client with a communications file called Sylink.xml. The Sylink.xml file includes the communication settings such as the IP address of the management server and the heartbeat interval. After you install a client installation package on to the client computers, the client and the server automatically communicate.
The sylink file performs many of its functions during the heartbeat. The heartbeat is the frequency at which client computers upload logs to the management server, and download policies and commands.
The sylink file contains:
  • The public certificate for all management servers.
  • The KCS, or encryption key.
  • The Domain ID that each client belongs to.
Do not edit the sylink file. If you change the settings, the management server overwrites most settings the next time the client connects to the management server.
For more information, see:
Troubleshooting Sylink communication
In version 14.2, the communications module was upgraded, and includes new log files. You can use this information to troubleshoot communication issues between
Symantec Endpoint Protection Manager
and the clients.
The 14.2 communications module works with all client types, including Windows, Mac, and Linux, and has improved IPv6 support.
As of version 14.2, the communication module only honors system proxy information.
  1. To troubleshoot Sylink communication
  2. To view the log files for the communications module, on the Windows client, in the following folder:
    C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data
    You can view the following files:
    • For client registration:
      • RegistrationInfo.xml
        Client registration metadata that the client submits to
        Symantec Endpoint Protection Manager
      • Registration.xml
        Client registration metadata that
        Symantec Endpoint Protection Manager
        returns to the client.
      • State.xml
        Includes internal settings, such as the management server IP address.
    • For the communications module logs:
      Use these logs to troubleshoot communication between
      Symantec Endpoint Protection Manager
      and the client. Send these logs to Technical Support if asked.
    • For the opstate status:
      Appears in the logs in the
  3. To configure the communication module logs, open the Windows Registry Editor, click
    , type
    , and then click
  4. To enable the cve.log or cve-actions.log, open the following Windows registry key:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink REG_DWORD: CVELogLevel
    Use any of the following values:
    • 1 = Debug
    • 2 = Info
    • 3 = Warning
    • 4 = Error
    • 5 = Fatal
    If the registry key is not present or does not have a valid value, it defaults to 4. The installation default is also 4.
    For example, you can type:
    [HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink] "CVELogLevel"=dword:00000001
    [HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink] "CVELogLevel"=dword:00000001
  5. To control the size of these logs, use the following registry value:
    The default size is 250 MB.