Symantec Network Security console stops displaying new events after installing the Remote_importer utility

Article:TECH112652  |  Created: 2005-01-12  |  Updated: 2005-01-30  |  Article URL http://www.symantec.com/docs/TECH112652
Article Type
Technical Solution


Environment

Issue



After you install and configure the Remote Importer utility on a Symantec Network Security 7100 Series appliance or a Symantec Network Security 4.0 node, the console stops displaying new events and incidents. It appears as though incidents and events disappear from the console after a few minutes. You also cannot generate reports. Restarting the computer does not fix the problem.


Solution



This problem happens because the Remote Importer agent restarts the Eventwriterd file. To temporarily fix this problem, restart the Symantec Network Security services. The problem is fixed until you restart the computer.

To prevent this problem, edit the startup script, which is the /usr/SNS/etc/init.d/manhunt file, to add the -P show parameter to the Eventwriterd entry. When Eventwriterd starts with this parameter, the Remote Importer does not restart Eventwriterd.

In the /usr/SNS/etc/init.d/manhunt file, find the following line:

runprog eventwriterd ${MHLOC}/bin/eventwriterd

Change this line to the following:

runprog eventwriterd "${MHLOC}/bin/eventwriterd -P show"



Technical Information
Though Symantec ManHunt does not exhibit this problem in the same way as Symantec Network Security, restarting the ManHunt services temporarily re-enables ManHunt, and adding the -P show parameter to Eventwriterd prevents related problems.


The Remote Importer agent forwards data from Symantec Network Security to the Symantec Security Operations Center (SOC). Data from SOC is used by Symantec Managed Services.



Legacy ID



2005011215415653


Article URL http://www.symantec.com/docs/TECH112652


Terms of use for this information are found in Legal Notices