Symantec Endpoint Protection Manager log processing is slow with error 1314 in the agentlogcollector logs.

Article:TECH176176  |  Created: 2011-12-05  |  Updated: 2012-04-05  |  Article URL http://www.symantec.com/docs/TECH176176
Article Type
Technical Solution


Issue



Log processing runs slowly, or logs are not processed at all, on a SEPM connected to a SQL database. There may be a build-up of .dat files in /data/inbox/agentinfo or /data/inbox/logs/*.

 


Error



The following error can be observed in the agentlogcollector logs:

2011-10-30 14:50:30.999 THREAD 38 FINE: Batch mode is on backup.
2011-10-30 14:50:31.124 THREAD 38 FINE: logTableName: AGENT_TRAFFIC_LOG_INSERT_2D3C10DA0A01BC4F00D6F628FD48F676 fileName:A7D74C790A01BC4F0061146BB00E13E1.tmp.dat
2011-10-30 14:50:31.124 THREAD 38 FINE: Database major version: 10
2011-10-30 14:50:31.155 THREAD 38 FINE: SQLException:  Failed to load data: CreateProcessAsUser failed with error 1314: A required privilege is not held by the client.

 Using batch handler

2011-10-30 14:50:31.171 THREAD 38 FINE: Batch size: 2000
2011-10-30 14:50:31.280 THREAD 38 FINE: Batch update record count: 2000
2011-10-30 14:52:11.030 THREAD 38 FINE: Batch update record count: 2000
2011-10-30 14:53:49.326 THREAD 38 FINE: Batch update record count: 2000
2011-10-30 14:55:30.686 THREAD 38 FINE: Batch update record count: 2000
2011-10-30 14:57:13.496 THREAD 38 FINE: Batch update record count: 2000
2011-10-30 14:59:01.556 THREAD 38 FINE: Batch update record count: 2000
2011-10-30 15:00:52.168 THREAD 38 FINE: Batch update record count: 2000
2011-10-30 15:02:32.559 THREAD 38 FINE: Batch update record count: 1086
2011-10-30 15:03:04.930 THREAD 38 FINE: File (roll up): C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\traffic\A7D74C790A01BC4F0061146BB00E13E1.tmp.dat 9.5 KB/s


Environment



SEPM connected to a SQL server using Windows Authentication.
Can happen on both SEP 11.0 and 12.1.
SEPM service running under a custom service account.


Cause



The SEPM service is trying to spawn BCP processes under the account used for Windows authentication on the SQL server. However, it fails to do so because the SEPM service account lacks the "Replace a process level token" privilege locally on the SEPM server.
This will happen even if the SEPM is running under the same service account that is used to authenticate to the database.


Solution



Grant the "Replace a process level token" privilege to the account used to run the SEPM service in the local security policy on the SEPM.

- Open the Local Security Policy MMC (secpol.msc).
- Expand "Local Policies" - "User Rights Assignment".
- Add the service account to the "Replace a process level token" privilege.

The change may require a restart to take effect.
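
To confirm the assignment after editing the policy, the following PowerShell script (an added example, not part of the original article) exports the User Rights Assignment area with secedit and checks whether the account is listed under SeAssignPrimaryTokenPrivilege, the constant name of "Replace a process level token". The account name EXAMPLE\svc-sepm is a hypothetical placeholder, and only direct assignment is checked, not rights held through group membership.

```powershell
# Added example. Run in an elevated PowerShell session on the SEPM server.
# 'EXAMPLE\svc-sepm' is a hypothetical placeholder for the SEPM service account.
param([string]$Account = 'EXAMPLE\svc-sepm')

# Constant name of the "Replace a process level token" user right.
$Right = 'SeAssignPrimaryTokenPrivilege'

function ConvertTo-SidString {
    param([string]$Entry)
    # secedit writes SIDs as "*S-1-5-..." and unresolved principals as plain names.
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Entry)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # name could not be resolved on this machine
    }
}

function Get-UserRightSids {
    param([string]$RightName)
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the local security policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
        $line = Get-Content -LiteralPath $cfg |
            Where-Object { $_ -match "^\s*$RightName\s*=" } | Select-Object -First 1
        if (-not $line) { return @() }   # the right is assigned to nobody
        $entries = ($line -split '=', 2)[1] -split ','
        return @($entries | ForEach-Object { ConvertTo-SidString $_.Trim() } | Where-Object { $_ })
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

$accountSid = ConvertTo-SidString $Account
if (-not $accountSid) { throw "Cannot resolve account '$Account' to a SID" }

$holders = @(Get-UserRightSids $Right)
if ($holders -contains $accountSid) {
    Write-Output "$Account ($accountSid) is directly assigned $Right."
} else {
    # Only direct assignment is checked; a right held via a group is not detected.
    Write-Output "$Account ($accountSid) is NOT directly assigned $Right. Current holders:"
    $holders | ForEach-Object { Write-Output "  $_" }
}
```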
 



