Remediating Log Buildup On Symantec Critical System Protection Agent
|Article:TECH190859|||||Created: 2012-06-12|||||Updated: 2012-06-12|||||Article URL http://www.symantec.com/docs/TECH190859|
There is a large buildup of log files on the agent machine. The files are named either SISRTEventsXX.csv or SISIDSEventsXX.csv or both.
This can be caused by:
- Communication is broken between the agent and the manager
- The common configuration is not set to have the agents purge the files after processing them
- The HIDS pointer file is corrupt
- There are corrupt entries in the .csv file(s) that are preventing the agent from processing the logs.
To remediate, address the corresponding cause:
- Test communication between the agent and the manager by running "sisipsconfig -test" from the command line. Also check for a green dot in the manager. If the test fails, perform network troubleshooting and verify that the agent is using the correct certificate and manager address.
- Set the common configuration in the manager that is assigned to that asset to delete log files after processing them. Configs > Common Parameters > [Common parameters name] > Logging Tab > Delete Log Files After Processing
- Remove and recreate the Pointer File:
a. On the manager, apply a null policy to the agent or allow policy override
b. On the agent, stop the SCSP Services
c. Once the services stop, move or rename the %ProgramFiles%\Symantec\Symantec Critical System Protection\Agent\IPS\hidslog1rtfilepointer file
d. Restart SCSP services.
e. Check for incoming events from the agent on the manager.
- Remove the pointer file and move .csv files:
a. On the manager, apply a null policy to the agent or allow policy override
b. On the agent, stop the SCSP Services
c. Once the services stop, move or rename the %ProgramFiles%\Symantec\Symantec Critical System Protection\Agent\IPS\hidslog1rtfilepointer file
d. Navigate to the %ProgramFiles%\Symantec\Symantec Critical System Protection\Agent\scsplog folder
e. Create a new sub-directory called “old_logs”
f. Move the 2 oldest .csv files (one will be SISIDSEventsXX.csv and the other will be SISRTEventsXX.csv, where XX is the incremental log number) into the old_logs folder
g. Restart SCSP services.
h. Check for incoming events from the agent on the manager.
i. If there are no events, repeat this until you get through the corrupted .csv file.
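The following PowerShell script is an added example, not Symantec's own tooling, that automates steps b through g of the procedure above (stop services, rename the pointer file, move the two oldest event logs into old_logs, restart services). Step a (null policy or policy override on the manager) must still be done first, because an active prevention policy can block the file operations, and step h remains a manual check on the manager. The SCSP agent service names in $ServiceNames are placeholders (the article does not name them); confirm the real names with Get-Service before running. The location of sisipsconfig.exe under Agent\IPS is also assumed. Run with -WhatIf first to see what would change, and repeat the run for step i until the corrupted .csv has been skipped.

```powershell
# Added example, not part of the Symantec article: one pass of the
# "remove the pointer file and move .csv files" procedure on the agent.
# Run as an administrator; use -WhatIf to preview without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$AgentRoot = (Join-Path $env:ProgramFiles 'Symantec\Symantec Critical System Protection\Agent'),
    # ASSUMPTION: placeholder service names. Replace with the real SCSP agent
    # service names on this host (check with Get-Service | Select Name, DisplayName).
    [string[]]$ServiceNames = @('<SCSP-IDS-service-name>', '<SCSP-IPS-service-name>')
)

$pointerFile = Join-Path $AgentRoot 'IPS\hidslog1rtfilepointer'   # path from the article
$logDir      = Join-Path $AgentRoot 'scsplog'                     # path from the article
$oldLogs     = Join-Path $logDir 'old_logs'

# Return the oldest log of one family (SISIDSEventsXX.csv or SISRTEventsXX.csv),
# ordering numerically by the incremental number XX embedded in the file name.
function Get-OldestEventLog {
    param([string]$Dir, [string]$Prefix)
    Get-ChildItem -Path $Dir -Filter "$Prefix*.csv" -File |
        Where-Object { $_.BaseName -match "^$Prefix(\d+)$" } |
        Sort-Object { [int]$_.BaseName.Substring($Prefix.Length) } |
        Select-Object -First 1
}

# Step b: stop the SCSP agent services, remembering which ones were running.
$running = Get-Service -Name $ServiceNames -ErrorAction Stop | Where-Object Status -eq 'Running'
foreach ($svc in $running) {
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop service')) { Stop-Service -Name $svc.Name -Force }
}

# Step c: rename (do not delete) the HIDS pointer file so the agent rebuilds it;
# the timestamped copy is kept in case the change has to be rolled back.
if (Test-Path $pointerFile) {
    $backupName = "hidslog1rtfilepointer.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    if ($PSCmdlet.ShouldProcess($pointerFile, "Rename to $backupName")) {
        Rename-Item -Path $pointerFile -NewName $backupName
    }
} else {
    Write-Warning "Pointer file not found: $pointerFile"
}

# Steps d-f: create old_logs and move the oldest SISIDSEvents and SISRTEvents logs into it.
if (-not (Test-Path $oldLogs)) { New-Item -ItemType Directory -Path $oldLogs | Out-Null }
foreach ($prefix in 'SISIDSEvents', 'SISRTEvents') {
    $oldest = Get-OldestEventLog -Dir $logDir -Prefix $prefix
    if ($null -eq $oldest) { Write-Warning "No $prefix*.csv files found in $logDir"; continue }
    if ($PSCmdlet.ShouldProcess($oldest.FullName, "Move to $oldLogs")) {
        Move-Item -Path $oldest.FullName -Destination $oldLogs
    }
}

# Step g: restart only the services that were running before.
foreach ($svc in $running) {
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Start service')) { Start-Service -Name $svc.Name }
}

# Step h is manual (watch for incoming events on the manager). The article's
# communication test can be run from the agent as a quick sanity check
# (ASSUMPTION: sisipsconfig.exe lives under Agent\IPS):
# & (Join-Path $AgentRoot 'IPS\sisipsconfig.exe') -test
```

Moving rather than deleting the logs and keeping the renamed pointer file means nothing is lost if the wrong pair of files was the culprit; once events flow again, the contents of old_logs can be reviewed for the corrupt entries before being discarded.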