Endpoint Protection


Application and device control logs missing on SEPM


  • 1.  Application and device control logs missing on SEPM

    Posted May 06, 2014 03:58 AM

    Hello team, I am facing a serious problem and I need your help with this.

    When I check the application and device control logs on the SEPM for the past three months, it only shows logs for 3 days. I can see application and device control logs on the affected endpoints, and there have been lots of detections for the group because System Lockdown and device blocking are configured for that group.

    But why isn't the SEPM showing this information? What troubleshooting can I perform to fix this?

    Waiting for your kind responses.

    Regards,



  • 2.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 04:11 AM

    Anyone would like to comment on this?



  • 3.  RE: Application and device control logs missing on SEPM

    Trusted Advisor
    Posted May 06, 2014 04:13 AM

    After how many days have you set the SEPM to delete machines that haven't checked in?

    Also, how many log entries do you have your current database settings set to keep? Admin > Servers > Database > Edit Database > Log Settings. If these are low, the SEPM may have deleted the logs. Depending on how many machines are on the network and how many logs they are sending to the SEPM, adjust accordingly.



  • 4.  RE: Application and device control logs missing on SEPM

    Trusted Advisor
    Posted May 06, 2014 04:42 AM

    Another thread with a similar query, and a bit more information as well:

    https://www-secure.symantec.com/connect/forums/sepm-application-and-device-control-logs



  • 5.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 04:46 AM

    As per your other thread, which states you have the SEPM set to retain 60 days' worth of logs:

    https://www-secure.symantec.com/connect/forums/sepm-application-and-device-control-logs

    I'd suggest you review the article below and see if it applies:

    http://www.symantec.com/docs/TECH143325

    I don't know if there's any way of verifying whether you've hit the row limit, but I imagine it should be possible if you have a SQL DB, comparing it against the SEPM DB Schema article (http://www.symantec.com/docs/DOC6039), but I've not tried it myself.



  • 6.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 05:05 AM

    30 days is the purging period for offline clients.



  • 7.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 05:23 AM

    Thanks SMLatCST, but the article you provided is about logging events for USB. I have applied System Lockdown and device blocking for this particular group, which contains 400 clients.

    So what can I do to fix this issue?



  • 8.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 05:26 AM

    What happens when the number of control log entries exceeds the defined limit set in those values?



  • 9.  RE: Application and device control logs missing on SEPM
    Best Answer

    Posted May 06, 2014 05:38 AM

    With regards to the limits, it's down to whichever is hit first. Anything past either limit is purged.

    Therefore, even though you may not have hit the 60-day limit on the logs, it's possible that your SEPM has hit the "max number of entries" instead and removed anything over that limit.

    #EDIT#

    Assuming this is the issue, then all you have to do is increase the number of entries the SEPM retains under DB Properties -> Log Settings. Just be aware that this will increase the size of your SEPM's DB over time, so make sure you have sufficient space.



  • 10.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 05:40 AM

    I think that since it hit the "max number of entries", that's why when I run the query for the logs of the last 3 months it gives me logs of only 5 recent days, i.e. 30, 1, 2, 3, 4, 5 respectively. What do you say, SMLatCST, about this assumption?



  • 11.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 05:47 AM

    Do you know the name of the table in SQL which I can check to see whether this row limit has been exceeded or not?



  • 12.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 05:51 AM

    Yes, that's what I'm getting at. I reckon you may have hit the limit for the number of log entries the SEPM will retain for these types of logs.

    As per my first post, unfortunately I don't know which table contains these particular log entries, so I linked the SEPM DB Schema article for you to have a look through. As such, I don't know which table you should be running a row count against.



  • 13.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 10:18 AM

    Hello SMLatCST, thanks for your reply.

    Well, the thing is, when I export the log to an Excel sheet for the last three months (application control), it shows me around 15,000 entries in total, all dated today and yesterday. It is an audit requirement that I have to submit logs for the last three months. Now, where can I verify that logs were actually purged when they reached this limit set in Edit Database Properties?

    Secondly, is there any way I can cross-check in the SQL database table, specifically the Application and Device Control table, to verify whether the rows have been exceeded, like you said in your earlier post?

    Regards,



  • 14.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 10:30 AM

    I imagine there should be, but as I mentioned above (twice), I'm afraid I don't know where they are in the DB. Please have a look at the schema info to find out where it is.

    Something else you can do to help you track down where the data is stored is to get your SQL admins to run a trace on the SEPM DB when you perform your log export, and analyse the SQL query to see where it's looking for the App Control logs.



  • 15.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 10:33 AM

    OK, thanks SMLatCST. Just confirm one more thing for me: I have a SEPM 12.1 with a SQL database. Is it possible to install another SEPM 12.1.4 MP1 and configure it in load-balancing mode, or is it necessary for the SEPMs to be on the same version to work in this mode?

    Regards,



  • 16.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 10:42 AM

    SEPMs must be on the same version.



  • 17.  RE: Application and device control logs missing on SEPM

    Posted May 06, 2014 10:57 AM

    OK, thanks. Let me ask my DBA to check the logs to confirm which table was purged, most probably the control logs, and I will get back to you.

    Regards,



  • 18.  RE: Application and device control logs missing on SEPM
    Best Answer

    Posted May 06, 2014 04:47 PM

    I think the tables are AGENT_BEHAVIOR_LOG_1 and AGENT_BEHAVIOR_LOG_2 (some tables in the SEP database are doubled). To read the control log, you could perform the following query:

    SELECT * FROM AGENT_BEHAVIOR_LOG_1
    UNION
    SELECT * FROM AGENT_BEHAVIOR_LOG_2

    See Ian_C's posting here. Unfortunately there is a typo ("_BEHAVIOUR") in his query.
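    To answer the question asked earlier in the thread (how to check in the database whether the entry cap, rather than the 60-day age limit, is what purged the logs), here is an added T-SQL example. It is not from the thread or from Symantec; it only takes the two table names from the post above. The column name TIME_STAMP and its format (bigint, milliseconds since the Unix epoch) are assumptions to confirm against the SEPM DB Schema article before running this, as is the default database name sem5.

```sql
-- Added example, not part of the original thread.
-- ASSUMPTIONS: database name sem5; column TIME_STAMP is a bigint holding
-- milliseconds since 1970-01-01 UTC. Verify both against the schema doc.
USE sem5;

-- 1. What survived in each of the doubled tables: row count and time span.
--    Add the two rows_kept values and compare the sum with the
--    "max number of entries" configured for control logs under
--    Admin > Servers > Database > Edit Database Properties > Log Settings.
--    A total sitting right at that limit with only a few days of span
--    means the entry cap was hit long before the 60-day age limit.
SELECT 'AGENT_BEHAVIOR_LOG_1' AS log_table,
       COUNT(*) AS rows_kept,
       DATEADD(second, CAST(MIN(TIME_STAMP) / 1000 AS int), '1970-01-01') AS oldest_event_utc,
       DATEADD(second, CAST(MAX(TIME_STAMP) / 1000 AS int), '1970-01-01') AS newest_event_utc
FROM AGENT_BEHAVIOR_LOG_1
UNION ALL
SELECT 'AGENT_BEHAVIOR_LOG_2',
       COUNT(*),
       DATEADD(second, CAST(MIN(TIME_STAMP) / 1000 AS int), '1970-01-01'),
       DATEADD(second, CAST(MAX(TIME_STAMP) / 1000 AS int), '1970-01-01')
FROM AGENT_BEHAVIOR_LOG_2;

-- 2. Events per day across both tables. Age-based purging leaves a
--    gradual tail back to the retention boundary; count-based purging
--    leaves a hard cliff a few days back with nothing older, which is the
--    pattern described in this thread (15,000 entries in two days).
--    UNION ALL is used deliberately: the tables are disjoint halves of one
--    log, and plain UNION would silently drop identical rows.
SELECT CAST(DATEADD(second, CAST(TIME_STAMP / 1000 AS int), '1970-01-01') AS date) AS event_day,
       COUNT(*) AS events
FROM (
    SELECT TIME_STAMP FROM AGENT_BEHAVIOR_LOG_1
    UNION ALL
    SELECT TIME_STAMP FROM AGENT_BEHAVIOR_LOG_2
) AS combined
GROUP BY CAST(DATEADD(second, CAST(TIME_STAMP / 1000 AS int), '1970-01-01') AS date)
ORDER BY event_day;
```

    Run this read-only against the SEPM database (a read-only login is enough) before and after raising the entry limit. For the audit requirement in this thread, note that rows already purged cannot be recovered from these tables; the queries only establish which limit was reached, and the Log Settings change only protects future entries.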



  • 19.  RE: Application and device control logs missing on SEPM

    Posted May 11, 2014 03:36 AM

    Thanks for your replies, guys.