Forwarding logs to a Syslog server
Created: 02 Sep 2010 | 18 comments
Been having an issue sending logs to our Syslog server
I've designated one of our SEPMs to be the Master Logging server. It works fine for a few days, then suddenly stops sending the log files. If I restart the SEPM service on that SEPM it will then start sending logs for a few days and then stop again. I can continue to restart the service but it's more of a workaround than a fix.
Just curious to see if anyone has had experience with this.
Nothing has changed on the syslog server or the SEPM for that matter. We put a sniffer on the syslog server and could see traffic from SEPM, then it would stop.
Not really sure what changed as of yet.
Comments
I had seen a similar issue when the customer migrated from Embedded to SQL.
And we resolved the issue by changing the Log facility to 22
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
We've always been on SQL.
What's the difference in different numbers for the log facility? Any document(s) on this?
Endpoint Knowledge Base
Security Best Practices
Log Facility is the number that you want to be used in the Syslog configuration file. Valid values range from 0 to 23.
The value depends on the syslog server that you are using.
While troubleshooting syslog we only check a few things: whether it has been configured properly and whether the DUMP files are being created. Once the dump is created, it means the SEPM part of log forwarding is working fine.
The issue needs to be troubleshot on the syslog server or on the network.
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Is there a location on the SEPM I can look at to see the DUMP files?
Endpoint Knowledge Base
Security Best Practices
Next time, you can use the URL mentioned in the article below to sweep the database and see if that generates the results.
http://www.symantec.com/connect/articles/how-does-sweep-function-work
Aniket
The location is Symantec endpoint protection manager/Data/DUMP
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Been watching for the past hour and have not seen any DUMP files created. Is there any further troubleshooting I can do?
Endpoint Knowledge Base
Security Best Practices
Maybe run a Wireshark packet capture on your SEPM and see if there is any traffic between the SEPM and the syslog server.
Have you looked at the log facility number? Is it already 22?
-VKalani
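The two checks raised in this thread are the facility number SEPM stamps on each message and whether the syslog server is still receiving anything from the SEPM at all. The following Python script is an added example, not code from the original thread or from Symantec: it encodes and decodes the RFC 3164 PRI field (facility * 8 + severity, so facility 6 is lpr and facility 22 is local6), parses received syslog lines, and reports any source host that has gone silent for longer than a chosen gap, which is the "works for a few days, then stops" failure mode described by the original poster. The host names, timestamps and message text in SAMPLE_LINES are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# RFC 3164 facility codes 0..23; the SEPM "Log Facility" setting picks one of these.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# <PRI>Mmm dd hh:mm:ss HOST MSG  (RFC 3164 layout; the day may be space-padded)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample of what a syslog receiver might have stored: the SEPM
# (facility 6 = lpr, severity 6 = info, PRI 54) stops at 09:05, while a
# firewall (facility 22 = local6, severity 5 = notice, PRI 181) keeps going.
SAMPLE_LINES = [
    "<54>Sep  2 09:00:00 sepm01 SEPM: Security Alert detected on client WS-101",
    "<54>Sep  2 09:05:00 sepm01 SEPM: Risk Found on client WS-102",
    "<181>Sep  2 09:10:00 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10",
    "<181>Sep  2 12:55:00 fw01 kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10",
]


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not 0 <= facility <= 23:
        raise ValueError("facility must be 0..23")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Split a PRI value back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0..191")
    return divmod(pri, 8)


def parse_syslog_line(line: str, year: int) -> dict:
    """Parse one RFC 3164 line; the year is supplied because the format omits it."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    facility, severity = decode_pri(int(m.group("pri")))
    ts = " ".join(m.group("ts").split())  # collapse the padded day field
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return {
        "facility": facility,
        "facility_name": FACILITY_NAMES[facility],
        "severity": severity,
        "time": when,
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def silent_sources(lines, now, max_gap, year=None, expected=()):
    """Return {host: last_seen} for every source whose newest message is older
    than max_gap. Hosts listed in `expected` that never appear are reported
    with last_seen=None, which catches a forwarder that stopped before the
    retention window began."""
    year = year or now.year
    last_seen = {}
    for line in lines:
        rec = parse_syslog_line(line, year)
        if rec["host"] not in last_seen or rec["time"] > last_seen[rec["host"]]:
            last_seen[rec["host"]] = rec["time"]
    for host in expected:
        last_seen.setdefault(host, None)
    return {h: t for h, t in last_seen.items() if t is None or now - t > max_gap}


if __name__ == "__main__":
    now = datetime(2010, 9, 2, 13, 0, 0)  # constructed "current time"
    for host, seen in silent_sources(SAMPLE_LINES, now, timedelta(hours=1),
                                     expected=("sepm01", "fw01")).items():
        print(f"no syslog from {host} since {seen}")
```

Run against a syslog server's own spool, a non-empty result for the SEPM host is the earliest signal that forwarding has stalled again, well before anyone notices missing events in a SIEM; the facility helper is handy for confirming that the number configured in SEPM matches what the receiver's filter expects.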
The log facility number is at 6. This is per the spec we have from our syslog server.
Endpoint Knowledge Base
Security Best Practices
Do you have server activity logs from SEPM - Monitors - Logs - System, covering the period when it was working and then when it stopped?
-VKalani
Yes, I do have activity in the logs on the SEPM. That has never stopped.
Endpoint Knowledge Base
Security Best Practices
Which version of SEP is this?
I've never seen any feature for pushing all of the log events to a syslog server.
/* Infrastructure Support Engineer */
The latest, RU6 MP1
Under Admin ---> Servers ---> Configure external logging you can setup SEPM to forward to a syslog server or create DUMP files to then send to syslog if you wish.
Endpoint Knowledge Base
Security Best Practices
wow, thanks Brian. I appreciate your help.
Cheers,
AWT
/* Infrastructure Support Engineer */
This feature has been available since older versions of SEPM too! I do not remember which version it started in, or whether it was there right from the RTM release, but it was definitely there before RU6 MP1.
Brian81, could you please post the server activity logs..?
-VKalani
Where are they located?
Endpoint Knowledge Base
Security Best Practices
Log in to SEPM, go to Monitors ---> Logs ---> System ---> Server Activity, select the appropriate time range and click on View Logs. Are you able to find any relevant entry? If you want, you can export these logs.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Here is the log for the last 24 hours.
Endpoint Knowledge Base
Security Best Practices