
SEP status collector warning

Updated: 21 May 2010 | 5 comments
Belén del Toro

Hi,

I've installed a Symantec Endpoint Protection Status event collector in SSIM and configured it to work with Sybase. I configured the property "Start reading from" in 'Beginning' and everything works fine. But the moment I change that property, and use 'end' instead, the collector starts writing this error:

WARN    2009-11-11 17:06:14,000    Collectors.3293.wGroup.[workinggroup0].SensorThread    Thread-4721    Restarting the sensor...
WARN    2009-11-11 17:06:15,047    Collectors.3293.wGroup.[workinggroup0].SensorThread    Thread-4721    Exception in Sensor thread [SEP state Sybase CEGES] while reading device. Details:
java.lang.NumberFormatException: For input string: "SELECT MAX(TIME_STAMP) FROM SEM_AGENT"
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
    at java.lang.Long.parseLong(Long.java:403)
    at java.lang.Long.parseLong(Long.java:461)
    at com.symantec.cas.ucf.sensors.DB.QueryParam.setParam(QueryParam.java:67)
    at com.symantec.cas.ucf.sensors.DB.Query.execute(Query.java:350)
    at com.symantec.cas.ucf.sensors.DB.DBSensor.readQuerySet(DBSensor.java:596)
    at com.symantec.cas.ucf.sensors.DB.DBSensor.readDevice(DBSensor.java:531)
    at com.symantec.cas.ucf.collector.SensorJob.pollSensor(SensorJob.java:186)
    at com.symantec.cas.ucf.collector.SensorJob.run(SensorJob.java:253)
    at java.lang.Thread.run(Thread.java:619)

I've tried it several times changing between 'beginning' and 'end' and this error only appears with 'end'. Also, the collector configured in 'end' continues showing the error but does not send events to the SSIM.

Do you have any idea why?

Thank you.
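
Added example (not part of the original thread and not Symantec code): a Python check that scans a collector log in the layout quoted in the post above and reports sensors stuck in a repeating read exception, the state in which the poster's collector stopped sending events to SSIM. The regular expressions, the threshold and the "Example sensor" name are assumptions; the sample log is constructed from the excerpt, with invented timestamps for the repeated cycle.

```python
import re
from collections import Counter

# One log entry: level, timestamp, logger, thread, message (whitespace separated).
ENTRY = re.compile(
    r"^(?P<level>[A-Z]+)\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+"
    r"(?P<logger>\S+)\s+(?P<thread>\S+)\s+(?P<msg>.*)$")
SENSOR_ERR = re.compile(r"Exception in Sensor thread \[(?P<sensor>[^\]]+)\]")

def failing_sensors(log_text, threshold=2):
    """Map sensor name -> failure count, causes and last timestamp, for sensors
    whose read exception occurs at least `threshold` times in the log."""
    found, current, want_cause = {}, None, False
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            hit = SENSOR_ERR.search(entry["msg"])
            current, want_cause = (hit["sensor"], True) if hit else (None, False)
            if current:
                rec = found.setdefault(
                    current, {"failures": 0, "causes": Counter(), "last_seen": ""})
                rec["failures"] += 1
                rec["last_seen"] = entry["ts"]
        elif want_cause and line.strip() and not line.lstrip().startswith("at "):
            # First non-frame continuation line is the exception class and message.
            found[current]["causes"][line.strip()] += 1
            want_cause = False
    return {s: r for s, r in found.items() if r["failures"] >= threshold}

# Constructed sample: the layout of the excerpt in the post, repeated as a second
# cycle with an invented timestamp, plus a one-off error from a hypothetical sensor.
_LOGGER = "Collectors.3293.wGroup.[workinggroup0].SensorThread    Thread-4721"
_TRACE = ('java.lang.NumberFormatException: For input string: '
          '"SELECT MAX(TIME_STAMP) FROM SEM_AGENT"\n'
          "    at java.lang.Long.parseLong(Long.java:403)\n")
SAMPLE_LOG = "".join(
    f"WARN    {ts}    {_LOGGER}    Restarting the sensor...\n"
    f"WARN    {ts2}    {_LOGGER}    Exception in Sensor thread [{name}] "
    f"while reading device. Details:\n{trace}"
    for ts, ts2, name, trace in [
        ("2009-11-11 17:06:14,000", "2009-11-11 17:06:15,047", "SEP state Sybase CEGES", _TRACE),
        ("2009-11-11 17:07:14,000", "2009-11-11 17:07:15,047", "SEP state Sybase CEGES", _TRACE),
        ("2009-11-11 17:08:00,000", "2009-11-11 17:08:01,000", "Example sensor", "java.io.IOException: timeout\n"),
    ])

if __name__ == "__main__":
    for sensor, rec in failing_sensors(SAMPLE_LOG).items():
        print(sensor, rec["failures"], rec["last_seen"], rec["causes"].most_common(1))
```

A sensor that appears in the result while no new events arrive from it is a gap in monitoring coverage and worth alerting on.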

Comments

BadBoo, 12 Nov 2009

LU will help you

Hi, Belen.
You can get the fix via LU by running runliveupdate.bat from the symcepstate collector folder. Please read the LiveUpdate-Collector.txt file for further instructions. Briefly: LU will overwrite your config.xml with an updated one which is supposed to work with MSSQL, and you should replace it with the file that appeared after LU in the symcep\utils\SybaseMode folder.

By running LU you will not only get your issue fixed, but will also pick up other fixes made to the collector after its release.

Thanks.

Thanks,

Alexey.

Laurent_c, 12 Nov 2009

Hi Belen,

Just one comment, the SEP State collector should always start from the Beginning; this is because the collector, to run a snapshot, needs to read the db entirely every time.

If you select from the END, the snapshot will only take the newly installed clients since the last run and this is not really what the collector is for. What you want is to re-read the entire SEM Client tables so you get a list of all your clients with their inventory.

Laurent

BadBoo, 12 Nov 2009

No, Laurent. You are not right here. State collectors are designed to grab all the information once a day (by default). And it should not matter what Initial Read Policy you configured. They also ignore saved last positions on start.

Thanks,

Alexey.

Belén del Toro, 12 Nov 2009

CPU performance

The problem with the collector is that the CPU performance grows to 100% when having 'beginning' configured.
The machine holds two collectors, SEP and SEP status for Sybase, and when one or both are in 'beginning' mode we have stated that CPU performance is altered for as long as the collectors are working (i.e. not only at the start when the event load is higher) and the customer is very concerned about this issue.
With 'end' configuration the CPU stands between 45-85%. I was trying to test it widely when I got that error.

BadBoo, 12 Nov 2009

This is another problem

Hi, Belen.
This is another problem which can also be solved (tuned).
By default the sensor tries to execute collector queries (read the data it is supposed to read) as fast as it can. This means CPU load will also be high.
But there is a way to tell the sensor to rest between executing queries, which results in less CPU load. By trying different values of the properties below you can arrive at an acceptable CPU load. The bigger the values you provide, the lower the CPU load will be, but on the other hand it will take more time to read the data from the database.

In the collector's config.xml file between

 <props>

and

  </props>

nodes you should put following lines:

  <prop key="pauseForNoEvents">2000</prop>

  <prop key="pauseBetweenRequests">2000</prop>

 

pauseForNoEvents

Define pause (in milliseconds) between requests if previous reading doesn’t return any events.

pauseBetweenRequests

Define pause (in milliseconds) between requests.

Thanks,

Alexey.