Endpoint Protection

Very strange behaviour on the SEP Manager.

I had the sensation that some clients logs are missing on the SEPM (missing events in Monitor/Logs).

The suspect was confirmed by something very strange: if I try to see System - Client Activity of the last 24 hours I see nothing! I have a lot of system in activity in this period of time.
Other strange thing: I have some logs locally on the clients (such as Application Control) but these logs are not present on Monitor/Logs (but standard Tamper protection logs are present).

It seems that, at a certain moment, the logs on the SEPM simply stops to be recorded in the DB (at least some of them).
Everything worked fine till some days ago.

How could I check this and solve this urgent situation?
Suggestions?

Thanks!

You confirmed client is connected to SEPM?

What's the exact SEP/M version?

Go to Clients page >> Select the group the client is in >> Select Policies tab >> Click Client Log Settings

Make sure the boxes are checked for "Upload to management server"

Hi Brian.

SEP 12.1 RU2

I confirm that all the checkboxes are selected. This for every client group.
But none of the clients is visible in Client Activity (and some other logs in monitor section).

any filter you have set ?

Can you drop the eicar on one of the systems?

Whats the heartbeat set to?

Absolutely not.

I saw every kind of logs till some days ago (let me say, a couble of days).
Today, none.

Heartbeat 20 minutes.

Eicar is stopped and entry visible locally on the clients but no entry reported to the SEPM.
The same for other events.

No way.

I've restarted SEPM and SEPM WebService services.
Nothing changed.

If i check Client-Server Activity, I see that clients have sent their logs every 20 minutes (correct, this is heartbeat).
But Client Activity still reports no entries.

Important news: I have the message "Datastore error" in the LocalSite Event...

What's that?

Do  you see any .err files under inbox\log folders?

check these two articles

Clients cannot send data back to Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH105348

http://www.symantec.com/business/support/index?page=content&id=TECH176176

Hi Rafeew,
yes I've some .err files and one of them has the exact timestamp of the Datastore error message I've got.

I've opened that file and I've seen that some row have a very strange format with some "wrong" charecters.
How could I avoit the client to send that kind of characters?

Take a backup.

Delete all those .err file and restart sepm, seems like the  processing was stuck because of those err files.

1. Browse to \Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agentinfo

2. Look for any .err files or tmp files & Dat files

3. If you find anything which is not processed by sepm then it might be the reason for the client data loss

4. Stop SEPM services from services.msc 

5. Delete all the files inside the location \Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo

6. Restart the SEPM services.

Check the SEPM now if still issue persist go for step 7

7. Run the Management server configuration wizard.

Rafeeq I think you're right, I'm probably falling under a known bug that will be solved in 12.1 RU3.

http://www.symantec.com/docs/TECH206828

Fix ID: 2767546

After upgrade you should be fine :) 

Except for the fact that I don't know when will RU3 be released :-)

And, beside that, I'm not sure I want to upgrade this environment for this bug... I will probably try to override the problem by scheduling a delete of .err files or something like that.

RU3 came out last Thursday.

If you don't see it on FileConnect, call support to get a temp serial to download.

Wow! 2 months between RU2 MP1 and RU3 

still give a try in cleaning the .err file, if that fixes the issue. You can plan your upgrade accordingly