
Some logs stopped being sent (or being registered)

Created: 12 Jun 2013 | 17 comments
diabolicus23

Very strange behaviour on the SEP Manager.

I had the feeling that some client logs were missing on the SEPM (missing events in Monitor/Logs).

The suspicion was confirmed by something very strange: if I try to see System - Client Activity for the last 24 hours, I see nothing! I have a lot of systems active in this period of time.
Another strange thing: I have some logs locally on the clients (such as Application Control), but these logs are not present in Monitor/Logs (while standard Tamper Protection logs are present).

It seems that, at a certain moment, the logs on the SEPM simply stopped being recorded in the DB (at least some of them).
Everything worked fine until some days ago.

How could I check and solve this urgent situation?
Suggestions?


Thanks!


17 Comments

.Brian

Have you confirmed the client is connected to the SEPM?

What's the exact SEP/M version?

Go to Clients page >> Select the group the client is in >> Select Policies tab >> Click Client Log Settings

Make sure the boxes are checked for "Upload to management server"

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

diabolicus23

Hi Brian.

SEP 12.1 RU2

I confirm that all the checkboxes are selected, for every client group.
But none of the clients is visible in Client Activity (or in some other logs in the Monitor section).

.Brian

Can you drop the EICAR test file on one of the systems?

What's the heartbeat set to?


diabolicus23

Heartbeat 20 minutes.

EICAR is stopped and the entry is visible locally on the clients, but no entry is reported to the SEPM.
The same for other events.

diabolicus23

Absolutely not.

I saw every kind of log until some days ago (let's say a couple of days).
Today, none.

diabolicus23

No way.

I've restarted SEPM and SEPM WebService services.
Nothing changed.

If I check Client-Server Activity, I see that the clients have sent their logs every 20 minutes (correct, this is the heartbeat).
But Client Activity still reports no entries.

diabolicus23

Important news: I have the message "Datastore error" in the LocalSite events...

What's that?

Rafeeq

Do you see any .err files under the inbox\log folders?

Check these two articles:

Clients cannot send data back to Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH105348

http://www.symantec.com/business/support/index?page=content&id=TECH176176

diabolicus23

Hi Rafeeq,
yes, I have some .err files, and one of them has the exact timestamp of the Datastore error message I got.

I opened that file and saw that some rows have a very strange format with some "wrong" characters.
How could I prevent the clients from sending that kind of characters?

Rafeeq

Take a backup.

Delete all those .err files and restart the SEPM; it seems the processing was stuck because of those .err files.

Kindly try this troubleshooting step:

1. Browse to \Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agentinfo

2. Look for any .err, .tmp or .dat files

3. If you find anything that has not been processed by the SEPM, it might be the reason for the client data loss

4. Stop the SEPM services from services.msc

5. Delete all the files inside \Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo

6. Restart the SEPM services.

Check the SEPM now; if the issue still persists, go to step 7.

7. Run the Management Server Configuration Wizard.

diabolicus23

Rafeeq, I think you're right; I'm probably hitting a known bug that will be solved in 12.1 RU3.

http://www.symantec.com/docs/TECH206828

Fix ID: 2767546

Symptom: The Symantec Endpoint Protection Manager produces files with the .err extension but does not clean them up. This causes the Symantec Endpoint Protection Manager to miss the parsing of events.
 
Solution: Fixed the code to bypass the error. Symantec Endpoint Protection Manager continues to process the log and record the error line.

diabolicus23

Except for the fact that I don't know when RU3 will be released :-)

And, besides that, I'm not sure I want to upgrade this environment for this bug... I will probably try to work around the problem by scheduling a deletion of the .err files or something like that.
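The stop-gap the thread converges on (stop the SEPM services, clear the stuck .err files from the inbox, restart) can be scripted so it is safe to schedule until the RU3 upgrade. The PowerShell below is an added example written for this page; it is not code from the thread or from Symantec. It backs the files up instead of deleting them, since each .err file holds client events the manager failed to parse, and it first lists the files with their timestamps so they can be matched against the "Datastore error" entries. The default install path, the inbox location (data\inbox, searched recursively) and the service names semsrv and semwebsrv are assumptions; confirm them on your own manager (Get-Service sem*) before running.

```powershell
# Added example (not from the thread): back up and clear stuck .err files from the
# SEPM inbox so log processing resumes, following the stop/clear/restart steps above.
# ASSUMPTIONS (verify on your SEPM before running):
#   - SEPM is installed at the default path below and its inbox is data\inbox.
#   - The services are 'semsrv' (Symantec Endpoint Protection Manager) and
#     'semwebsrv' (its web server). Confirm with:  Get-Service sem*
# Run from an elevated PowerShell prompt on the SEPM host.

param(
    [string]$SepmRoot   = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager',
    [string]$BackupRoot = 'C:\SEPM_err_backup',
    [switch]$ReportOnly
)

$inbox    = Join-Path $SepmRoot 'data\inbox'
$services = @('semsrv', 'semwebsrv')          # assumption: SEPM service names
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup   = Join-Path $BackupRoot $stamp

# 1. Inventory the .err files with their timestamps so each one can be
#    correlated with a "Datastore error" entry in the SEPM system log.
$errFiles = @(Get-ChildItem -Path $inbox -Recurse -Filter '*.err' -File -ErrorAction SilentlyContinue)
if ($errFiles.Count -eq 0) { Write-Host "No .err files under $inbox"; return }
$errFiles | Sort-Object LastWriteTime |
    Select-Object LastWriteTime, Length, FullName | Format-Table -AutoSize

# 2. Flag lines containing non-printable or non-ASCII characters, the kind of
#    "wrong" characters the OP found in the file that matched the error.
#    (Heuristic only: the files are read with PowerShell's default encoding.)
foreach ($f in $errFiles) {
    $bad = Select-String -Path $f.FullName -Pattern '[^\x20-\x7E\t]'
    if ($bad) { Write-Host ("{0}: {1} line(s) with non-printable/non-ASCII characters" -f $f.Name, @($bad).Count) }
}

if ($ReportOnly) { Write-Host 'ReportOnly: no files moved, services untouched.'; return }

# 3. Stop the services so nothing is writing to the inbox while files are moved.
Stop-Service -Name $services -Force
try {
    # 4. Move (never delete) each .err file into a timestamped backup folder,
    #    preserving its path relative to the inbox.
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    foreach ($f in $errFiles) {
        $rel  = $f.FullName.Substring($inbox.Length).TrimStart('\')
        $dest = Join-Path $backup $rel
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Move-Item -Path $f.FullName -Destination $dest
    }
    Write-Host ("Moved {0} file(s) to {1}" -f $errFiles.Count, $backup)
}
finally {
    # 5. Restart the services (manager first, then the web server) even if a move failed.
    Start-Service -Name $services
    Get-Service -Name $services | Format-Table Name, Status -AutoSize
}
```

Run it once with -ReportOnly to see the file list and the flagged lines without touching anything; without the switch it performs the full stop/move/restart cycle and can be registered as a scheduled task for the interim. Keep the backup folder: once the manager is on a build that records the error line and continues (the Fix ID quoted above), those files are the record of which client events were dropped.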

.Brian

RU3 came out last Thursday.

If you don't see it on FileConnect, call support to get a temp serial to download.


diabolicus23

Wow! 2 months between RU2 MP1 and RU3 :-)

Rafeeq

Still, give cleaning up the .err files a try and see if that fixes the issue. You can plan your upgrade accordingly.