
SSIM cannot read the SWG log (via FTP and csv ansi)

Created: 10 Mar 2013 • Updated: 22 Mar 2013 | 6 comments
allenchung's picture
This issue has been solved. See solution.

We used SSIM Symantec Event Collector for Web Gateway to collect the SWG events.

SWG must be configured to send the log file (csv (ANSI)) via FTP.

We installed the SSIM Agent and Symantec Event Collector for Web Gateway on the FTP server (Windows server 2003 R2).

And we set the SSIM client to collector sensor to receive the SWG log on the FTP server (Windows server 2003 R2).

We found that the SSIM cannot get the events if the csv files are ANSI.

SSIM event showed the Event Type ID is [ Error while Reading from Data Source ].

Below is the Description in the SSIM event.

[ Description = Cannot load log file headers. java.io.FileNotFoundException: d:\swglog\Spyware130311111501.csv ]

 

But we can get the SWG events if we transfer the ANSI to UTF-8 manually.

How can we get the csv log files (UTF-8, not ANSI) from SWG?

 

SWG 5.1.0.39

SSIM 4.7.4


BenDC's picture

Symantec Web Gateway does not have an option to set the character encoding of exported log data. You may want to open a case with the SSIM support team as their import process is unable to properly read the ANSI file.

allenchung's picture

But we could receive the events on SSIM before we upgraded the SWG from version 4.x to 5.x.

Thanks for your reply.

I opened a case with the SSIM support team a few days ago.

They told me that I can receive the events if I transform the ANSI to UTF-8.

allenchung's picture

Received the solution from Symantec Support (after case escalation).

1. Stop Agent
2. Go to Program Files\Common Files\Symantec Shared\SES\ (or on linux Symantec Shared\SES\ses.work)
3. Edit ses_work.properties
4. Find the row like this: “System.AgentParams=-server -XX\:NewRatio\=3 -Xmx512m -Dnetworkaddress.cache.ttl\=300”
5. Add -Dfile.encoding\=ANSI
6. It will look like: “System.AgentParams=-server -XX\:NewRatio\=3 -Xmx512m -Dfile.encoding\=ANSI -Dnetworkaddress.cache.ttl\=300”
7. Save. Start Agent

SOLUTION
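
The properties edit from the steps above, scripted so it can be applied repeatably and checked on each agent host; this is an added example, not part of the thread and not Symantec tooling. The function names are hypothetical, the flag value and its position are copied from the posted steps, and stopping and starting the agent is left to the operator.

```python
import re
import shutil
from pathlib import Path

KEY = "System.AgentParams="
FLAG = r"-Dfile.encoding\=ANSI"        # value exactly as posted in the thread
ANCHOR = "-Dnetworkaddress.cache.ttl"  # the posted result puts the flag before this option

# Constructed sample content (CRLF line endings, as on the Windows agent host).
SAMPLE = ("# constructed sample\r\n"
          r"System.AgentParams=-server -XX\:NewRatio\=3 -Xmx512m -Dnetworkaddress.cache.ttl\=300"
          "\r\n")

def patch_agent_params(text, flag=FLAG):
    """Return (new_text, status); status is 'patched', 'already-set' or 'no-key'."""
    out, status = [], "no-key"
    for line in text.splitlines(keepends=True):
        if line.startswith(KEY):
            body = line.rstrip("\r\n")
            eol = line[len(body):]
            if re.search(r"-Dfile\.encoding\\?=", body):
                status = "already-set"   # never stack a second encoding flag
            else:
                head, sep, tail = body.partition(ANCHOR)
                body = f"{head}{flag} {sep}{tail}" if sep else f"{body.rstrip()} {flag}"
                status = "patched"
            line = body + eol
        out.append(line)
    return "".join(out), status

def patch_file(path):
    """Patch ses_work.properties in place, keeping a .bak copy; returns the status."""
    p = Path(path)
    # Java .properties files are ISO-8859-1; newline="" preserves CRLF untouched.
    with open(p, encoding="iso-8859-1", newline="") as fh:
        original = fh.read()
    patched, status = patch_agent_params(original)
    if status == "patched":
        shutil.copy2(p, p.with_name(p.name + ".bak"))
        with open(p, "w", encoding="iso-8859-1", newline="") as fh:
            fh.write(patched)
    return status

if __name__ == "__main__":
    print(patch_agent_params(SAMPLE)[0])
```

A status of 'no-key' means the file has no System.AgentParams row, so the collector on that host is still running with its default encoding.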