Endpoint Protection

  • 1.  SAV 10.x Logs Not Being Processed by MR4-MP2 SEPM

    Posted Jul 29, 2009 05:54 PM
    We've encountered an interesting issue on two of our three SEPM servers where logs being forwarded to them from some of our older SAV 10.x SAV servers aren't being processed.  I have verified that all the SEPM servers have the option to upload SAV logs enabled and these same servers running MR4-MP1 all worked fine.  Here is what I have found.

    SAV Server 1 forwarding logs to SEPM A:  logs aren't processed
    SAV Server 1 forwarding logs to SEPM C:  logs are processed successfully

    SAV Server 2 forwarding logs to SEPM B:  logs aren't processed
    SAV Server 2 forwarding logs to SEPM C:  logs are processed successfully

    Since the SAV servers can forward logs successfully to SEPM C, the issue does not appear to be on the SAV server side.  The only difference between the SEPM servers is SEPM A and SEPM B are running the embedded database and have the SEP client installed on them (AV only, no firewall).  SEPM C (the one that appears to work correctly) is using a MS SQL database and the SEP client is not installed on it.

    I'm completely out of ideas on this and we've had a ticket open with Symantec for over a month now with no resolution.   Has anyone else seen this issue?  Like I said, these servers were upgraded from MR4-MP1 to MR4-MP2 and when they ran MR4-MP1 everything worked fine.

    Thanks,
    jsnyder


  • 2.  RE: SAV 10.x Logs Not Being Processed by MR4-MP2 SEPM

    Posted Jul 30, 2009 05:05 AM
    I am sure you will have to contact tech support.


    Vinjaram,
    Symantec 


  • 3.  RE: SAV 10.x Logs Not Being Processed by MR4-MP2 SEPM

    Posted Jul 30, 2009 05:19 AM
    Have they been removed or is it the same for two SEPMs?



  • 4.  RE: SAV 10.x Logs Not Being Processed by MR4-MP2 SEPM

    Posted Jul 30, 2009 05:27 AM
    Could you please tell the memory details of all the 4 servers having the manager?

    E.g.:  SEPM A:

    RAM:  4GB or whatever
    Manager installed on what drive? If C, how much free space is there on that drive?
    SQL or embedded database, and if SQL then what is the version of SQL, e.g. 2005, 2000

    Same for all other SEPM B, C


  • 5.  RE: SAV 10.x Logs Not Being Processed by MR4-MP2 SEPM

    Posted Jul 30, 2009 07:14 AM
    Hi J., SEPM doesn't automatically accept logs from legacy SAV servers. You have to enable it.
    Log in to your SEPM, on the "Home" page under "Security Status", click "Preferences" (takes a while to come up), then the tab "Logs and Reports".
    At the bottom you can find the option "Upload SAV Version 10.x log Files".
    Enable that and everything should work.


  • 6.  RE: SAV 10.x Logs Not Being Processed by MR4-MP2 SEPM

    Posted Jul 30, 2009 11:10 AM
    Hey All,

    Thanks for all the quick responses and questions.  Here are the answers in no particular order.

    1)  These SEPM servers were upgrades from SEP 11 MR4-MP1 to MR4-MP2.   When they were MR4-MP1 they worked fine, but once we upgraded to MR4-MP2 the issue showed up on two out of three servers.

    2) Symantec Endpoint Protection is installed in the default location on the C:\ drive (which is the system drive of these machines).  We have over 50GB of free space on these servers.  So running out of disk space definitely isn't causing the issue.

    3)  On all three SEPM servers we have enabled the option to Upload SAV Version 10.x log Files.  This was enabled when they were MR4-MP1 and is still enabled now.

    4)  As for memory and the database used on each server:
    SEPM A:  2GB RAM, running Symantec embedded database (SAV 10.x logs don't upload)
    SEPM B:  2GB RAM, running Symantec embedded database (SAV 10.x logs don't upload)
    SEPM C: 4 GB RAM, running MS SQL 2000 (SAV 10.x logs upload fine)

    5)  SEP clients can check into these servers just fine, the issue is only with the SAV 10.x logs being uploaded.

    One thing I want to reiterate is these servers ran fine as MR4-MP1.  The issue only arose after the upgrade to MP2.  One thing I am trying to determine is if the logs are not making it to the SEPM at all, or if the SEPM is just not able to process them once they do arrive.  I checked the reporting agent LogSender logs on my SAV 10 server and they don't indicate any issue with connecting to the SEPMs.

    Is there a method to check if the SAV logs are making it to the SEPM server?

    Keep the questions coming!

    Jeff


  • 7.  RE: SAV 10.x Logs Not Being Processed by MR4-MP2 SEPM

    Posted Jul 30, 2009 11:21 AM
    All,

    I have been doing some digging around and have a little more info on this issue.  A Symantec tech mentioned that the legacy (10.x) logs are stored in the folder C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\tex\legacy.  If I look on my SEPM server that is working this folder is empty, which I assume is because it is processing the logs.

    If I look at one of the SEPM servers not processing SAV 10.x logs it is full of files with the extension temp.dat.err.  For example:  0A0C71FE0AD101F30003E9261466D689.tmp.dat.err.  If I open these files they contain my SAV data.  So it appears the 10.x legacy logs are getting to the problematic SEPM servers but then just sitting there or erroring off.

    Anyone from Symantec have some suggestions on this?

    Thanks,
    jsnyder
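
The manual folder check described in the post above can be scripted. This is an added example, not code from the thread or from Symantec. It assumes that any file name ending in `.err` marks a log SEPM failed to process; the function name, verdict labels and one-hour staleness threshold are illustrative choices.

```python
import os
import time

# Folder path as quoted in the thread; pass another path for other installs.
LEGACY_INBOX = (r"C:\Program Files\Symantec\Symantec Endpoint Protection Manager"
                r"\data\inbox\log\tex\legacy")


def triage_legacy_inbox(path, now=None, stale_after_s=3600):
    """Summarise the legacy SAV inbox: errored files vs. files still waiting."""
    now = time.time() if now is None else now
    errored, pending = [], []
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        age = now - entry.stat().st_mtime
        # Assumption: any name ending in .err is a file SEPM failed to process,
        # like the *.tmp.dat.err example in the post.
        bucket = errored if entry.name.lower().endswith(".err") else pending
        bucket.append(age)
    stale = [a for a in pending if a > stale_after_s]
    if errored:
        verdict = "arriving-but-failing"
    elif stale:
        verdict = "arriving-but-stalled"
    elif pending:
        verdict = "processing"
    else:
        # Empty means either everything was processed or nothing arrived;
        # confirm against the forwarding server's LogSender log.
        verdict = "empty"
    return {
        "verdict": verdict,
        "errored": len(errored),
        "pending": len(pending),
        "stale_pending": len(stale),
        # Small value = failures are still happening, not an old backlog.
        "newest_error_age_s": int(min(errored)) if errored else None,
    }


if __name__ == "__main__":
    if os.path.isdir(LEGACY_INBOX):
        print(triage_legacy_inbox(LEGACY_INBOX))
    else:
        print("legacy inbox not found:", LEGACY_INBOX)
```

Running it on each SEPM server and comparing the verdicts separates a delivery problem from a processing problem without opening the files by hand.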


  • 8.  RE: SAV 10.x Logs Not Being Processed by MR4-MP2 SEPM
    Best Answer

    Posted Aug 05, 2009 06:05 PM

    After doing some research with Symantec Support we found that there is an internal write-up regarding an issue with MR4-MP2 where SEPM servers no longer process SAV Risk Logs.  This appears to be what I am experiencing.  Unfortunately the only workaround is to build a legacy SAV Reporting Server until MR5 comes out.