We are in the process of prepping our Symantec Endpoint Protection solution for deployment and have run into some type of SQL database / SEPM configuration issue. Approximately 5-6 times per hour our SEPM server logs the following to the Event log:
EVENT LOG Application
EVENT TYPE Audit Failure
SOURCE MSSQLSERVER
CATEGORY Logon
EVENT ID 18456
COMPUTERNAME SEPM.DOMAIN.LOCAL
DATE / TIME 7/8/2009 6:02:30 PM
MESSAGE Login failed for user 'sepadmin'. [CLIENT: 192.168.1.26]
BINARY DATA 0000: 18 48 00 00 0E 00 00 00 0A 00 00 00 42 00 49 00
0010: 4C 00 2D 00 41 00 53 00 2D 00 30 00 31 00 00 00
0020: 07 00 00 00 6D 00 61 00 73 00 74 00 65 00 72 00
0030: 00 00
This message is actually being logged by the default SQL instance on the server. Our SEPM client database is on the same server as instance "SEP". We have the correct database settings configured in server.xml, reporting2.php, and our ODBC DSN is correct; however, we are still logging these errors regularly. We don't appear to have any significant loss in functionality, but I have noticed that our graphs do not generate correctly in the console even though reporting does load the numerical details.
This is a somewhat confused pilot as I became responsible for it after an internal employee had issues. Originally it was deployed on the internal database; however, with a target client count of about 1000 PCs the system was very unresponsive as we began to add additional clients, so we followed the internal database to SQL Server conversion process. Based on the symptoms of the problem, it looks like there is an ODBC or database connectivity command configured which is only referencing the local machine name rather than the correct <machine>\<SQL Instance> name. If anyone has any idea where the database connectivity is defined in SEPM, a list would be much appreciated.
Thank you for your help,
Jeff