How to avoid frequent log table switching on the Symantec Endpoint Protection Manager

book

Article ID: 156175

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

How to avoid frequent log table switching with the Symantec Endpoint Protection Manager (SEPM)?

In the scm-server-0.log / scm-server-1.log log files of the SEPM, frequent lines such as these can be observed:

2012-04-02 15:34:45.063 THREAD 27 WARNING: Log table switched to: SERVER_CLIENT_LOG_1, old table estimated row count: 4055, to add row count in new table: 2, last switch time: 2012-04-02 15:16:08
2012-04-02 15:35:10.441 THREAD 39 WARNING: Log table switched to: AGENT_TRAFFIC_LOG_1, old table estimated row count: 20751, to add row count in new table: 46, last switch time: 2012-04-02 15:22:08
2012-04-02 15:49:23.570 THREAD 39 WARNING: Log table switched to: AGENT_TRAFFIC_LOG_2, old table estimated row count: 1181, to add row count in new table: 18, last switch time: 2012-04-02 15:35:05
2012-04-02 16:10:24.138 THREAD 39 WARNING: Log table switched to: AGENT_TRAFFIC_LOG_1, old table estimated row count: 5081, to add row count in new table: 100, last switch time: 2012-04-02 15:49:23
 

The lines may mention SEP client log tables (AGENT_TRAFFIC_LOG_1/2, AGENT_PACKET_LOG_1/2, AGENT_BEHAVIOR_LOG_1/2, AGENT_SECURITY_LOG_1/2, AGENT_SYSTEM_LOG_1/2), SEPM client log tables (SERVER_CLIENT_LOG_1/2) or possibly Enforcer log tables (ENFORCER_CLIENT_LOG_1/2, ENFORCER_TRAFFIC_LOG_1/2).

 

Resolution

For log storage tables in the database the SEPM alternates between an *_1 and an *_2 table. When the _1 table is full the SEPM will truncate the _2 table and continue writing to it until it too is full, then once again truncate and switch to using the _1 table as "active". For further information please see article TECH90856.

To avoid using resources on the SEPM server as well as the database server for uploading and storing large amounts of log entries that will soon be overwritten, there are three options:

  • Generate less logs on the client side.
    For example, if the log tables that are frequently switching are the AGENT_TRAFFIC or AGENT_PACKET logs, edit firewall policies to disable logging for any rules where this is no longer needed.
     
  • Avoid uploading certain types of client logs to the SEPM.
    For each Client Group in the SEPM, the "Client Log Settings" dialog under "Location-independent Policies and Settings" contains options for which log types should be forwarded to the manager. Uncheck "Upload to management server" as needed from the System, Security, Traffic, Packet and Control Log categories.
     
  • Configure the SEPM to store a larger amount of log entries.
    If the SEPM and database can handle the load associated with processing and uploading the logs, and the database server has the disk space to support storing a larger volume of logs, then the maximum number of entries and number of days logs are kept can be configured on the manager. On the Admin - Servers tab in the manager select the database server in the list and pick the "Edit Database Properties" option, then "Log Settings". The maximum number of entries and log entry expiration days for each type of log can be configured on this dialog.