"Event Storage Error" in SCSP Manager When Trying to Write TRAC data

Article ID: 157513

Products

Critical System Protection

Issue/Introduction

Multiple "Event Storage Error" events appear in the Symantec Critical System Protection (SCSP) manager.

Host Name <hostname>
Host IP Address <host IP address> 
Event Type Event Storage Error
Category Real Time - Management
Operation DBEVENTWRITE
Event Severity Warning
Event Priority 55
Event Date 12-Dec-2012 13:59:31 EST
Post Date 12-Dec-2012 13:59:31 EST
Description Data Error(s) In Event record - Invalid Event Type (TRAC
Event Code TRAC
Rule Name EVENT_DATA_CONTENT_ERROR
Disposition Failure
Operation DBEVENTWRITE
Message ID 56205
SQL Code 0
Event Data a1=<hostname>, a2=<host IP address>, a3=windows, a4=-240, a5=1, a6=2012-12-12 18:59:17.21, a7=<Agent GUID>, v1=TRAC, v2=160389, v3=2012-12-12 18:59:17.215 Z-0500, v4=T, v5=0, v6=ISR, v7=<>, v8=-1, v13=HttpsHandler::send, v22=Sending Multiple Log Messages,

Cause

This issue occurs when TRACE debug is enabled on an agent machine and that machine is configured to send ALL events to the manager.

By design, TRACE logs are not written to the database. These logs are meant for troubleshooting issues on the agent machine and should not be sent to the manager. Because TRACE debug messages are extremely verbose, the SCSP manager does not write them to the database, in order to prevent database space/storage issues.

The error above is logged when an attempt is made to write TRACE logs to the database.

Resolution

From the manager, adjust the detection and prevention configurations that are applied to the agent machine(s). If "ANY" is selected as the event type, the agents will attempt to send in any logs connected with TRACE-level debugging.

You can also disable trace debugging on the agent by running "sisipsconfig -trace" from the command line.
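
To find which agents still need one of the changes above, the "Event Data" strings of the Event Storage Error events can be grouped by agent. The following is an added example, not Symantec's code; it assumes the Event Data strings have been copied out of the manager one per line, and the host names, addresses and GUIDs in the sample are constructed.

```python
import re
from collections import Counter

# Fields are "a<N>=value" / "v<N>=value", comma-separated, as in the record above.
_BOUNDARY = re.compile(r",\s*(?=[av]\d+=)")
_KEY = re.compile(r"[av]\d+")


def parse_event_data(event_data):
    """Split one 'Event Data' string into a {key: value} dict."""
    fields = {}
    for part in _BOUNDARY.split(event_data.strip().rstrip(",")):
        key, sep, value = part.partition("=")
        if sep and _KEY.fullmatch(key.strip()):
            fields[key.strip()] = value.strip()
    return fields


def agents_sending_trace(event_data_lines):
    """Count TRAC events per agent, keyed by (a1 host name, a2 IP, a7 GUID)."""
    counts = Counter()
    for line in event_data_lines:
        f = parse_event_data(line)
        if f.get("v1") == "TRAC":
            counts[(f.get("a1", "?"), f.get("a2", "?"), f.get("a7", "?"))] += 1
    return counts


# Constructed sample input: host names, addresses and GUIDs are placeholders,
# and "XXXX" stands in for any event code other than TRAC.
SAMPLE = [
    "a1=web01, a2=192.0.2.10, a3=windows, a4=-240, a5=1, a6=2012-12-12 18:59:17.21, "
    "a7=GUID-0001, v1=TRAC, v2=160389, v13=HttpsHandler::send, "
    "v22=Sending Multiple Log Messages,",
    "a1=web01, a2=192.0.2.10, a3=windows, a7=GUID-0001, v1=TRAC, "
    "v22=Retrying, attempt 2,",
    "a1=db01, a2=192.0.2.20, a3=windows, a7=GUID-0002, v1=XXXX, v22=Other event,",
]

if __name__ == "__main__":
    for (host, ip, guid), n in agents_sending_trace(SAMPLE).most_common():
        print(f"{host} ({ip}, {guid}): {n} TRAC event(s) rejected by the manager")
```

Agents at the top of the output are the ones to check first for TRACE debug being enabled or for a configuration with "ANY" selected as the event type.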