SEPM is not processing agent system logs unless services are restarted

Article ID: 158720

Products

Endpoint Protection

Issue/Introduction

On the Symantec Endpoint Protection Manager (SEPM), reports show that the clients are updating successfully, but the client system logs cannot be retrieved in Monitors > Logs, nor via the database (V_AGENT_SYSTEM_LOG).

Investigation shows that there are many DAT files in %SEPM%\data\inbox\log\system, and new ones keep arriving.

After restarting the SEPM service, most of these DAT files get processed, but over time the issue returns, requiring another restart.


The following lines appear repeatedly in scm-server-x.log:

     2013-11-27 15:10:51.883 THREAD 31 FINE: CREATOR_SHA2 :
     2013-11-27 15:10:51.883 THREAD 31 FINE: DOWNLOAD_URL :
     2013-11-27 15:10:51.883 THREAD 31 FINE: DETECTION

Logging also stops in AgentLogCollector-x.log (the task responsible for system log processing) while DAT processing appears to hang.


Cause

Application Learning can be resource-intensive for the SEPM (see TECH134367).
Depending on the size of the environment, it may cause thousands of DAT files to be sent to the SEPM, which may not be able to process such a volume of incoming data in a timely manner.

The Application Learning log processing task runs before the AgentLogCollector task, so while the first one is busy, the second one does not execute.


Resolution

- Disable Application Learning. Re-enable it only when it is strictly needed (e.g. during a virus outbreak, or when exclusions need to be set up).

- Delete all files in the %SEPM%\data\inbox\log\learnedapp subfolders, then restart the SEPM services.
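The following PowerShell script is an added example, not part of this article or of Symantec's own tooling. It covers both the symptom described under Issue/Introduction (a growing backlog of DAT files in the inbox folders) and the second resolution step above: `Get-SepmInboxBacklog` counts the queued DAT files and the age of the oldest one so the condition can be spotted before a restart is needed, and `Clear-SepmLearnedAppQueue` stops the SEPM services, deletes the queued Application Learning files, and starts the services again. The SEPM install root, the warning threshold, and the Windows service names `semsrv` and `semwebsrv` are assumptions and are passed as parameters; disabling Application Learning itself (the first resolution step) is a policy change made in the SEPM console and is not scripted here.

```powershell
# Added example, not from the Symantec article. Run in an elevated PowerShell
# session on the SEPM host. Assumed (not stated on the page): the install root
# is supplied by the caller, and the SEPM services are named 'semsrv' and
# 'semwebsrv'. Verify both against your own installation before use.

function Get-SepmInboxBacklog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SepmRoot,   # e.g. 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
        [int] $WarnCount = 1000                       # backlog size above which AgentLogCollector is likely starved
    )
    foreach ($queue in @('system', 'learnedapp')) {
        $dir = Join-Path $SepmRoot "data\inbox\log\$queue"
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        # Every queued client upload is a .dat file; subfolders are included
        $files = @(Get-ChildItem -LiteralPath $dir -Filter '*.dat' -File -Recurse -ErrorAction SilentlyContinue)
        $oldestMinutes = 0
        if ($files.Count -gt 0) {
            $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1
            $oldestMinutes = [int]((Get-Date) - $oldest.LastWriteTime).TotalMinutes
        }
        [pscustomobject]@{
            Queue         = $queue
            Path          = $dir
            PendingFiles  = $files.Count
            OldestMinutes = $oldestMinutes
            Backlogged    = ($files.Count -ge $WarnCount)
        }
    }
}

function Clear-SepmLearnedAppQueue {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SepmRoot,
        [string[]] $ServiceNames = @('semwebsrv', 'semsrv')   # assumed service names; stop order
    )
    $learnedApp = Join-Path $SepmRoot 'data\inbox\log\learnedapp'
    if (-not (Test-Path -LiteralPath $learnedApp)) { throw "learnedapp inbox not found: $learnedApp" }

    # Stop SEPM first so no task is reading a DAT file while it is deleted
    foreach ($svc in $ServiceNames) {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            if ($PSCmdlet.ShouldProcess($svc, 'Stop-Service')) { Stop-Service -Name $svc -Force }
        }
    }

    # Delete the queued files in the learnedapp subfolders; the folders themselves are kept
    $pending = @(Get-ChildItem -LiteralPath $learnedApp -File -Recurse -ErrorAction SilentlyContinue)
    foreach ($f in $pending) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove-Item')) { Remove-Item -LiteralPath $f.FullName -Force }
    }
    Write-Verbose ("Removed {0} queued Application Learning file(s)" -f $pending.Count)

    # Start the services again in reverse order (semsrv before the web server)
    $startOrder = [string[]]$ServiceNames
    [array]::Reverse($startOrder)
    foreach ($svc in $startOrder) {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            if ($PSCmdlet.ShouldProcess($svc, 'Start-Service')) { Start-Service -Name $svc }
        }
    }
}

# Usage (paths and names are assumptions, adjust to your installation):
$root = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
Get-SepmInboxBacklog -SepmRoot $root | Format-Table -AutoSize
# Dry run first; drop -WhatIf to actually clear the queue and restart SEPM
Clear-SepmLearnedAppQueue -SepmRoot $root -Verbose -WhatIf
```

`Get-SepmInboxBacklog` can be run from a scheduled task and its `Backlogged` flag forwarded to monitoring, which turns the "system logs stopped appearing" symptom into an alert on the inbox backlog itself. `Clear-SepmLearnedAppQueue` honours `-WhatIf`, so the list of files and services it would touch can be reviewed before anything is stopped or deleted.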



Applies To

SEPM 12.1 with Application Learning enabled (currently or in the past).