System Health Alert: "Device is encountering a large number of events. Some events will not be logged in the database."

Article ID: 171942

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

Within the user interface of Symantec Endpoint Detection and Response (SEDR), the system health state is "Needs Attention". When the mouse hovers over the system health state, SEDR displays the alert: "Device is encountering a large number of events. Some events will not be logged in the database."

Cause

This behavior may have multiple causes, including an overly broad configuration of the Endpoint Data Recorder and a large number of Insight lookups generated by widespread software updates among the SEP clients.

Environment

In Symantec Endpoint Protection Manager (SEPM), one or more client groups have an External Communication policy that points to the IP address of the ATP UI as a Private Insight server.

Resolution

The SEDR 4.5 software includes improvements to increase the number of events that can be processed. If you see an error that incoming events have been dropped, please update to SEDR 4.5 to take advantage of these changes.

Further troubleshooting can be performed in the following ways:

  1. Reduce the number of events from the Data Recorder feature.
  2. Prior to a widespread and complex software upgrade in the environment, temporarily remove ATP as a Private Insight server.
  3. Upgrade to the latest version of Symantec Endpoint Detection and Response (SEDR) to obtain the latest fixes and performance improvements.
  4. If symptoms persist, contact Symantec Technical Support for further assistance.


To reduce the number of events from the Data Recorder feature

  1. In ATP Manager, click Settings > Global and scroll down to Endpoint Detection and Response, SEP Policies, and Endpoint Data Recorder.
  2. Click the actions menu (three vertical dots) to the far right of the Symantec Endpoint Protection Manager connection that you want to update.
  3. Click Recorder Configuration.
  4. Uncheck "Process Launch", then click Save.
  5. For each SEPM where the Data Recorder feature is enabled, add Data Recorder Exclusions for programs that are authorized for the environment and that generate a high number of ATP detections for PowerShell activity.


To add a Data Recorder exclusion

  1. Within the ATP UI, navigate to Settings > Global.
  2. Scroll down to Endpoint Detection and Response, SEP Policies, and Endpoint Data Recorder.
  3. For each SEPM connection where Data Recorder is enabled, click the vertical ellipsis (three vertical dots).
  4. Click Recorder Exclusions.
  5. If you expect the content of the authorized file to remain static, click Add hash and description to open a dialog box for entering a SHA256 hash and description.
  6. After adding an entry, click Save Hash.
  7. If you expect the content of the authorized file to change over time as a result of vendor updates, click Add the full path and filename to open a dialog box for entering the full path and filename of the file to be excluded.
  8. After adding an entry, click Save Path.
  9. After all entries are added, click Save.
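The steps above leave the administrator to choose, per authorized program, between a SHA256 exclusion (for files whose content stays static) and a full-path exclusion (for files that vendor updates will change). The following script is an added example and is not Symantec or Broadcom code; it assumes you maintain a list of authorized program paths with a flag saying whether each one is updated over time, and it produces the values to type into the Recorder Exclusions dialog. The `demo()` function writes constructed sample files into a temporary directory so the script runs offline; the hash and path it prints are for illustration only.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# A SHA256 hex digest is exactly 64 hexadecimal characters.
_SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample content; stands in for an authorized program's bytes.
SAMPLE_CONTENT = b"constructed sample program bytes"


def sha256_of_bytes(data: bytes) -> str:
    """Return the lowercase SHA256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_valid_sha256(value: str) -> bool:
    """Check that a value is well formed before it is pasted into the SHA256 field."""
    return bool(_SHA256_RE.match(value))


def build_exclusion(path: Path, updates_over_time: bool, description: str) -> Dict[str, str]:
    """Decide which exclusion type matches the page's guidance for this file.

    A file expected to change with vendor updates gets a path exclusion; a
    static file gets a hash exclusion, because a new version would otherwise
    stop matching and its activity would be recorded again.
    """
    if updates_over_time:
        return {"type": "path", "value": str(Path(path).resolve()), "description": description}
    digest = sha256_of_file(path)
    assert is_valid_sha256(digest)  # defensive: hexdigest() is always 64 hex chars
    return {"type": "hash", "value": digest, "description": description}


def demo() -> List[Dict[str, str]]:
    """Create two constructed sample files and build one exclusion of each kind."""
    workdir = Path(tempfile.mkdtemp(prefix="recorder_exclusions_"))
    static_tool = workdir / "static_tool.exe"      # hypothetical static program
    vendor_tool = workdir / "vendor_tool.exe"      # hypothetical auto-updating program
    static_tool.write_bytes(SAMPLE_CONTENT)
    vendor_tool.write_bytes(SAMPLE_CONTENT + b" (current version)")
    return [
        build_exclusion(static_tool, updates_over_time=False, description="static admin tool"),
        build_exclusion(vendor_tool, updates_over_time=True, description="vendor-updated tool"),
    ]


if __name__ == "__main__":
    for entry in demo():
        print(f"{entry['type']:4}  {entry['value']}  ({entry['description']})")
```

Each printed line corresponds to one entry in the UI: a `hash` line goes into the "Add hash and description" dialog and is saved with Save Hash, a `path` line goes into the "Add the full path and filename" dialog and is saved with Save Path. Keep in mind that a hash exclusion must be regenerated and re-entered whenever the authorized file changes, which is why the page recommends the path form for files that vendors update.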