Symantec Endpoint Protection (SEP) client does not upload risk event to Symantec Endpoint Protection Manager (SEPM) sometimes. The detection can be found in Risk Log and MMDDYYYY.log file under Logs\AV directory. However, there is no corresponding log entry in AVMan.log.
Max message buffer provided is not large enough to hold some of the log with length more than 1024 bytes.
Product code considers the maximum buffer size of 1024 to read a single line. But once the single line has length more than 1024 bytes for any reason such as the log has URL information for the detection, the log will not be written to AVman.log. As a result, the log will be skipped and not uploaded to SEPM.
This issue is fixed in Symantec Endpoint Protection 14.2 RU1 by adding max message buffer size. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.