When sending logs from a Symantec Endpoint Protection Manager (SEPM) to an external logging solution, logs for most events are properly written to the Program FIles (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump folder, but one or more log files are either not created or not updated. This usually affects the agt_system log file.
No error messages are displayed
Symantec Endpoint Protection 14.x
When the SEPM is writing data to syslog text files, it compares the USN of data on the SEPM to the USN for a given LogType (for example, "LT_AGT_SYSTEM_LOG") in the SemSiteState table. The value for the USN in SemSiteState table can on occasion be incremented far beyond the USN range for actual data entries on the SEPM, meaning that no data will be written to the syslog dumps for a given log type.
Please contact Broadcom Support for a tool (FixExternalLoggingUSN) to correct USN values in SemSiteState.