The collector log does not log anything even in debug

Article ID: 177285

Products

Security Information Manager

Issue/Introduction

The collector log does not log anything even in debug.

Symptoms
The Juniper NSM collector.log shows the Initialization event, but nothing else is populated to the log. This is still true with the collector logging set to debug.


Cause

The collector version is not the same as the Symantec Integration Package (SIP) that is installed on the Symantec Security Information Manager (SSIM). The correct Agent configuration is not pulled down.

Resolution

Incompatible versions between the collector and SIP
First rule out a collector and SIP version problem. When the collector and SIP versions are not the same, the following text is written to ucf.log:
    Error retrieving the specified configuration.
    ---------------------------
    ERROR 2008-04-14 03:59:49,163 com.symantec.cas.ucf.collector.CollectorFactory      com.symantec.management.util.TimerThread  Config not updated (softwareFeatureId: 32520101)
    ERROR 2008-04-14 03:59:49,304 com.symantec.cas.ucf.collector.CollectorFactory      com.symantec.management.util.TimerThread  Config XML contain error message:

To resolve this problem, install the correct version of the collector or the SIP so that they are the same version.

Event Agent has old credentials
When this situation occurs and the ucf.log is empty, the Event Agent may have old credentials. To ensure it has the correct credentials, do a full bootstrap of the Symantec Event Agent to the Symantec Security Information Manager (SSIM). A full bootstrap adds one step to the bootstrap most commonly performed.

To do a full bootstrap of the agent:
    1. On the collector computer, stop the Symantec Event Agent service.
    2. Navigate to and delete the ses_store.dat and ses_machine.dat files.
      By default, these files are located in C:\Program Files\Common Files\Symantec Shared\SES
    3. On the SSIM appliance, in the SSIM Client Console, click System.
    4. On the Administration tab, navigate to and click Organizational Units.
    5. Delete the collector computer.
    6. Start the Symantec Event Agent service.

Once the Symantec Event Agent has successfully bootstrapped and pulled down the credentials, the ses_store.dat and ses_machine.dat files are recreated. Once the SSIM Client Console has been closed and opened again, the computer is listed in Organizational Units again.
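
The two resolution branches above depend on what ucf.log contains. The following Python is an added example, not Symantec code: it parses ucf.log text in the line layout quoted above and reports which branch applies. The function name `triage_ucf_log`, the diagnosis labels and the sample string are assumptions made for illustration.

```python
import re
from datetime import datetime

# Layout of the ucf.log lines quoted in this article:
# LEVEL  timestamp  logger class  thread class  message
LINE_RE = re.compile(
    r"^\s*(?P<level>[A-Z]+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<logger>\S+)\s+(?P<thread>\S+)\s+(?P<msg>.*)$"
)
FEATURE_RE = re.compile(r"Config not updated \(softwareFeatureId: (\d+)\)")

# Sample input built from the excerpt quoted in this article.
SAMPLE_UCF = (
    "Error retrieving the specified configuration.\n"
    "---------------------------\n"
    "ERROR 2008-04-14 03:59:49,163 com.symantec.cas.ucf.collector.CollectorFactory"
    "      com.symantec.management.util.TimerThread  Config not updated"
    " (softwareFeatureId: 32520101)\n"
    "ERROR 2008-04-14 03:59:49,304 com.symantec.cas.ucf.collector.CollectorFactory"
    "      com.symantec.management.util.TimerThread  Config XML contain error message:\n"
)


def triage_ucf_log(text):
    """Map ucf.log content to the resolution branch described in this article."""
    result = {"diagnosis": "no_known_signature", "feature_ids": [], "last_seen": None}
    if not text.strip():
        # Empty ucf.log: the article points at old Event Agent credentials.
        result["diagnosis"] = "empty_log_check_credentials"
        return result
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "ERROR":
            continue  # banner lines, separators and non-error entries
        hit = FEATURE_RE.search(m["msg"])
        if hit:
            # Collector and SIP versions differ: the configuration was not updated.
            result["diagnosis"] = "collector_sip_version_mismatch"
            if hit.group(1) not in result["feature_ids"]:
                result["feature_ids"].append(hit.group(1))
            result["last_seen"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return result


if __name__ == "__main__":
    print(triage_ucf_log(SAMPLE_UCF))
    print(triage_ucf_log(""))
```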



Technical Information
By design, the SSIM directory does not delete old agent configurations. It does not happen often, but it appears that an old configuration can sometimes be distributed to the Agent. Removing the agent from the Organizational Units makes the next bootstrap a full bootstrap.


The bootstrap commonly performed does not remove the agent from the directory; it simply downloads the same credentials that the existing instance has in the Directory.

The full bootstrap as outlined in this document actually recreates the agent in the Directory.