Symantec Endpoint Protection Manager does not parse client forwarded logs in a timely manner.
Article ID: 177485
Products

Endpoint Protection

Issue/Introduction



Symptoms
With Symantec Endpoint Protection Manager MR4 installed, the client status reports do not reflect the current state of your client computers; the reported status can lag by as much as a few days. You will also notice a buildup of .DAT files in the following locations:


..\Symantec Endpoint Protection Manager\data\inbox\agentinfo
..\Symantec Endpoint Protection Manager\data\inbox\log\client
..\Symantec Endpoint Protection Manager\data\inbox\log\behavior
..\Symantec Endpoint Protection Manager\data\inbox\log\system
..\Symantec Endpoint Protection Manager\data\inbox\log\security
..\Symantec Endpoint Protection Manager\data\inbox\log\packets
..\Symantec Endpoint Protection Manager\data\inbox\log\traffic
..\Symantec Endpoint Protection Manager\data\inbox\log\tex\avman

If you enable Symantec Endpoint Protection Manager extended logging (details in the Technical Information section of this document), you will see the following line repeated many times in AgentLogCollector-0.log:

2009-01-12 15:29:02.008 FINE: SQLException: Using batch handler

This issue only occurs on Symantec Endpoint Protection Manager MR4 when the Manager uses a Microsoft SQL Server database.

Cause

Symantec Endpoint Protection Manager uses the SQL Server client tool BCP.exe to bulk-load client logs into the database that was specified during the initial run of the Management Server Configuration Wizard. If the SQL Server instance is not referenced correctly there (see Installation_Guide.pdf, page 70, included in the MR4 CD1 download), BCP.exe first tries to connect with that incorrect connection configuration, waits for the attempt to time out, and only then falls back to a slower way of connecting. The repeated timeouts dramatically slow log parsing, and the unparsed .DAT files accumulate in the inbox folders listed above.
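The following PowerShell script is an added example, not Symantec's code, that checks from the Manager itself for the symptoms listed above and for the cause described here. It assumes the install directory in $SepmRoot (the article writes it as ..\Symantec Endpoint Protection Manager), a hypothetical server\instance name in $DbServerInstance that you replace with the one entered in the Management Server Configuration Wizard, and that bcp.exe is on the PATH. The bcp probe uses Windows authentication (-T) only to test whether the instance is reachable under that name; swap in -U/-P if the Manager's database account is SQL-authenticated.

```powershell
# Added diagnostic for the symptoms and cause described in this article (not Symantec's code).
$SepmRoot         = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager'  # assumption: your install path
$DbServerInstance = 'SQLHOST01\SEPM'   # hypothetical; use the server\instance given to the configuration wizard
$Pattern          = 'SQLException: Using batch handler'

# 1. Backlog check: unparsed .DAT files in each inbox folder named by the article, plus the age of the oldest one.
$InboxDirs = @(
    'data\inbox\agentinfo'
    'data\inbox\log\client'
    'data\inbox\log\behavior'
    'data\inbox\log\system'
    'data\inbox\log\security'
    'data\inbox\log\packets'
    'data\inbox\log\traffic'
    'data\inbox\log\tex\avman'
)
foreach ($rel in $InboxDirs) {
    $dir = Join-Path $SepmRoot $rel
    if (-not (Test-Path $dir)) { Write-Warning "Missing folder: $dir"; continue }
    $dats   = @(Get-ChildItem -Path $dir -Filter '*.dat' | Where-Object { -not $_.PSIsContainer })
    $oldest = $dats | Sort-Object LastWriteTime | Select-Object -First 1
    $ageHours = if ($oldest) { [math]::Round(((Get-Date) - $oldest.LastWriteTime).TotalHours, 1) } else { 0 }
    '{0,-28} {1,6} .DAT files, oldest {2,7} h old' -f $rel, $dats.Count, $ageHours
}

# 2. Extended-logging check: how often the line the article describes appears in AgentLogCollector-0.log.
$agentLog = Join-Path $SepmRoot 'tomcat\logs\AgentLogCollector-0.log'
if (Test-Path $agentLog) {
    $hits = @(Select-String -Path $agentLog -Pattern $Pattern -SimpleMatch)
    "{0}: {1} lines matching '{2}'" -f $agentLog, $hits.Count, $Pattern
    if ($hits.Count -gt 0) { $hits[-1].Line }   # most recent occurrence, with its timestamp
} else {
    Write-Warning "$agentLog not found; enable extended logging (scm.log.loglevel=fine) first"
}

# 3. Cause check: can bcp.exe reach the configured server\instance under the name SEPM was given?
#    A wrong name here makes bcp wait for a connection timeout before it falls back, which is the slowdown
#    described above. -T uses Windows authentication purely as a reachability test.
if (-not (Get-Command bcp.exe -ErrorAction SilentlyContinue)) {
    Write-Warning 'bcp.exe is not on the PATH; install the SQL Server client tools or run this on the Manager'
    return
}
$probeFile = Join-Path $env:TEMP 'sepm_bcp_probe.txt'
$bcpOutput = & bcp.exe 'SELECT @@SERVERNAME' queryout $probeFile -S $DbServerInstance -T -c 2>&1
if ($LASTEXITCODE -eq 0) {
    "bcp.exe connected to '$DbServerInstance'; SQL Server reports itself as: $(Get-Content $probeFile)"
} else {
    Write-Warning "bcp.exe could not connect to '$DbServerInstance' (exit code $LASTEXITCODE):"
    $bcpOutput
}
```

Run it in an elevated PowerShell on the Manager. A large and aging .DAT backlog together with a failing bcp probe for the configured server\instance name points at the misconfiguration this article describes; if the probe succeeds immediately under that exact name, look elsewhere before re-running the wizard.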

Resolution

The fix is to re-run the Management Server Configuration Wizard on every affected Symantec Endpoint Protection Manager computer. Enter the correct database server\instance name exactly as described in Installation_Guide.pdf. After the Manager restarts, it may take some time to work through the large backlog of unparsed logs before reports return to their expected state; the number of .DAT files in the inbox folders should fall steadily once it has.


References
Installation_Guide.pdf, page 70 (included with Symantec Endpoint Protection distribution files)



Technical Information
To enable Symantec Endpoint Protection Manager extended logging:

  1. Stop the service named "Symantec Endpoint Protection Manager".
  2. Go to the following location: ..\Symantec Endpoint Protection Manager\tomcat\etc (the exact path depends on the installation settings chosen).
  3. Find the file conf.properties and open it in notepad.exe or another plain-text editor that does not add formatting.
  4. Add the following line at the bottom: scm.log.loglevel=fine
  5. Save the changes and close the file.
  6. Start the Symantec Endpoint Protection Manager service.

Logs will be generated in the folder: ..\Symantec Endpoint Protection Manager\tomcat\logs
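The PowerShell script below is an added example, not Symantec's code, that carries out the six steps above in one go and guards the one thing the steps do not mention: if conf.properties already contains a scm.log.loglevel line, appending a second one leaves two conflicting values, so the script replaces the existing line instead. It assumes the install directory in $SepmRoot (the article writes it as ..\Symantec Endpoint Protection Manager) and locates the service by the display name the article gives.

```powershell
# Added example that automates the extended-logging procedure (not Symantec's code).
$SepmRoot = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager'  # assumption: your install path
$ConfFile = Join-Path $SepmRoot 'tomcat\etc\conf.properties'
$LogDir   = Join-Path $SepmRoot 'tomcat\logs'
$Setting  = 'scm.log.loglevel=fine'

if (-not (Test-Path $ConfFile)) { throw "conf.properties not found at $ConfFile; check `$SepmRoot" }
$svc = Get-Service -DisplayName 'Symantec Endpoint Protection Manager' -ErrorAction Stop

# Step 1: stop the service and wait until it has really stopped before touching its configuration.
Stop-Service -InputObject $svc
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Steps 2-5: keep a backup, then set scm.log.loglevel=fine. Replace an existing scm.log.loglevel line
# rather than appending a duplicate; append at the bottom only when there is none.
Copy-Item -Path $ConfFile -Destination "$ConfFile.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$lines = Get-Content -Path $ConfFile
if ($lines -match '^\s*scm\.log\.loglevel\s*=') {
    $lines = $lines -replace '^\s*scm\.log\.loglevel\s*=.*$', $Setting
    Set-Content -Path $ConfFile -Value $lines
} else {
    Add-Content -Path $ConfFile -Value $Setting
}

# Step 6: start the service again and wait for it to come up.
Start-Service -InputObject $svc
$svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

# The log files land in tomcat\logs; list the most recently written ones so you can confirm
# that AgentLogCollector-0.log is growing with FINE-level output.
Get-ChildItem -Path $LogDir -Filter '*.log' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 10 Name, LastWriteTime, Length
```

Run it from an elevated PowerShell prompt on the Manager. FINE-level logging is verbose, so once the investigation is finished, restore conf.properties from the .bak copy the script made (or remove the line by hand) and restart the service the same way.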