Symantec Endpoint Protection (SEP) collector stops processing events, cannot connect to database

Article ID: 177971

Products

Security Information Manager

Issue/Introduction

Symantec Endpoint Protection (SEP) collector stops processing events, cannot connect to database.

Symptoms
You have a SEP collector that connects to a SQL database. The collector periodically stops collecting events.


The logs show that the SEP collector cannot connect to the database:

WARN Collectors.3165.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-21 Problem with query: Warning: Fatal error 602 occurred at Sep 23 2009 11:54PM. Note the error and time, and contact your system administrator. (query => [AgentBehaviourLogQuery] SELECT TOP 500 v.TIME_STAMP, v.LOG_IDX, v.EVENT_ID, v.EVENT_TIME, LOWER(d.NAME) DOMAIN_ID, s.NAME SITE_ID, LOWER(r.NAME) SERVER_ID, LOWER(g.NAME) GROUP_ID, v.SEVERITY SEVERITY_AB, v.HOST_NAME, sc.IP_ADDR1 IPADDRESS, v.ACTION ACTION_AB, v.TEST_MODE, v.DESCRIPTION, v.VAPI_NAME, v.RULE_ID, v.RULE_NAME, v.CALLER_PROCESS_NAME CALLER_PROCESS_NAME_AB, v.PARAMETER, v.ALERT ALERT_AB, USER_NAME, v.DOMAIN_NAME FROM SEM_COMPUTER sc LEFT OUTER JOIN V_AGENT_BEHAVIOR_LOG v with (NOLOCK) INNER JOIN IDENTITY_MAP d ON v.DOMAIN_ID = d.ID INNER JOIN IDENTITY_MAP s ON v.SITE_ID = s.ID INNER JOIN IDENTITY_MAP r ON v.SERVER_ID = r.ID INNER JOIN IDENTITY_MAP g ON v.GROUP_ID = g.ID ON sc.COMPUTER_NAME = v.HOST_NAME WHERE ((sc.DELETED=0) AND ((v.TIME_STAMP > ? and (v.TIME_STAMP < CAST(dateadd(second, -10, getdate()) as TIMESTAMP))) OR (v.TIME_STAMP = ? and v.LOG_IDX >?))) ORDER BY v.TIME_STAMP, v.LOG_IDX ASC).
Database query failed. The connection is closed.
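A stopped collector is a visibility gap for the SOC, so it is worth alerting on the failure signature above rather than waiting for users to notice missing events. The following Python script is an added example, not code from Symantec or from the SSIM product: it parses collector log lines of the shape shown in this article (assumed format: level, component, thread, message), extracts the SQL Server error number, its timestamp and the failing query name, pairs each failure with the "Database query failed. The connection is closed." line that follows it, and raises an alert once the number of closed connections exceeds a threshold. The sample log text is constructed to mirror the excerpt.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the excerpt in this article (not a real capture).
SAMPLE_LOG = """\
INFO Collectors.3165.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-21 Query completed (query => [AgentBehaviourLogQuery])
WARN Collectors.3165.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-21 Problem with query: Warning: Fatal error 602 occurred at Sep 23 2009 11:54PM. Note the error and time, and contact your system administrator. (query => [AgentBehaviourLogQuery] SELECT TOP 500 v.TIME_STAMP, v.LOG_IDX FROM V_AGENT_BEHAVIOR_LOG v with (NOLOCK) ORDER BY v.TIME_STAMP, v.LOG_IDX ASC).
Database query failed. The connection is closed.
WARN Collectors.3165.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-21 Problem with query: Warning: Fatal error 602 occurred at Sep 24 2009 12:01AM. Note the error and time, and contact your system administrator. (query => [AgentBehaviourLogQuery] SELECT TOP 500 v.TIME_STAMP, v.LOG_IDX FROM V_AGENT_BEHAVIOR_LOG v with (NOLOCK) ORDER BY v.TIME_STAMP, v.LOG_IDX ASC).
Database query failed. The connection is closed.
"""

# Assumed line layout: "<LEVEL> <component> Thread-<n> <message>", as in the excerpt.
LINE_RE = re.compile(r"^(?P<level>[A-Z]+)\s+(?P<component>\S+)\s+(?P<thread>Thread-\d+)\s+(?P<message>.*)$")
# "Fatal error 602 occurred at Sep 23 2009 11:54PM"
ERR_RE = re.compile(r"Fatal error (?P<code>\d+) occurred at (?P<when>[A-Z][a-z]{2} \d{1,2} \d{4}\s+\d{1,2}:\d{2}(?:AM|PM))")
# "(query => [AgentBehaviourLogQuery] SELECT ..."
QUERY_RE = re.compile(r"\(query => \[(?P<query>[^\]]+)\]")


@dataclass
class QueryFailure:
    level: str
    component: str
    thread: str
    error_code: Optional[int]
    occurred_at: Optional[str]
    query: Optional[str]
    connection_closed: bool  # True when the next line reports the closed connection


def parse_collector_log(text: str) -> List[QueryFailure]:
    """Extract every 'Problem with query' event and whether it closed the DB connection."""
    lines = text.splitlines()
    failures: List[QueryFailure] = []
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if not m or "Problem with query" not in m.group("message"):
            continue
        msg = m.group("message")
        err = ERR_RE.search(msg)
        q = QUERY_RE.search(msg)
        # The collector writes the connection-closed notice on the following line.
        closed = i + 1 < len(lines) and lines[i + 1].strip().startswith("Database query failed")
        failures.append(QueryFailure(
            level=m.group("level"),
            component=m.group("component"),
            thread=m.group("thread"),
            error_code=int(err.group("code")) if err else None,
            occurred_at=err.group("when") if err else None,
            query=q.group("query") if q else None,
            connection_closed=closed,
        ))
    return failures


def summarize(failures: List[QueryFailure], max_failures: int = 1) -> dict:
    """Roll failures up into counters; 'alert' is set once closed connections exceed the threshold."""
    closed = sum(1 for f in failures if f.connection_closed)
    fatal_602 = sum(1 for f in failures if f.error_code == 602)
    return {
        "failed_queries": len(failures),
        "connection_closed": closed,
        "fatal_602": fatal_602,
        "queries": sorted({f.query for f in failures if f.query}),
        "alert": closed > max_failures,
    }


if __name__ == "__main__":
    found = parse_collector_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.component} {f.thread}: error {f.error_code} at {f.occurred_at} in {f.query}; closed={f.connection_closed}")
    print(summarize(found))
```

The threshold is deliberately a parameter: a single failed query with a reconnect is routine, while repeated closed connections from the same sensor are the pattern this article describes and should open a ticket before the collection gap grows.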


Resolution

This issue has been resolved by an update to the SEP collector.

Use RunLiveUpdate.bat from the collector machine to ensure you have the most recent update.
If SEP events are collected from an on-box collector, use the SSIM web configuration page to update the collector that is on the SSIM.