When Symantec Endpoint Protection Manager (SEPM) External Logging is configured to send logs to a Syslog server, logs fail to submit when audit logs are selected.
The following log entries can be seen in the scm-server-0.log file:
2021-02-04 17:43:25.328 THREAD 147 SEVERE: in: com.sygate.scm.server.task.ExternalLoggingWorker
2021-02-04 17:43:25.328 THREAD 147 SEVERE: in: com.sygate.scm.server.task.ExternalLoggingWorker
java.lang.StringIndexOutOfBoundsException: begin 0, end -66, length 680753
    at java.base/java.lang.String.checkBoundsBeginEnd(String.java:3319)
    at java.base/java.lang.String.substring(String.java:1874)
    at com.sygate.scm.server.task.ExternalLoggingWorker.splitLongMessage(ExternalLoggingWorker.java:3312)
    at com.sygate.scm.server.task.ExternalLoggingWorker.getPolicyEventLogData(ExternalLoggingWorker.java:2379)
    at com.sygate.scm.server.task.ExternalLoggingWorker.handleLog(ExternalLoggingWorker.java:600)
    at com.sygate.scm.server.task.ExternalLoggingWorker.run(ExternalLoggingWorker.java:429)
    at java.base/java.util.TimerThread.mainLoop(Timer.java:556)
    at java.base/java.util.TimerThread.run(Timer.java:506)
The following entry can be seen in ExternalLoggingTask-0.log:
2021-02-04 17:43:25.125 THREAD 147 FINE: Fetching policy xml...
Release : 14.3 MP1 and 14.3 RU1
Component : External Logging
This can occur when a policy is too large to be split for transmission, for example a LiveUpdate policy with too many GUP listings or an Application and Device policy with too many excluded devices.
This issue is fixed in Symantec Endpoint Protection (SEP) 14.3 RU2. For information on how to obtain the latest build of Symantec Endpoint Protection, see "Download the latest version of Symantec software".
As a workaround to enable transmission of logs to a syslog server, uncheck 'Audit Log' from the Log Filter tab in the SEPM External Logging configuration.
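Because the worker keeps throwing on every run, SEP events silently stop reaching the syslog server until the policy is trimmed or the fix is applied. The following added Python check (not Symantec's code) scans scm-server-0.log lines for the exact signature quoted above so the gap can be alerted on and told apart from ordinary syslog connectivity errors; the sample log is constructed from the quoted trace plus an invented unrelated SEVERE entry, and the patterns assume the line format shown in this article.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Signature of the failure quoted above: a SEVERE ExternalLoggingWorker entry whose trace shows
# a StringIndexOutOfBoundsException raised inside splitLongMessage().
SEVERE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) THREAD (?P<thread>\d+) "
                       r"SEVERE: in: com\.sygate\.scm\.server\.task\.ExternalLoggingWorker\b")
BOUNDS_RE = re.compile(r"StringIndexOutOfBoundsException: begin (?P<begin>-?\d+), "
                       r"end (?P<end>-?\d+), length (?P<length>\d+)")
SPLIT_FRAME_RE = re.compile(r"ExternalLoggingWorker\.splitLongMessage\(")


@dataclass
class ForwardingFailure:
    timestamp: str
    thread: str
    end: int             # negative substring end reported by the JVM
    payload_length: int  # size of the policy data the worker tried to split


def find_forwarding_failures(lines: Iterable[str]) -> List[ForwardingFailure]:
    """Return one record per ExternalLoggingWorker SEVERE entry whose stack trace shows the
    splitLongMessage() bounds error; other SEVERE entries (e.g. network errors) are ignored."""
    failures: List[ForwardingFailure] = []
    entry = None  # SEVERE entry currently being read: {"ts", "thread", "bounds"}
    for raw in lines:
        line = raw.rstrip("\n")
        m = SEVERE_RE.match(line)
        if m:
            entry = {"ts": m["ts"], "thread": m["thread"], "bounds": None}
        if entry is None:
            continue
        b = BOUNDS_RE.search(line)  # may sit on the SEVERE line itself in flattened exports
        if b:
            entry["bounds"] = b
        if entry["bounds"] is not None and SPLIT_FRAME_RE.search(line):
            b = entry["bounds"]
            failures.append(ForwardingFailure(entry["ts"], entry["thread"], int(b["end"]), int(b["length"])))
            entry = None  # one record per SEVERE entry
    return failures


# Constructed sample: the trace from this article, then an invented unrelated SEVERE entry.
SAMPLE_LOG = """\
2021-02-04 17:43:25.328 THREAD 147 SEVERE: in: com.sygate.scm.server.task.ExternalLoggingWorker
java.lang.StringIndexOutOfBoundsException: begin 0, end -66, length 680753
\tat com.sygate.scm.server.task.ExternalLoggingWorker.splitLongMessage(ExternalLoggingWorker.java:3312)
2021-02-04 17:43:26.001 THREAD 147 SEVERE: in: com.sygate.scm.server.task.ExternalLoggingWorker
java.net.ConnectException: Connection refused (constructed entry, must not match)
"""
```

Running `find_forwarding_failures(SAMPLE_LOG.splitlines())` yields a single record for the 680753-character policy payload; a non-empty result is the condition to alert on, since the same exception recurs on every scheduled run until the policy is reduced.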