Endpoint Protection Manager External Logging is failing to transmit logs when audit logs are selected

Article ID: 212586

Products

Endpoint Protection

Issue/Introduction

When Symantec Endpoint Protection Manager (SEPM) External Logging is configured to send logs to a Syslog server, logs fail to submit when audit logs are selected.

 The following log entries can be seen in the scm-server-0.log file:

2021-02-04 17:43:25.328 THREAD 147 SEVERE:  in: com.sygate.scm.server.task.ExternalLoggingWorker
2021-02-04 17:43:25.328 THREAD 147 SEVERE:  in: com.sygate.scm.server.task.ExternalLoggingWorker
java.lang.StringIndexOutOfBoundsException: begin 0, end -66, length 680753
    at java.base/java.lang.String.checkBoundsBeginEnd(String.java:3319)
    at java.base/java.lang.String.substring(String.java:1874)
    at com.sygate.scm.server.task.ExternalLoggingWorker.splitLongMessage(ExternalLoggingWorker.java:3312)
    at com.sygate.scm.server.task.ExternalLoggingWorker.getPolicyEventLogData(ExternalLoggingWorker.java:2379)
    at com.sygate.scm.server.task.ExternalLoggingWorker.handleLog(ExternalLoggingWorker.java:600)
    at com.sygate.scm.server.task.ExternalLoggingWorker.run(ExternalLoggingWorker.java:429)
    at java.base/java.util.TimerThread.mainLoop(Timer.java:556)
    at java.base/java.util.TimerThread.run(Timer.java:506)

The following entry can be seen in the ExternalLoggingTask-0.log file:

2021-02-04 17:43:25.125 THREAD 147 FINE: Fetching policy xml...

Environment

Release : 14.3 MP1 and 14.3 RU1

Component : External Logging

Cause

This can occur if a policy is too large, for example a LiveUpdate policy with too many GUP listings or an Application and Device policy with too many excluded devices.

Resolution

This issue is fixed in Symantec Endpoint Protection (SEP) 14.3 RU2. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec software here.

 

As a workaround to enable transmission of logs to a syslog server, uncheck 'Audit Log' from the Log Filter tab in the SEPM External Logging configuration.
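
Because the failure stops log forwarding without any alert on the Syslog side, it is worth checking scm-server-0.log for the signature shown above. The following Python script is an added example, not Symantec code: the function name find_failures is hypothetical and the sample log text is constructed from the excerpt in this article.

```python
import re

# Constructed sample, modelled on the scm-server-0.log excerpt in this article.
SAMPLE_LOG = """\
2021-02-04 17:43:25.328 THREAD 147 SEVERE:  in: com.sygate.scm.server.task.ExternalLoggingWorker
2021-02-04 17:43:25.328 THREAD 147 SEVERE:  in: com.sygate.scm.server.task.ExternalLoggingWorker
java.lang.StringIndexOutOfBoundsException: begin 0, end -66, length 680753
    at java.base/java.lang.String.substring(String.java:1874)
    at com.sygate.scm.server.task.ExternalLoggingWorker.splitLongMessage(ExternalLoggingWorker.java:3312)
    at com.sygate.scm.server.task.ExternalLoggingWorker.handleLog(ExternalLoggingWorker.java:600)
2021-02-04 17:50:00.000 THREAD 12 INFO: constructed unrelated entry
2021-02-04 18:10:00.000 THREAD 147 SEVERE:  in: com.sygate.scm.server.task.ExternalLoggingWorker
java.lang.IllegalStateException: constructed, unrelated failure
"""

WORKER = "com.sygate.scm.server.task.ExternalLoggingWorker"
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) THREAD (\d+) (\w+):\s*(.*)$")
BOUNDS = re.compile(r"StringIndexOutOfBoundsException: begin (-?\d+), end (-?\d+), length (\d+)")


def find_failures(lines):
    """Return SEVERE ExternalLoggingWorker entries whose trace matches this article."""
    entries = []
    for line in lines:
        m = ENTRY.match(line)
        if m:  # a timestamped line starts a new log entry
            ts, thread, level, msg = m.groups()
            entries.append({"time": ts, "thread": int(thread), "bounds": None, "split": False,
                            "tracked": level == "SEVERE" and WORKER in msg})
            continue
        if not entries or not entries[-1]["tracked"]:
            continue  # continuation line of an entry we do not track
        cur = entries[-1]
        b = BOUNDS.search(line)
        if b:
            cur["bounds"] = tuple(int(x) for x in b.groups())
        if WORKER + ".splitLongMessage(" in line:
            cur["split"] = True
    # Require both the exception and the splitLongMessage frame, so other
    # ExternalLoggingWorker errors are not reported as this issue.
    return [{"time": e["time"], "thread": e["thread"], "begin": e["bounds"][0],
             "end": e["bounds"][1], "length": e["bounds"][2]}
            for e in entries if e["bounds"] and e["split"]]


if __name__ == "__main__":
    for hit in find_failures(SAMPLE_LOG.splitlines()):
        print("{time} thread {thread}: substring(begin={begin}, end={end}) on "
              "{length}-character message".format(**hit))
```

To use it on a real Manager, pass find_failures the lines of scm-server-0.log instead of SAMPLE_LOG; any hit dated after the workaround or upgrade means audit log forwarding is still failing.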