ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Old Endpoint Protection events appear in ICDx event archives

book

Article ID: 213715

calendar_today

Updated On:

Products

ICDx

Issue/Introduction

Searching the ICDx archive shows some events from the Symantec Endpoint Protection Manager (SEPM) collector with a Collected Time and Event Time far apart from each other:

 

Cause

On initial configuration and startup, the SEPM collector will collect all available events from the SEPM database if configured to do so. Following initial data collection, only new events since the last collector checkpoint will be collected.

Environment

Release : 1.4

Component : SEPM collector

Resolution

If events with a significant gap between Event Time and Collected Time appear in the ICDx data archive, these events were returned by the SEPM database at the time logged in the Collected Time field.

It the SEPM database continues to return old events to the ICDx collector, please export the events in question to a json file via the "down arrow" icon and open a support case for the ICDx product.

Attachments