Old Endpoint Protection events appear in ICDx event archives
Article ID: 213715
Updated On:
Products
Issue/Introduction
Searching the ICDx archive shows some events from the Symantec Endpoint Protection Manager (SEPM) collector with a Collected Time and Event Time far apart from each other:
Environment
Release : 1.4
Component : SEPM collector
Cause
On initial configuration and startup, the SEPM collector will collect all available events from the SEPM database if configured to do so. Following initial data collection, only new events since the last collector checkpoint will be collected.
Resolution
If events with a significant gap between Event Time and Collected Time appear in the ICDx data archive, these events were returned by the SEPM database at the time logged in the Collected Time field.
It the SEPM database continues to return old events to the ICDx collector, please export the events in question to a json file via the "down arrow" icon and open a support case for the ICDx product.
Attachments
Feedback
