This document explains how to run the ciffix utility to resolve corruption in the Enterprise Security Manager (ESM) database. You may see references in the ESM log files that suggest using the utility to resolve database corruption problems.
Often, when there is database corruption, the ESM manager service will not restart. The first indication of this may be an error in the ESM console, when you try to connect to the ESM manager, indicating that the "cif server" is unavailable.
One very common cause of database corruption is running out of drive space while the ESM manager is writing to a file. Other causes include OS conditions that produce file write errors, or disk write issues caused by bad hard disk sectors, controllers, etc.
To fix problems in the Control Information Files (CIF) database files (/esm/system/host_name/db/), run the ciffix utility as follows. Use the instructions that are for your operating system:
To run the ciffix utility on Windows:
1. Stop the Enterprise Security Manager service (ESM 9+ will be the Symantec Enterprise Security Manager service) via the Services window.
2. Open a command prompt. For example, click Start > Run, and type cmd in the Run line. Click OK. The command prompt appears.
3. In a command window, navigate to the \bin\<platform>
On ESM 6.5.3 SP2 and earlier:
CD C:\Program Files\symantec\esm\bin\[os_type]
On ESM 9.0 and later:
CD C:\Program Files\Symantec\Enterprise Security Manager\ESM\bin\[os_type]
4. There are two ways to run ciffix. The first is to identify the individual database files that might need attention and then run ciffix against only those files. This avoids the problem described in knowledgebase article: http://service1.symantec.com/support/intrusiondetectkb.nsf/docid/2003052205431853
The second method is to run ciffix wholesale against all database files.
WARNING: Only use the wholesale method if your ESM manager is at 6.5.3 SP2 or higher, or you have read and understand the precautions mentioned in the knowledgebase article "ESM ciffix utility deletes suppression records".
To run against only specific files, first identify them by running the following command from the directory mentioned in step 3 above:
ciffix -dan > output.txt
This command creates an output.txt file in the current folder. The file indicates which files may have issues. You are specifically looking for files that ciffix identifies as having a "corrupt header". You can ignore any errors about old data formats, as these are not caused by corruption. Note the files that have corrupt headers, then run the ciffix utility against each of those specific files. Ciffix creates a backup, in the db directory, of each database file it works on before making any changes to that file.
ciffix -dy C:\Program Files\symantec\esm\system\[hostname]
To run ciffix wholesale to correct any issues in all database files you would type the following command while in the directory mentioned in step 3 above:
5. Once the repair is complete, restart the ESM service previously stopped in step 1.
To run the ciffix utility on UNIX platforms:
1. Stop the ESM service. For example, type:
2. Navigate to the \bin\[platform]
3. From here on the directions for Windows machines (Step 4 and following) can be followed with only the need to change the path targeting individual database files to reflect the UNIX path to those files.
For example: /esm/system/[hostname]
WARNING: Only use the wholesale approach (Method B in the Windows section above) to using ciffix on UNIX if your ESM manager is at 6.5.3 SP2 or higher, or you have read and understand the precautions mentioned in the knowledgebase article "ESM ciffix utility deletes suppression records".
4. Once the repair is complete, restart the ESM service previously stopped in step 1.
Contact Symantec Technical Support if you have any questions or concerns when using the ciffix utility.
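The triage described in step 4 can be scripted. The following is an added example, not part of the original article or of any Symantec tooling: it sorts the lines of output.txt into "corrupt header" findings and ignorable old-data-format messages, and checks that the drive has room for the backup ciffix makes of a file. The layout of ciffix output is not shown in this article, so the sample lines and file names are constructed and the code relies only on the two phrases quoted above.

```python
import os
import shutil
import sys

# Constructed sample of output.txt. The real ciffix line layout is an
# assumption; only the phrases quoted in the article are matched.
SAMPLE_OUTPUT = """\
/esm/system/host1/db/example_a.dat: corrupt header
/esm/system/host1/db/example_b.dat: Old data format
/esm/system/host1/db/example_c.dat: OK
/esm/system/host1/db/example_d.dat: Corrupt Header
"""


def triage(report_text):
    """Return (repair, ignore): lines naming a corrupt header, and
    old-data-format lines that the article says can be disregarded."""
    repair, ignore = [], []
    for line in report_text.splitlines():
        lowered = line.lower()
        if "corrupt header" in lowered:
            repair.append(line.strip())
        elif "old data format" in lowered:
            ignore.append(line.strip())
    return repair, ignore


def backup_fits(db_file, free_bytes=None):
    """True if the drive holding db_file can take a same-size backup copy.
    free_bytes may be supplied for testing; otherwise the drive is queried."""
    size = os.path.getsize(db_file)
    if free_bytes is None:
        folder = os.path.dirname(os.path.abspath(db_file))
        free_bytes = shutil.disk_usage(folder).free
    return free_bytes > size


if __name__ == "__main__":
    # Usage: python triage.py output.txt   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OUTPUT
    repair, ignore = triage(text)
    print(f"{len(repair)} corrupt-header line(s), {len(ignore)} ignored")
    for line in repair:
        print("REPAIR:", line)
```

Run `backup_fits` on each flagged database file before running ciffix against it, with the ESM service still stopped.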
Syntax of the ciffix command:
ciffix [options] [full path to database file]
Where the options available to you are:
-a Run against all ESM CIF files. This checks all database files located in the <host_name>
-d Don't ask if CIF server has been shutdown.
-y Answer yes to all update questions.
-n Answer no to all update questions.
-c Compact records.
-v Verbose mode.
Follow any prompts displayed. The prompts you receive are determined by the options selected for running the ciffix utility. The ciffix utility may take quite a while to fix the corruption, depending on the corruption type and the size of the file that was corrupted. Ensure that you have plenty of hard drive space for ciffix to create a backup of any file that you are operating on. If you choose to run ciffix wholesale against all database files you will need to have at least double the space free on the drive that your current ....esm\system\[hostname]