Symantec Endpoint Protection (SEP) collector does not collect events.
Error message in the symcepstate.log or symcep.log:
Database query failed (error message: Invalid object name 'SEM_AGENT'.). Closing database connection. Query: SELECT LOWER(I.NAME), LOWER(M.NAME), MAX(SEM_AGENT.TIME_STAMP) AS TIME_STAMP, SUM(CASE WHEN INFECTED = 0 THEN 1 ELSE 0 END) AS NOT_INFECTED, SUM(CASE WHEN INFECTED = 1 THEN 1 ELSE 0 END) AS INFECTED_EVENT, SUM(CASE WHEN INFECTED NOT IN (0, 1) THEN 1 ELSE 0 END) AS UNKNOWN_HOST FROM SEM_AGENT with (NOLOCK) INNER JOIN IDENTITY_MAP I ON SEM_AGENT.GROUP_ID = I.ID INNER JOIN IDENTITY_MAP M ON SEM_AGENT.DOMAIN_ID = M.ID WHERE (SEM_AGENT.TIME_STAMP > ?) GROUP BY I.NAME, M.NAME ORDER BY TIME_STAMP
In the SSIM Client console you see events with the description when the event collector works, but state collector does not:
Description = Database query failed (error message: Invalid object name 'V_AGENT_PACKET_LOG'.). Closing database connection. Query: SELECT v.TIME_STAMP, v.EVENT_ID, LOWER(d.NAME), s.NAME, LOWER(r.NAME), LOWER(g.NAME), v.EVENT_TIME, v.HOST_NAME, v.LOCAL_HOST_IP, v.REMOTE_HOST_IP, v.REMOTE_HOST_NAME, v.LOCAL_PORT, v.REMOTE_PORT, v.TRAFFIC_DIRECTION, v.BLOCKED, v.APP_NAME, v.ALERT FROM V_AGENT_PACKET_LOG v with (NOLOCK) INNER JOIN IDENTITY_MAP d ON v.DOMAIN_ID = d.ID INNER JOIN IDENTITY_MAP s ON v.SITE_ID = s.ID INNER JOIN IDENTITY_MAP r ON v.SERVER_ID = r.ID INNER JOIN IDENTITY_MAP g ON v.GROUP_ID = g.ID WHERE (v.TIME_STAMP > ?) ORDER BY v.TIME_STAMP ASC
The user the Symantec Securit Information Manager (SSIM) collector is configured with to collect from the SEP Manager, which is setup to use Microsoft SQL (MSSQL) 2005, is not configured with the correct permissions, or is not configured with the correct Default Schema.
To resolve the permissions problem, ensure the user has at least Read Only permissions to read the database, and that Mixed Mode authentication is used.
For more information on the user account requirements, read the collectors Quick Reference Guide that is available from Fileconnect.
Microsoft changed the way schema's are recognized in Microsoft SQL 2005. In MS SQL 2005 the schema is no longer tied to the user login and it now a seperate container that can be set per user.
To make sure the user the collector is configured to login is setup with the correct Default Schema:
MS SQL 2005
- Login to Microsoft SQL Server Studio Manager.
- Navigate to the SEP database (sem5 by default) and expand the view directory.
- Identify what each object is prepended with. With a default SEP installation the objects are prepended with "dbo".
For example: dbo.V_AGENT_PACKET_LOG
- Navigate out of Databases and into Security > Login.
- Right click on the user used in the SSIM collector configuration and click Properties.
- On the users Login Properties screen, in the Select a page section click User Mapping.
- On the right, check the box for the database, then with the login field auto-populated, click the box in the Default Schema field.
- Type the correct Default Schema in the text box (what is prepended to the object name) and click Check Name.
- Click OK, and then on the Login Properties screen click OK again.
MS SQL 2000
In MS SQL 2000 the database schema is linked to the users login. Because the SEP Managers database is created during installation by the user sem5, the schema is sem5.
When MS SQL 2000 is used for the SEP Manager database, you must use the sem5 account when you configure the sensor for the SEP collectors.