The Symantec Endpoint Protection Manager (SEPM) is not importing log files uploaded by SEP clients, and large numbers of .dat files are accumulating in the data\inbox\log subfolders (behavior, client, security, system, traffic) under the directory where SEPM is installed.
Client log importing has previously worked on this SEPM server.
This issue can be caused by old bcp.exe processes hanging in the background on the SEPM server. Bcp.exe is part of the Microsoft SQL Client Tools and is used by SEPM to import .dat log files uploaded from the client into the database.
SEPM will only initiate a fixed number of simultaneous bcp.exe processes, so if a bcp.exe process has hung in the background for any reason, this can prevent further logs from being uploaded.
Use the Windows Task Manager or the Microsoft Sysinternals Process Explorer tool to verify whether any bcp.exe child processes under SemSvc.exe (the SEPM service) are running in the background. Normally a bcp.exe process started by SEPM should finish within a number of seconds. If there are bcp.exe child processes of SEPM that have been running for several days and are currently using 0% CPU, attempt to terminate these processes (or otherwise reboot the SEPM server, which should also resolve the problem).
After this, monitor the data\inbox\log\ subfolders to see if files are again being processed.
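The check described above can also be scripted. The following PowerShell is an added example, not Symantec's own tooling: it counts the .dat backlog per subfolder and flags bcp.exe children of SemSvc.exe that are old and idle. The parameter names, the 24-hour age threshold and the 5-second CPU sampling window are assumptions, and the SEPM installation directory must be passed in.

```powershell
# Added example (not Symantec code). $SepmRoot, $MinAgeHours and $SampleSeconds are assumed names/values.
param(
    [Parameter(Mandatory)] [string] $SepmRoot,  # directory where SEPM is installed
    [int] $MinAgeHours = 24,                    # assumed cut-off; the article says "several days"
    [int] $SampleSeconds = 5,                   # assumed window for measuring "0% CPU"
    [switch] $Terminate                         # without this switch the script only reports
)

# 1. Backlog: count .dat files in each data\inbox\log subfolder named in the article.
$logRoot = Join-Path $SepmRoot 'data\inbox\log'
foreach ($sub in 'behavior', 'client', 'security', 'system', 'traffic') {
    $dir = Join-Path $logRoot $sub
    $count = if (Test-Path $dir) { @(Get-ChildItem $dir -Filter *.dat -File).Count } else { 'missing' }
    '{0,-10} {1}' -f $sub, $count
}

# 2. Find bcp.exe processes whose parent is a running SemSvc.exe.
$all = Get-CimInstance Win32_Process
$sem = @{}
$all | Where-Object Name -eq 'SemSvc.exe' | ForEach-Object { $sem[$_.ProcessId] = $_.CreationDate }
$bcp = @($all | Where-Object {
    $_.Name -eq 'bcp.exe' -and $sem.ContainsKey($_.ParentProcessId) -and
    $sem[$_.ParentProcessId] -le $_.CreationDate   # guards against a reused parent PID
})

# 3. Sample CPU time twice: a hung process is old AND accrues no CPU time in between.
$before = @{}
foreach ($p in $bcp) { $before[$p.ProcessId] = $p.KernelModeTime + $p.UserModeTime }
Start-Sleep -Seconds $SampleSeconds
foreach ($p in $bcp) {
    $now = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ProcessId)"
    # Process finished (or its PID was reused) during sampling: it is not hung.
    if (-not $now -or $now.CreationDate -ne $p.CreationDate) { continue }
    $ageHours = ((Get-Date) - $p.CreationDate).TotalHours
    $idle = ($now.KernelModeTime + $now.UserModeTime) -eq $before[$p.ProcessId]
    $hung = $idle -and ($ageHours -ge $MinAgeHours)
    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Started   = $p.CreationDate
        AgeHours  = [math]::Round($ageHours, 1)
        Idle      = $idle
        Hung      = $hung
    }
    if ($hung -and $Terminate) { Stop-Process -Id $p.ProcessId -Force }
}
```

Run it from an elevated prompt on the SEPM server; running it again a few minutes later shows whether the per-folder .dat counts are falling.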
One option for SEPM servers affected by this problem is to switch the log handling to a separate method that does not use bcp.exe. To force the use of only the built-in SEPM batch handler method, follow the steps below:
1. Stop the "Symantec Endpoint Protection Manager" service.
2. Find the file conf.properties in the tomcat\etc subdirectory of the directory where SEPM is installed, and open the file in Notepad.
3. Add the line "scm.log.batchmode=1" (without the quotes) to the end of the file, then save the file and close Notepad.
4. Start the "Symantec Endpoint Protection Manager" service.
(This log handling method may have slightly lower performance overall.)
Knowledge-base article TECH95166 also covers a number of causes of a similar problem relating to incorrect installations of the SQL Client Tools.
Imported Document ID: TECH154417