Symantec Endpoint Protection Manager log processing is slow with error 1314 in the agentlogcollector logs.
Last Updated May 20, 2019
Log processing is running slower or not processing logs at all with a SEPM connected to a SQL database. There may be a build-up of .dat files in /data/inbox/agentinfo or /data/inbox/logs/*.
The following error can be observed in the agentlogcollector logs:
2011-10-30 14:50:30.999 THREAD 38 FINE: Batch mode is on backup.
2011-10-30 14:50:31.124 THREAD 38 FINE: logTableName: AGENT_TRAFFIC_LOG_INSERT_2D3C10DA0A01BC4F00D6F628FD48F676 fileName:A7D74C790A01BC4F0061146BB00E13E1.tmp.dat
2011-10-30 14:50:31.124 THREAD 38 FINE: Database major version: 10
2011-10-30 14:50:31.155 THREAD 38 FINE: SQLException: Failed to load data: CreateProcessAsUser failed with error 1314: A required privilege is not held by the client.
The SEPM service is trying to spawn BCP processes under the account used for Windows authentication on the SQL server. However, it fails to do so because the SEPM service account lacks the "Replace a process level token" privilege locally on the SEPM server. This will happen even if the SEPM is running under the same service account that is used to authenticate to the database.
Grant the "Replace a process level token" privilege to the account used to run the SEPM service in the local security policy on the SEPM.
- Open the Local Security Policy MMC (secpol.msc).
- Expand "Local Policies" - "User Rights Assignment".
- Add the service account to the "Replace a process level token" privilege.
The change may require a restart to take effect.
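To confirm the assignment after the steps above, the following PowerShell script exports the local user rights with secedit and reports whether the account holds SeAssignPrimaryTokenPrivilege, the constant name of "Replace a process level token". It is an added example, not part of the original article; the account name EXAMPLE\svc-sepm is a placeholder, and the script is assumed to run in an elevated session on the SEPM server.

```powershell
# Added example: does the account hold "Replace a process level token"?
param(
    # Placeholder (assumption); replace with the account that runs the SEPM service.
    [string]$ServiceAccount = 'EXAMPLE\svc-sepm'
)

$privilege = 'SeAssignPrimaryTokenPrivilege'   # constant name of the user right
$cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())

try {
    # Export only the user rights assignments from the local security policy.
    secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

    # secedit lists holders as *SID (or as a plain name), so resolve the account to its SID.
    $sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    $line = Get-Content -Path $cfg | Where-Object { $_ -match "^$privilege\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }

    # Show every holder with a readable name so group-based grants can be reviewed.
    foreach ($h in $holders) {
        $name = $h
        if ($h -like 'S-1-*') {
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$h).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $name = "$h (unresolved)" }
        }
        Write-Output "Holder: $name"
    }

    # Direct assignment only; membership in a listed group is not expanded here.
    if (($holders -contains $sid) -or ($holders -contains $ServiceAccount)) {
        Write-Output "$ServiceAccount is directly assigned $privilege."
    } else {
        Write-Output "$ServiceAccount is NOT directly assigned $privilege."
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

If a domain Group Policy defines this user right, it replaces the local assignment at the next policy refresh, so the grant has to be made in that GPO instead.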
SEPM connected to a SQL server using Windows Authentication, with the SEPM service running under a custom service account. Can happen on both SEP 11.0 and 12.1.
Imported Document ID: TECH176176