SEPM is not processing agent system logs unless services are restarted
Last Updated August 04, 2014
On the Symantec Endpoint Protection Manager (SEPM), reports show that the clients are updating successfully, but the client system logs cannot be retrieved in Monitors > Logs, or via database (V_AGENT_SYSTEM_LOG).
Investigation shows that there are many DAT files in %SEPM%\data\inbox\log\system, and new logs keep coming in.
After restarting the SEPM service, most of these DAT files get processed, then over time, the issue returns, requiring another restart.
The following lines appear repeatedly in scm-server-x.log:
Logging also stops in AgentLogCollector-x.log (the log of the task in charge of System log processing) when DAT processing seems to hang.
Application Learning can be resource-intensive for the SEPM (see TECH134367). Depending on the size of the environment, it may cause thousands of DAT files to be sent to the SEPM, which may not be able to process that volume of incoming data in a timely manner.
The Application Learning log processing task runs before the AgentLogCollector task, so if the first one is busy, the second one won't execute.
- Disable Application Learning. Re-enable it only when it is strictly needed (e.g. a virus outbreak, or setting up exclusions).
- Delete all files available in %SEPM%\data\inbox\log\learnedapp subfolders, then restart SEPM services.
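To confirm the backlog described above, and to check that it stays cleared after the workaround, the DAT files waiting in both inbox folders can be counted on a schedule. This is an added example, not Symantec code; the parameter names and thresholds are assumptions, and `-SepmRoot` must be given the folder that %SEPM% stands for on your server.

```powershell
# Added example: measure the DAT backlog in the SEPM inbox folders named in this article.
# $SepmRoot is an assumption: pass the folder that %SEPM% stands for on your server.
param(
    [Parameter(Mandatory = $true)][string]$SepmRoot,
    [int]$MaxFiles = 1000,       # hypothetical alert threshold, tune per environment
    [int]$MaxAgeMinutes = 60     # hypothetical limit on the age of the oldest unprocessed file
)

$inbox = Join-Path $SepmRoot 'data\inbox\log'
$now   = Get-Date

$report = foreach ($name in 'system', 'learnedapp') {
    $dir = Join-Path $inbox $name
    if (-not (Test-Path -LiteralPath $dir)) {
        [pscustomobject]@{ Folder = $name; DatFiles = $null; OldestMinutes = $null; Status = 'missing' }
        continue
    }

    # learnedapp keeps its files in subfolders, so search recursively in both cases.
    $files  = @(Get-ChildItem -LiteralPath $dir -Filter '*.dat' -File -Recurse -ErrorAction SilentlyContinue)
    $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1
    $age    = if ($oldest) { [int](($now - $oldest.LastWriteTime).TotalMinutes) } else { 0 }

    # A large count or an old file both mean the processing task is not keeping up.
    $status = if ($files.Count -gt $MaxFiles -or $age -gt $MaxAgeMinutes) { 'BACKLOG' } else { 'ok' }

    [pscustomobject]@{ Folder = $name; DatFiles = $files.Count; OldestMinutes = $age; Status = $status }
}

$report | Format-Table -AutoSize

# Pattern from this article: system logs pile up while learnedapp data is still queued ahead of them.
$system  = $report | Where-Object { $_.Folder -eq 'system' }
$learned = $report | Where-Object { $_.Folder -eq 'learnedapp' }
if ($system.Status -eq 'BACKLOG' -and $learned.DatFiles -gt 0) {
    Write-Warning 'System log backlog with learnedapp files queued: Application Learning load is a likely cause.'
}

# Non-zero exit code lets a scheduled task or monitoring agent raise an alert.
if ($report.Status -contains 'BACKLOG') { exit 1 }
```

A growing `system` count between runs means agent system logs are not reaching Monitors > Logs, so alerts and investigations that rely on them are working from stale data.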
SEPM 12.1 with Application Learning enabled (In the past or still in place).
Imported Document ID: TECH212911