Endpoint Protection Manager logs not generated after upgrade
Last Updated July 16, 2019
You upgraded your Symantec Endpoint Protection Manager (SEPM) to version 14.2 or higher, and the external logging component stopped writing certain logs (such as agt_traffic.log or agt_system.log). Your external logging or security information and event management (SIEM) server is not receiving these logs.
Environment: Symantec Endpoint Protection Manager 14.2 or higher
Environment: External logging or SIEM application (SolarWinds, Splunk, etc.)
Cause: An incorrect USN value in the SEPM database.
First, find and correct the incorrect USN value in the SemSiteState_1.xml file:
1. Locate the file C:\Users\[username]\AppData\Local\Temp\Temp[xxxx]\XmlSchema\SYSTEM_STATE\SemSiteState_1.xml on your SEPM server and make a copy of it. Replace [username] with the Windows username of the SEPM admin and Temp[xxxx] with the name of the temp directory inside your Temp directory. Note that there may be more than one Temp[xxxx] directory in the Temp directory; use the one that contains the XmlSchema subdirectory.
2. At the very beginning of the file, locate the field Id="[value]" in the SemSiteState tag and make a note of this value.
3. In the copied file (not the original), put the XML declaration <?xml version="1.0" encoding="UTF-8"?> at the very beginning.
4. Locate any ExtLogTrackEntity tags whose Usn value begins with five digits that are a multiple of 10000, that is, one digit followed by four zeros (e.g. 2000076285181). There will be two ExtLogTrackEntity tags with the LogType field corresponding to the missing logs (e.g. LogType="LT_AGT_RISK_LOG" for a missing agt_risk.log file).
5. Remove the four zeros and the digits to the left of them. In the example above, you would change 2000076285181 to 76285181.
Then update the database with the corrected data:
6. Back up your SEPM database. For an embedded database, use the Database Back Up and Restore Wizard, under the Symantec Endpoint Protection Manager folder in your Start menu.
7. Stop the following services:
   - Symantec Endpoint Protection Launcher Service (this also stops the Symantec Endpoint Protection Manager Service and Symantec Endpoint Protection Manager API Service)
   - Symantec Endpoint Protection Manager Webserver Service
8. Run the following SQL query. Replace [XML data] with the entire contents of the XML file from Step 5 above, replace [SemSiteState ID] with the value from Step 2, and if your SEPM database has a name other than the default, replace sem5 with that name. Include the single quotation marks where indicated. To query an embedded database, see How to query the SEPM embedded database.
   use sem5; update SYSTEM_STATE set content='[XML data]' where TYPE='SemSiteState' and ID='[SemSiteState ID]';
9. Finally, restart the services you stopped earlier (including the Symantec Endpoint Protection Manager Service and Symantec Endpoint Protection Manager API Service) and confirm that the missing logs are now present in C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump as .tmp files. (This may not happen right away, depending on which log was missing.)
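The following script is an added example, not Symantec's code, that carries out the XML part of the procedure above (steps 2 to 5) on a copy of SemSiteState_1.xml and then assembles the UPDATE statement from step 8. It assumes, since the article does not say, that Usn and LogType are attributes of the ExtLogTrackEntity element and that Id is an attribute of the SemSiteState element; the sample XML embedded in it is constructed for illustration. One check the article leaves implicit is also made explicit here: the XML is embedded in the SQL as a string literal, so any single quote inside it is doubled before it is pasted into the query.

```python
"""Added example, not Symantec's code: rewrite oversized Usn values in a copy of
SemSiteState_1.xml and build the UPDATE statement from the article.
Assumptions (not stated on the page): Usn and LogType are XML attributes of
<ExtLogTrackEntity>, and Id is an attribute of <SemSiteState>."""
import re
import sys

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>'

# Rule from the article: a bad Usn begins with five digits that are a multiple
# of 10000, i.e. one digit followed by four zeros (2000076285181 -> 76285181).
BAD_USN = re.compile(r"^\d0000(\d+)$")
USN_ATTR = re.compile(r'(<ExtLogTrackEntity\b[^>]*?\bUsn=")(\d+)(")')
SITE_ID = re.compile(r'<SemSiteState\b[^>]*?\bId="([^"]*)"')


def fix_usn(value: str) -> str:
    """Strip the leading 'd0000' prefix; leave a healthy value untouched."""
    m = BAD_USN.match(value)
    return m.group(1) if m else value


def fix_xml(text: str):
    """Return (fixed XML text, list of (old, new) Usn pairs that changed).
    Adds the XML declaration if the copy does not already start with one."""
    changed = []

    def repl(m):
        old, new = m.group(2), fix_usn(m.group(2))
        if new != old:
            changed.append((old, new))
        return m.group(1) + new + m.group(3)

    fixed = USN_ATTR.sub(repl, text)
    if not fixed.lstrip().startswith("<?xml"):
        fixed = XML_DECL + "\n" + fixed
    return fixed, changed


def site_state_id(text: str):
    """The Id="..." value from the SemSiteState tag (article step 2)."""
    m = SITE_ID.search(text)
    return m.group(1) if m else None


def build_update(xml_text: str, site_id: str, db: str = "sem5") -> str:
    """The article's UPDATE with the XML embedded as a string literal.
    Single quotes inside the XML are doubled so an apostrophe in the data
    cannot end the literal early or turn the rest into a second statement."""
    def esc(s):
        return s.replace("'", "''")
    return (f"use {db}; update SYSTEM_STATE set content='{esc(xml_text)}' "
            f"where TYPE='SemSiteState' and ID='{esc(site_id)}';")


# Constructed sample in the shape the article describes; every value is made up.
SAMPLE_XML = """<SemSiteState Id="SITE-ID-constructed" Version="1">
  <ExtLogTrackEntity LogType="LT_AGT_RISK_LOG" Usn="2000076285181"/>
  <ExtLogTrackEntity LogType="LT_AGT_RISK_LOG" Usn="2000076285190"/>
  <ExtLogTrackEntity LogType="LT_CONSTRUCTED_OK" Usn="76285000"/>
</SemSiteState>"""


def main(argv):
    if len(argv) != 3:
        print("usage: fix_semsitestate.py <copy of SemSiteState_1.xml> <out.sql>")
        return 2
    with open(argv[1], encoding="utf-8") as f:
        text = f.read()
    fixed, changed = fix_xml(text)
    for old, new in changed:
        print(f"Usn {old} -> {new}")
    site_id = site_state_id(fixed)
    if site_id is None:
        print("no SemSiteState Id found; refusing to build the UPDATE")
        return 1
    with open(argv[2], "w", encoding="utf-8") as f:
        f.write(build_update(fixed, site_id) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the copy of the file (never the original) and review the printed Usn changes before executing the generated SQL; with the constructed sample, the two LT_AGT_RISK_LOG entries are rewritten and the third entry is left alone because its value does not start with a digit followed by four zeros.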