Endpoint Protection


SEPM\data\inbox\log many ".err" files

  • 1.  SEPM\data\inbox\log many ".err" files

    Posted Feb 29, 2012 06:55 AM

    Hello,

    I just noticed that in the SEPM\data\inbox\log subfolders (like Client and System) there are many ".err" files. Does this indicate any problems, and how can I verify this?

    As far as I know, SEPM\data\inbox\log is where the clients upload data into different subfolders there.



  • 2.  RE: SEPM\data\inbox\log many ".err" files

    Posted Feb 29, 2012 07:06 AM

    Stop the SEPM service, delete them, and then restart the SEPM service and monitor the folder to see if it builds up again.



  • 3.  RE: SEPM\data\inbox\log many ".err" files
    Best Answer

    Posted Feb 29, 2012 07:17 AM

    If the above steps do not get rid of the files, then stop the SEPM service, delete the files and then start the SEPM service.

    There shouldn't really be any files in here. This is the folder that all the client information gets sent to. It sounds as though there is a problem processing the files. Normally you may see a handful of .DAT files that the SEPM will clean out on its own as it processes them.



  • 4.  RE: SEPM\data\inbox\log many ".err" files

    Posted Feb 29, 2012 07:17 AM


  • 5.  RE: SEPM\data\inbox\log many ".err" files

    Posted Feb 29, 2012 07:28 AM

    TMP files are generated on SEPM servers when it processes the logs received from the client machines and the .err files are generated when the SEPM server has issues in processing or forwarding the logs to the database server.

     

    You can find the “dat.err” files in the following locations:

     

    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo
    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content
    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log
    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\behavior
    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\client
    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\packets
    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\security
    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\system
    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\tex\AVMan
    D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\traffic

    The .ERR files can be deleted as such, or else you can have a .BAT script and have it scheduled to do the job, say once in a month or 2.



  • 6.  RE: SEPM\data\inbox\log many ".err" files

    Posted Feb 29, 2012 08:05 AM

    I deleted all ".err" files. Most of them were in the System and Clients subfolders. And actually most of them were very old (a few months and even 2-3 years old). For now all looks fine, no new err files generated.

    However, there is one more thing: the customer is using one AV software for the servers and SEP for the client machines. So the SEPM is installed on a server with another AV, not SEP. I checked in the scanning exclusions and the SEPM installation folder is not excluded from scanning. Should I exclude it, or do you not recommend excluding the whole SEPM folder?



  • 7.  RE: SEPM\data\inbox\log many ".err" files

    Posted Feb 29, 2012 08:21 AM

    If I had been in your place, I would have excluded the SEPM folder.



  • 8.  RE: SEPM\data\inbox\log many ".err" files

    Broadcom Employee
    Posted Feb 29, 2012 08:35 AM

    The .err files are the ones that are not processed by the SEPM. It could be overload on the SEPM and DB.



  • 9.  RE: SEPM\data\inbox\log many ".err" files

    Posted Feb 29, 2012 08:49 AM

    Thanks to all.



  • 10.  RE: SEPM\data\inbox\log many ".err" files

    Posted Feb 29, 2012 09:02 AM

    The err files are created when the SEPM has issues processing the logs from client to database. These have to be manually deleted. We were running eTrust on the SEPM servers and after installing SEP on SEPMs and upgrading to RU7, the issue was controlled to a great extent.



  • 11.  RE: SEPM\data\inbox\log many ".err" files

    Posted Feb 29, 2012 02:05 PM

    The .err files could be located in different subfolders, based on the directory infrastructure. I think some events might be stored in the .err files and never got processed. If we simply delete those files, we might end up losing some valuable event information, I am afraid, especially some of the things that the auditors look for.

    Why not rename .err back to .dat file to get them re-processed?



  • 12.  RE: SEPM\data\inbox\log many ".err" files

    Posted Feb 29, 2012 05:55 PM

    If you have not yet done so, I would highly recommend changing from PUSH to PULL mode and raising the heartbeat. This will help alleviate a lot of the load that is put upon this server.



  • 13.  RE: SEPM\data\inbox\log many ".err" files

    Posted Mar 01, 2012 06:07 AM

    This is the client information that the server sends to the DB. I do not think there is a way to say what exact information we may lose if we delete some files.

    But changing the .err file to .dat did actually work. The file was processed and removed automatically.
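
The two approaches discussed in this thread (checking where .err files build up, and renaming them back to .dat so the SEPM retries them) can be combined in one script. This is an added example, not part of the original posts and not Symantec tooling; the install path is the one quoted in post 5, and the `-Requeue` switch, the `-MaxAgeDays` cutoff and the two file-name patterns handled are assumptions.

```powershell
# Added example: inventory SEPM inbox .err files and optionally requeue them as .dat.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: install path as quoted in the thread; adjust for your server.
    [string]$InboxRoot = 'D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox',
    # Hypothetical switch: rename .err back to .dat so the SEPM picks the files up again.
    [switch]$Requeue,
    # Assumption: only files newer than this are requeued; older ones are reported only.
    [int]$MaxAgeDays = 30
)

# -Filter can also match longer extensions through 8.3 short names, so re-check the extension.
$errFiles = @(Get-ChildItem -LiteralPath $InboxRoot -Recurse -File -Filter '*.err' -ErrorAction Stop |
    Where-Object { $_.Extension -eq '.err' })

# Per-folder summary: where unprocessed files build up and how old they are.
$errFiles | Group-Object DirectoryName | ForEach-Object {
    $sorted = @($_.Group | Sort-Object LastWriteTime)
    [pscustomobject]@{
        Folder = $_.Name
        Count  = $_.Count
        Oldest = $sorted[0].LastWriteTime
        Newest = $sorted[-1].LastWriteTime
        SizeKB = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1KB, 1)
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize

if ($Requeue) {
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    foreach ($f in $errFiles | Where-Object { $_.LastWriteTime -ge $cutoff }) {
        # Assumption: files are named "<name>.dat.err" or "<name>.err".
        $newName = if ($f.Name -like '*.dat.err') { $f.BaseName } else { $f.BaseName + '.dat' }
        $target  = Join-Path $f.DirectoryName $newName
        if (Test-Path -LiteralPath $target) {
            # Never overwrite a .dat file that is already waiting to be processed.
            Write-Warning "Skipping $($f.FullName): $newName already exists"
            continue
        }
        if ($PSCmdlet.ShouldProcess($f.FullName, "Rename to $newName")) {
            Rename-Item -LiteralPath $f.FullName -NewName $newName
        }
    }
}
```

Run it without switches to get the inventory only, then with `-Requeue -WhatIf` to preview the renames before making them. Files older than the cutoff are left in place for manual review.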