Endpoint Protection


External logging does not update log files

  • 1.  External logging does not update log files

    Broadcom Employee
    Posted 02-14-2018 07:30 AM

    Hi,

    We have made an external reporting setup to be able to send log files to Splunk.

    However, we notice that the log file is not updating. The update frequency is set to 30 seconds and we can see the .tmp file being updated but not the log file.

    Any idea how we can change the settings so it is updating frequently?

     

    Kind regards



  • 2.  RE: External logging does not update log files

    Broadcom Employee
    Posted 02-14-2018 03:52 PM

    Hi Hans,

    Could you confirm the version of SEPM you're encountering this issue with?  I'm aware of a few cases recently where updating the version of the external logging solution in use helped to resolve similar behavior. 

    Does the log data in Splunk update at any point? 



  • 3.  RE: External logging does not update log files

    Broadcom Employee
    Posted 02-15-2018 02:47 AM

    Our SEP version is 14.0.2415.0200

    Splunk gets its data from the .log file, but as it is not updated the data remains the same.

    As you can see in the screenshot, the .tmp is getting its data but it is not sent to the .log file.



  • 4.  RE: External logging does not update log files

    Broadcom Employee
    Posted 02-15-2018 07:37 AM

    Our SEP version is 14.0.2415.0200

    Splunk gets its data from the .log file, but as it is not updated the data remains the same.

    As you can see in the screenshot, the .tmp is getting its data but it is not sent to the .log file.



  • 5.  RE: External logging does not update log files

    Broadcom Employee
    Posted 02-15-2018 04:30 PM

    If you move those log files with the older date out of the folder do they get recreated and updated?

    We would need Finest level debug logging enabled on the SEPM and a Symdiag to review.

    Thanks,

    John Owens



  • 6.  RE: External logging does not update log files

    Broadcom Employee
    Posted 02-16-2018 04:48 AM

    We enabled Symdiag but we cannot see where to enable the Finest level of logging.
    Do you know where it is located?

    When we move all old files away from the folder, the new files are being created but they do not update like they should.

    E.g. you can see in the image that agt_risk.tmp gets new data and the change date of the log is much newer than the agt_risk.log that is still from 8:42 and is not getting its update.

    Can you also explain what these options do?

    "Limit Dump File Records" 

    and Risk Log Limit = 10

    What does it do?



  • 7.  RE: External logging does not update log files

    Posted 9 days ago
    Did you ever find a solution to this?


  • 8.  RE: External logging does not update log files

    Posted 9 days ago

    This is a known bug fixed in SEP 14.3

    https://knowledge.broadcom.com/external/article/176235



    ------------------------------
    Syscom AS
    ------------------------------