Trusted Contributor.

Symantec Endpoint Protection Smart Connector Invalid Column name ‘PUB_KEY’


I am having problems with Symantec Endpoint Protection DB smart Connector. I have set up and configured the connector as the documentation suggests. The connector connects to the SEP DB and pulls a lot of data through to ESM and logger. We are running SEP 12.1.

Within the logs I can see a FATAL Exception:

com.microsoft.sqlserver.jdbc.SQLServerException: Invalid column name ‘PUB_KEY’.

I believe this column is native to SEP 14 and not 12. I know we are missing virus alerts in ArcSight also.

 

Any help appreciated.

Accepted Solutions

Acclaimed Contributor.

I think it's trying to use the newer 14.x SEP parser.

Try the following:

1) Create the directory <agent_home>/current/user/agent/fcp/symantecendpointprotection_db/alerts

2) In that directory create the file "12_x.sdkibdatabase.properties" and put the following line in that file "version.order=0".

3) In that directory create the file "14_x.sdkibdatabase.properties" and put the following line in that file "version.order=1".

Re-enable the "Alerts" in your configuration and restart the agent. See if the error persists.

Basically the above just changes the order in which it tries to evaluate the parsers. I would expect the default behavior is that the newest parser (SEP 14.x) is evaluated first (order=0), then (SEP 12.x) is evaluated second (order=1), then (SEP 11.x) is evaluated third/last (order=2).

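The steps in the answer above as a shell sketch that can be re-run safely and checked before the agent is restarted. This is an added example, not part of the original post or of ArcSight's tooling; the function names, passing the agent home and the agent log file as arguments, and a Unix-like shell on the connector host are assumptions.

```shell
#!/bin/sh
# Directory and file names are the ones given in the answer; the agent home and
# log file are supplied by the caller (assumptions, not from the post).
# Usage after sourcing: apply_override /path/to/agent_home; effective_order /path/to/agent_home

ALERTS_REL="current/user/agent/fcp/symantecendpointprotection_db/alerts"

# set_order DIR FILE N: make FILE in DIR carry exactly one version.order=N,
# keeping any other properties that are already in the file.
set_order() {
    f="$1/$2"
    mkdir -p "$1" || return 1
    if [ -f "$f" ]; then
        grep -v '^[[:space:]]*version\.order[[:space:]]*=' "$f" > "$f.tmp" || true
    else
        : > "$f.tmp"
    fi
    printf 'version.order=%s\n' "$3" >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# apply_override AGENT_HOME: 12.x parser first (0), 14.x parser second (1).
apply_override() {
    dir="$1/$ALERTS_REL"
    set_order "$dir" "12_x.sdkibdatabase.properties" 0 &&
    set_order "$dir" "14_x.sdkibdatabase.properties" 1
}

# effective_order AGENT_HOME: print "<order> <file>" sorted by order, so the
# override can be confirmed on disk before the restart.
effective_order() {
    dir="$1/$ALERTS_REL"
    for f in "$dir"/*.sdkibdatabase.properties; do
        [ -f "$f" ] || continue
        n=$(sed -n 's/^[[:space:]]*version\.order[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        printf '%s %s\n' "${n:-unset}" "$(basename "$f")"
    done | sort -n
}

# pubkey_errors LOGFILE: count log lines still reporting the PUB_KEY exception.
pubkey_errors() {
    grep -c "Invalid column name.*PUB_KEY" "$1" || true
}
```

Run `pubkey_errors` against the agent log before and after the restart; a count that keeps growing means the 14.x query is still being issued.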

Trusted Contributor.

Update to the above problem:

The issue is related to the "Alerts" retrieval only. When this is removed from the collector configuration there are no errors within the logs.

I will raise a call with Micro Focus this week.

Trusted Contributor.

Thank you very much Shaun! This issue had me puzzled for some time. Really appreciate your help!

Trusted Contributor.

This did not work for me. I am still receiving the PUB_Key error and device up device down messages. Is there anything else you changed?
