KB Article | Forcepoint Support

Notes & Warnings

Important The KB Articles provided may require you to log in to https://support.forcepoint.com to view. If you do not have an account, please Create a Customer Account. If you have an account but cannot log in, Contact Support for assistance.

Resolution

This page is designed to be a one-stop shop with featured content articles that provide relevant information regarding log server and log database questions.
 
Note The featured content listed may apply to multiple products and versions. Verify the products and versions stated in the article to ensure you are reviewing the correct featured content for your configuration. 

The information in this article is separated into the following categories:

Note All information applies to Web unless it is listed under Email, Data or NGFW.

General

Log Database sizing guidance
This document gives information on growth rates and sizing along with variables to consider.
 
Factors that affect reporting database size
There are a few methods available to reduce the amount of logging for Web, at the cost of log precision in reports. This is particularly useful if SQL routinely runs low on space.
 
Increase logging speed by switching Log Server to BCP mode
Using BCP instead of ODBC both increases logging speed and helps retain unwritten data if there is a logging issue.

Log Server And Log Database On VMware
Forcepoint does not recommend running Log Server and Log Database on VMware.

Quantity of licenses for MS SQL server for the Forcepoint logging and reporting database
Licensing is ultimately a discussion with Microsoft; however, this article lists some questions to help guide that process.
 
SQL database wslogdb70_amt_1
This specific database is where the information is housed for the Threats Dashboard for Web.
 
Using Log Server with Microsoft SQL Server Clustering
This article refers by version to the articles specific to Forcepoint reporting database clustering.
 
SQL server is using all available memory
SQL will use all available memory by default. This article includes a link to Microsoft's site for how to limit the memory.
 
Exporting SQL Server logs and job history
This article details how to retrieve server logs and job history in SQL for troubleshooting.
 
Querying the SQL database for hits on a particular day
While Investigative Reports is useful for viewing the actual data for a day, this article discusses how to query the database for hit counts for troubleshooting and sizing purposes.
 
Debugging the Log Server service
Log Server may be started with the -debug option to generate debug output if there is a logging issue.
 

Configuration

How to update the ODBC and the Log Server connections
During troubleshooting or after changes have been applied, ODBC and Log Server must still be able to connect, even if using BCP. This article explains how to verify these connections.
 
Changing the SQL Server password used by the Log Server
If the password for the SQL Server admin changes, the password in Forcepoint Security Manager also needs to be changed.
 
Changing the SQL Server account used to connect to the Log Database
If the account for SQL needs to change, this article gives instructions on what permissions are needed, and how to reconfigure the Log Server to use this new connection.
 
Limited SQL account requirements for Forcepoint
This article identifies what permissions are needed for environments where a limited SQL account needs to be used instead of an administrator account.
 
Improve Log Server Performance for ODBC
If using ODBC instead of BCP, increasing connections is the best method for improving performance, but at the cost of system resources. Using BCP is better in this regard.
 
Increase logging speed by switching Log Server to BCP mode
Using BCP instead of ODBC both increases logging speed and helps retain more unwritten data if there is a logging issue.
 
Log Server with multiple Filtering Services
It is possible to have 10 Filtering Services connected to a single Policy Server, and multiple Policy Servers logging to a single Log Database.
 
Configuring distributed logging
This documentation explains how to configure distributed logging where you have a single Central Log Server to log data from remote Log Servers.
 

Moving the Database

v7.7.x-v8.x Moving the Web Security Log Database to a different SQL Server
This article links by version to the necessary steps to move the Web log database to a different SQL server.
 
Moving the Web Security Log Database from one drive or partition to another
This article gives steps for moving the Web log database to a different partition or hard drive on the same SQL server.
 

Files not writing to SQL

Reports have no data or no recent data and Log Server is not logging data
This is the primary article for Web when Log Server is failing to log.
 
Recreate the SQL Agent jobs if no data is being logged
This goes over how to recreate the jobs responsible for writing to the SQL database.
 
Log data files not being processed in multiple log server environment
This issue is specific to a multiple log server environment in 8.3.

SQL ETL jobs failing due to missing incoming buffer tables
This error can cause the database to not write and is generally found when checking the error logs on the SQL server.

Hybrid Web Cloud Endpoint logging not occurring for off-site users
This article discusses what to do if off-premise users who are using Web Cloud Hybrid are not showing in the logs.

Manually push hybrid log files to the log server
This is how to manually retrieve the Hybrid logs if they are not automatically logging.
 
Log files not writing due to Hosted IncomingBuffer size
The Hosted IncomingBuffer is the Hybrid logging buffer for Email and Web in SQL.
 
Move Log Server cache files
This article explains how to deal with a large number of backed-up .tmp files in Cache or Cache/BCP to ensure they can be written later.
 

Partitions

Creating New Partitions
Manually Creating A New Partition
This article gives instructions for creating a new partition in SQL.
 
SQL failed to create a new database partition
This article gives troubleshooting steps when SQL will not create a new partition. It also links to other articles related to database creation.
 
Unable to create a new partition after upgrading to version 8.3
This article is for a specific problem with creating partitions after upgrading from 8.0-8.2 to 8.3 or higher.
 
SQL fails creating new database due to limit on the number of active partitions
There is a hard limit as to how many partitions can be used at a time. Active partitions are ones that Log Server can actively poll for reporting information.
 
Partition database creation fails with insufficient permissions error
There are many permissions considerations for partition creation. This article goes over the most common.
 
Deleting Partitions
Deleting Log Database partitions
How to delete Log Database partitions. Includes information for Web, Email and Data.
 
Unable to delete or disable partitions from the Forcepoint Security Manager
This article is a reference to cite when opening a case for this problem. Make sure you let the technician know you were on this page.
 
Database partitions are marked red in Forcepoint Security Manager
Partitions shown in red are expired partitions that have not yet been deleted, for one of a few different reasons.
 
SQL Maintenance job failing due to collation mismatch
This particular error happens after having migrated a database to another SQL instance.
 
Archiving and Reattaching Partitions
Archiving Log Database partitions or bringing archived partitions back online
This article is a launch point for instructions by version.
 
Partition not displayed in Forcepoint Security Manager after being reattached to SQL database
This article gives steps on what to do if reattaching a partition doesn't work.
 

Upgrade and Installation Errors

Manually creating a new catalog database
If Log Server fails to create a new Catalog Database during installation, these steps will help manually create a new database.

Log Server installation fails with error "Failed to generate the ODBC connection for the database"
If the Log Server fails to install but an ODBC connection is created, deleting that ODBC connection is necessary to complete reinstallation.

"Service was not found" error for Log Server, and Log Server does not install successfully
This article includes steps for reinstallation from the command line rather than from the Forcepoint Installer to resolve the error.

Forcepoint Install Fails With “Cannot Connect To SQL Server” Error
This error is typically due to the TCP/IP options for SQL not being enabled for port 1433.

The "Use the SQL Server database installed on another machine" option grayed out
This issue is caused by a configuration setting and generally occurs when upgrading or reinstalling. Applies to Web, Data and Email.

"Cannot communicate with Policy Broker" error when installing or upgrading Log Server
There are multiple causes for this error with various steps for troubleshooting listed in this article.
 

General Errors

SQL ETL jobs failing due to missing incoming buffer tables
This error is most commonly found when there is no logging happening and/or no partitions being created.

ETL fails with SQL error: "There is insufficient memory in the resource pool internal"
This error is specific to missing hotfixes for SQL Server 2008 Express or Standard edition.

SQL Jobs Fail with Error 8198
This error is specific to an authentication error with the account used in SQL. This affects Web, Email and Data.

“Failed to Register LogServer to LogDB” error displayed when debugging the Log Server
This error requires Technical Support assistance to adjust the SQL database itself. Applies to versions 8.3-8.5.

Log Server test connection failures
This error is generally due to a configuration issue in the logserver.ini file.

Unable to recreate SQL agent in SQL Server Express edition
This error comes up when logging has stopped under SQL Server Express, due to the database size limit of Express editions.

"Cannot Connect to the Log Database" error message
This error is specific to a connection failure with the SQL server where the log database resides.

"24 hours since Sync Service..." alert messages in Health Alert Summary window
This alert is specific to Web Hybrid and reads "24 hours since Sync Service downloaded" or "24 hours since Sync Service sent logs".
 

Email Specific

Configuration
Email Log Server Configuration Utility
This applies to version 8.2. For 8.3+, follow the 8.5 technical PDF at Email Log Server Configuration Utility.

Custom SQL query to return failed message status codes
This query must be obtained from Technical Support, as some configuration has to be done.

Moving the Database
Migrate Email SQL databases to a new SQL Server
This article gives steps for moving the Email log database to a different SQL server.

Files not writing to SQL
Fix ETL jobs that are not running in SQL express
This article contains queries to correct the database Broker and Trustworthy attributes for the Email Security Database.

Log files not writing due to Hosted IncomingBuffer size
The Hosted IncomingBuffer is the Hybrid logging buffer for Email and Web in SQL.

Partitions
Deleting Log Database partitions
How to delete Log Database partitions. Includes information for Web, Email and Data.

Cannot create new partition and receiving partition sizing error
This error is due to the model database initial size being larger than the ESG database initial size.

ESG - Restored Partition databases are missing from Forcepoint Security Manager
This issue is specific to databases that had been archived and were later reattached.

New esglogdb76 partition cannot be created
This article gives the necessary SQL queries to correct the partition creation.

Upgrade and Installation Errors
The "Use the SQL Server database installed on another machine" option grayed out
This issue is caused by a configuration setting and generally occurs when upgrading or reinstalling. Applies to Web, Data and Email.

Email logging issue after upgrade to 8.5
This error is due to rollover being set to a time-based setting.

Upgrade fails when SQL is running on Windows 2016
This error is specific to 8.3 due to the version of OS in use.

Email Security Manager v8.5 installation fails with error 142
This specific error is fixed with a file attached to the article.

SQL Database and PEM problems following upgrade to v8.3
This article contains multiple issues and resolutions for problems that happen after upgrading to 8.3.

"Current versions found" error when trying to reinstall Email Log server
This error happens when registry values from the previous Log Server installation still exist on the server.

General Errors
Error: Log server xx.xxx.xxx.xxx connection pool has reached its maximum size
There is a hard-coded limit on the number of connections between Log Server and an Appliance.

 

Data Specific

Moving the Database
Moving the Data Security database to another MS SQL Server
This article gives steps for moving the Data log database to a different SQL server.

Partitions
Deleting Log Database partitions
How to delete Log Database partitions. Includes information for Web, Email and Data.

Upgrade and Installation Errors
The "Use the SQL Server database installed on another machine" option grayed out
This issue is caused by a configuration setting and generally occurs when upgrading or reinstalling. Applies to Web, Data and Email.

General Errors
“Failed to write to local path from SQL server” error displayed when running backup
This error may happen when running a backup for Data from the installer.

Forcepoint DLP Manager Won't Start After Applying Security Updates To SQL Server
This error is indicated by "Forcepoint DLP could not be launched" or the manager not loading the Data module. It is due to an issue with NTLMv1 and requires Technical Support assistance.

Encrypted SQL connections are disrupting endpoint status reports in Data
This issue was more common in older versions but may still happen. Contact Technical Support for assistance.

“Archiving of partition with id XXXXX failed” error displayed during automatic archive partition process
This error happens during auto archive for maintenance.

NGFW Specific

General
Monitoring views operate through primary log server
Since SMC version 6.2.1, a backup Log Server becomes available if the primary goes down.

Log fields that are forwarded in CEF format
Other formats are also supported, but this article is specifically designed for CEF information.

Why is there a 100000 log entry limit for SMC Log Analysis?
It is possible to increase the limit; however, a recommended upper limit is given in the article.

Configuration
Modify SMC Log Export fields
Individual log columns cannot be selected for export in the SMC Logs view, but a workaround exists.

Defining log fields included in logs forwarded by SMC
This article covers further customization of SMC logging when forwarding to an external host.

How to forward SMC log and audit data to external syslog or SIEM servers
Instructions for integrating with an external syslog host.

How to add alternative log archives
This article is for configuring a separate location to store some of the NGFW logs.

Changing the log storage directory
This article is for changing the Log Storage directory after installation.

How to set up an SMC third-party Logging Profile
A logging profile export attachment is included with the article that has been updated for 6.4 and higher.

Performance
Forcepoint NGFW Log Server performance
This article gives examples of why Log Server performance may degrade, as well as tested specification information.

Modifying the memory allocation and resources, post installation, for SMC servers
This article gives instructions for adjusting the memory allocation for the SMC servers.

Mitigation of logs queries starvation occurring during intensive logs search activities in SMC
Since SMC version 6.4.5, fine tuning the queries and time limits is available.

Backups and Applying Backups
How to create Log Server backups from the command line
This article explains how to perform backups from the command line.

How to enable the Log Server backup to include log data
By default, Log Server backup does not include log data.

Log server fails and displays a status of unknown when you install Security Management Center and restore only a management server backup
The issue is caused by a missing certificate for Log server.

Engine monitoring no longer works after you restore a Management Server or Log Server backup
This issue is caused by incorrect certificate serial numbers when applying an older backup.

Change the location of the Security Management Center backup directories for the Management and Log servers
This article explains how to create a backup directory for Management and Log Servers.

Troubleshooting
Troubleshooting NGFW to Log Server Connectivity
This connectivity error can be caused by multiple issues.
