We have SEM Agents on all our Win10 laptops and when the user is on the network (either in the office or connected via VPN), the SEM server collects all the system, application & security events for each device. When the user disconnects from the network/VPN, and works offline, those logs continue to collect events, but they never find their way back to SEM. This leaves huge gaps between event collections for each device.
I opened a support ticket and they said when it works, SEM will store the events in this folder: C:\Windows\SysWOW64\ContegoSPOP\spop\q\CommDataQueue. I watched the engineer disconnect from his VPN and his folder filled up within minutes with queued-up events. When I disconnect from my VPN, nothing happens. Nothing is stored in the folder, and nothing gets written back to SEM once I'm reconnected. This is concerning because somebody could attempt to hack a company laptop and we'd never see a single event from it.
What are some ways I can troubleshoot this? I looked in the spoplog.txt log file and all I see is the agent disconnecting from the SEM server and then attempting to reconnect. Nothing in the logs about writing the events to a folder named CommDataQueue. I'll post my log file in the replies. Thanks in advance!