SEM Agents aren't collecting events when devices are offline

We have SEM Agents on all our Win10 laptops and when the user is on the network (either in the office or connected via VPN), the SEM server collects all the system, application & security events for each device. When the user disconnects from the network/VPN, and works offline, those logs continue to collect events, but they never find their way back to SEM. This leaves huge gaps between event collections for each device.

I opened a support ticket and they said when it works, SEM will store the events in this folder: C:\Windows\SysWOW64\ContegoSPOP\spop\q\CommDataQueue. I watched the engineer disconnect from his VPN and his folder filled up within minutes of queued up events. When I disconnect from my VPN, nothing happens. Nothing is stored in the folder, and nothing gets written back to SEM once I'm reconnected. This is concerning because somebody could attempt to hack a company laptop and we'd never see a single event from it.

What are some ways I can troubleshoot this? I looked in the spoplog.txt log file and all I see is the agent disconnecting from the SEM server and then attempting to reconnect. Nothing in the logs about writing the events to a folder named CommDataQueue. I'll post my log file in the replies. Thanks in advance!
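The checks below are an added example for working through the question above; they are not from the original post and not a SolarWinds tool. The script reproduces the support engineer's test in a controlled way: it verifies the CommDataQueue folder (the path support quoted) exists and is writable, confirms the manager is actually unreachable once the VPN is down, generates a trickle of Application events while watching whether queue files appear, and then pulls the connection- and queue-related lines out of spoplog.txt. The spoplog.txt location, the manager host name and the agent port 37891 are assumptions (the post does not state them); pass your own values as parameters. Run it in an elevated PowerShell session, then drop the VPN while it is watching.

```powershell
<#
Added troubleshooting script, not part of the original post or of SolarWinds' agent.
Assumed values (not stated in the post): the spoplog.txt location, the SEM manager
host name and the agent port. The queue path is the one quoted by support.
#>
param(
    [string]$QueuePath    = 'C:\Windows\SysWOW64\ContegoSPOP\spop\q\CommDataQueue',
    [string]$SpopLog      = 'C:\Windows\SysWOW64\ContegoSPOP\spop\spoplog.txt',  # assumed location
    [string]$SemHost      = 'sem.example.internal',                              # assumed host
    [int]   $SemPort      = 37891,                                               # assumed agent port
    [int]   $WatchSeconds = 120
)

# File count and total size of the queue folder, so deltas can be compared over time.
function Get-QueueState {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Exists = $false; Files = 0; Bytes = 0 }
    }
    $files = @(Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue)
    $bytes = if ($files.Count) { ($files | Measure-Object -Property Length -Sum).Sum } else { 0 }
    [pscustomobject]@{ Exists = $true; Files = $files.Count; Bytes = [int64]$bytes }
}

# Write and delete a probe file. The agent runs as LocalSystem, so an elevated
# session is the closest easy approximation of the permissions it really has.
function Test-QueueWritable {
    param([string]$Path)
    $probe = Join-Path $Path ("probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        $true
    } catch { $false }
}

# Recent agent log lines that mention the queue or connection state.
function Get-SpopLogHits {
    param([string]$Path, [int]$Tail = 400)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-Content -LiteralPath $Path -Tail $Tail |
        Select-String -Pattern 'CommDataQueue|queue|disconnect|reconnect|connect'
}

# 1. Static checks on the queue folder: existence, permissions, free space.
$state = Get-QueueState -Path $QueuePath
"Queue folder exists: $($state.Exists)  files=$($state.Files)  bytes=$($state.Bytes)"
if ($state.Exists) {
    "Writable from this session: $(Test-QueueWritable -Path $QueuePath)"
    (Get-Acl -LiteralPath $QueuePath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
}
$drive = Get-PSDrive -Name $QueuePath.Substring(0, 1)
"Free space on $($drive.Name): drive: {0:N0} MB" -f ($drive.Free / 1MB)

# 2. Is the manager reachable right now? Expect False once the VPN is down.
$reach = Test-NetConnection -ComputerName $SemHost -Port $SemPort -WarningAction SilentlyContinue
"Manager ${SemHost}:${SemPort} reachable: $($reach.TcpTestSucceeded)"

# 3. Generate Application events (eventcreate.exe is a stock Windows tool; the
#    source name is arbitrary) and watch whether the queue folder grows.
$baseline = Get-QueueState -Path $QueuePath
$deadline = (Get-Date).AddSeconds($WatchSeconds)
$n = 0
while ((Get-Date) -lt $deadline) {
    $n++
    & eventcreate.exe /ID 100 /L APPLICATION /T INFORMATION /SO SEMQueueProbe `
        /D "SEM offline-queue probe event $n" | Out-Null
    Start-Sleep -Seconds 10
    $now  = Get-QueueState -Path $QueuePath
    $args = @((Get-Date), $n, $now.Files, ($now.Files - $baseline.Files), $now.Bytes)
    "{0:HH:mm:ss} probe={1}  queued files={2} (delta {3})  bytes={4}" -f $args
}

# 4. What the agent itself logged during the test.
"`nRecent spoplog.txt lines mentioning the queue or connection state:"
Get-SpopLogHits -Path $SpopLog | ForEach-Object { $_.Line }
```

Reading the output: if the manager is unreachable, the folder is writable, the probe events land in the Application log, and the file count still never moves, the agent on that laptop is not queuing at all, which is worth comparing against the engineer's laptop (agent version and config) rather than against the network. If files do appear but never drain after the VPN comes back, the problem is on the forwarding side instead. Either way the queue deltas and the matching spoplog.txt lines give support something concrete to look at.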

  • I currently have the SEM port running through a reverse proxy, so no VPN is required. The issue might be that the IP address from the VPN does not match the profile in SEM. If it connects via DNS name, the name resolution is not matching. Try configuring it by IP address or DNS name. This could be causing the issue, as the local DNS builds the ARP table for the computer; when it disconnects, the ARP table still keeps the mapping.