Event ID: 4096 Source: SemSrv

The Java Virtual Machine has exited with a code of -1 the service is being stopped.
In my case I noticed that the WinHTTP Web Proxy Auto-Discovery Service was not started. I started the service and then tried logging into the console and it worked fine. I then looked at client machines and saw that they were being managed (little green dot). I set the service to automatic to avoid this in the future.
In my case this happened because the transaction log of the SEP SQL database was full.
With our customer the problem was that the VMware Server web access service was installed and it listens on port 8005, the same port that the semsrv needs to fire up the Symantec Endpoint Protection Manager.

With the following command you can send the output of the processes listening on your ports to a text file:

netstat -ano >c:\listeningports.txt

Then you can open Task Manager and add the process IDs to the view. You can then see which process is hogging your 8005 port. In my case it was tomcat6.exe. If the service is not critical then stop it and set it to manual in case you need it again.
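
The netstat and Task Manager lookup described in the comment above can be done in one step. This PowerShell function is an added example, not part of any comment on this page; the function name Get-PortOwner and the sample lines are constructed for illustration, and it assumes English-language netstat output (the LISTENING state string).

```powershell
# Added example: report which process owns the listener on given TCP ports.
# It parses `netstat -ano` text, so it also works on older servers that
# lack the Get-NetTCPConnection cmdlet.
function Get-PortOwner {
    param(
        [int[]]$Port = @(8005),
        # Lines of `netstat -ano` output; defaults to a live call.
        [string[]]$NetstatLines = (netstat -ano)
    )
    foreach ($line in $NetstatLines) {
        # TCP rows have five columns: Proto, Local, Foreign, State, PID.
        # Headers, blank lines and UDP rows (no State column) are skipped.
        $f = @($line.Trim() -split '\s+')
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }

        # The port follows the last colon; this also covers IPv6 ([::]:8005).
        $localPort = [int]($f[1] -replace '^.*:', '')
        if ($Port -notcontains $localPort) { continue }

        $ownerPid = [int]$f[4]
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name = '(no such process)'
        if ($proc) { $name = $proc.ProcessName }

        New-Object PSObject -Property @{
            Port         = $localPort
            LocalAddress = $f[1]
            OwnerPid     = $ownerPid
            Process      = $name
        }
    }
}

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4',
    '  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING       2316',
    '  TCP    [::]:8505              [::]:0                 LISTENING       1180',
    '  TCP    10.0.0.5:49200         10.0.0.9:8005          ESTABLISHED     3020',
    '  UDP    0.0.0.0:8005           *:*                                    912'
)

# Only the two LISTENING rows on 8005 and 8505 are returned.
Get-PortOwner -Port 8005, 8505 -NetstatLines $sample |
    Format-Table Port, LocalAddress, OwnerPid, Process -AutoSize
```

With the constructed sample the PIDs are looked up on the local machine, so the Process column is only meaningful when the function is run without -NetstatLines on the affected server.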
We have 2008 x64 and updated Citrix Licensing to 11.6. This knocked out SEPM, and we had to change ports. In C:\Program Files\Symantec Endpoint Protection Manager\tomcat\conf.xml, change the port to 8505. Restart, and try logging in again.
This issue can happen if the SEPM web server in IIS is set to bind to a specific IP address instead of (All Unassigned) which is the default. To correct this go to the Properties dialog of the Default Web Site (or the site configured during the install) in the IIS management console and change the IP address binding back to (All Unassigned). If running on a 64bit machine IIS needs to be in 64bit mode (default, but can be changed by other programs if IIS is running other sites before the installation of the manager).

This happened after I demoted the W2K3 DC with the SEP 11.x Management Console installed (it was not a production DC). I had to reset the IIS IUSR account password as described in Symantec Doc ID 2008101518485148 (see the link below).
Serjio's comment worked for me too. However I was forced to use the (iisback.vbs) from the OEM disc.
In our case, the problem was caused by another java-web-application (Aastra OIP Webserver) also running as a service on the machine and listening (via java) on TCP-Port 8005 which is required by SemSvc.exe too. Disabling the OIPWebserver.exe allowed the SemSvc.exe to start.
In my case, this problem occurred when IIS was installed by using source files from mixed service pack levels. For example, you may experience this problem if some files for the IIS installation are from the original release version of Windows Server 2003 and some files are from Windows Server 2003 Service Pack 2 (SP2). To resolve this problem, follow these steps:
1. Remove IIS by using the Add/Remove Windows Components option in the Add or Remove Programs item in Control Panel.
2. Install IIS by using the Add/Remove Windows Components option in the Add or Remove Programs item.
3. When you are prompted to insert Windows Server 2003 media to install IIS, use the media for the current service pack level of the computer. For example, if the computer is running Windows Server 2003 SP2, use Windows Server 2003 SP2 media only.
