cluce
Level 8
Message 1 of 20

Eventparser and SQL DB issues

Hello all.  I have two networks I'm currently managing with the below McAfee products:

ePO 5.10
McAfee Agent 5.7 for Windows
VSE 8.8 Patch 15
(Non-McAfee) SQL Server 18.8

I have the same user permissions, domain admin and SQL accounts on both of my networks and the same Mixed Authentication mode established in my SQL DB's.

My trouble network, we'll call her Karen, is not currently reporting any Threat Events detected by VSE's On-Access scanner.  There are also 0 files in the _Events DB on SQL and I've confirmed drilling down into the dbo.EPOEvents table is completely blank.  I created an EICAR.txt file on a system on Karen and when I tried to access the file, the On-Access scanner for McAfee correctly caught and removed the file.  An event was generated and stored in the On-Access scanner logs and the event was successfully uploaded to ePO according to the McAfee Status Monitor on the system.  Now on Karen's ePO server, if I navigate to \DB\Events there is a folder called Debug and I see an XML file that shows the EICAR file found on network device, the system name, action taken, all the usual data that gets loaded into Threat Events on ePO.

So so far I've confirmed the VSE version is working on the system, the McAfee agent is correctly trying to load the event to ePO, and ePO receives the threat entry for further processing.  I go to check the eventparser logs and I see where the VirusScan DLL files are successfully loaded after the syslog thread.  Next I see the <UpdateEvents>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xml and after that is this:

#09172    VseBLL             DAL->ExecQuery failed. hr=80004005
#09172    EVNTPRSR        source/server.cpp(1064): COM Error 0x0800004005, source=(null), desc=(null), msg=Unspecified error

After this, it attempts to requeue the xml for retry and repeats this process failing over and over.  Now "Bob", my other network, is working 100% correctly with the same setup.  EICAR.txt is deployed on a system, On-Access scan responds and sends an event to ePO and it's now present in my DB and now my ePO Dashboard correctly shows the information.

Further troubleshooting:
----------------------------------
Since it was the same software/accounts/permissions on both my networks, I went ahead and killed Karen's ePO, SQL DB, and started over from scratch.  All DB's loaded correctly, dbo account configured and after installing ePO the dbo account correctly syncs.  I load the McAfee agent/VSE into my master repository and push it out to a different box for testing.  Deploy the EICAR.txt and again, it correctly handles the file and loads an event to ePO.  It's still just sitting there in \DB\Events\Debug...

Luckily it's Friday, so it's time to relax with a beer and come back to this Monday.  Any and all thoughts or suggestions are greatly appreciated!

---------------------------------------------------------
EDIT: Update!

Installing CU 12 for my SQL 2019 instance and restarting my server apparently did the trick, my events are now successfully being parsed from \DB\Events and I now see logs in both the epo_events database and my threat events on ePO - I'll install the CU in my other network (which...is still working with no issue, but good practice).  Thanks everyone for the troubleshooting assistance, it was a weird one!
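A log triage check for the retry loop described in the post above, as an added example that is not part of the original thread or of any McAfee tooling: it counts repeated DAL->ExecQuery failures per HRESULT so that an ePO server that has stopped writing threat events to SQL gets flagged. The sample log is constructed from the two lines quoted in the post; the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample. The first two lines are copied from the post; the
# repeats are constructed to imitate the requeue-and-retry loop it describes,
# and the last line is a constructed unrelated entry.
SAMPLE_LOG = r"""
#09172    VseBLL             DAL->ExecQuery failed. hr=80004005
#09172    EVNTPRSR        source/server.cpp(1064): COM Error 0x0800004005, source=(null), desc=(null), msg=Unspecified error
#09172    VseBLL             DAL->ExecQuery failed. hr=80004005
#09172    EVNTPRSR        source/server.cpp(1064): COM Error 0x0800004005, source=(null), desc=(null), msg=Unspecified error
#09172    VseBLL             DAL->ExecQuery failed. hr=80004005
#09172    EVNTPRSR        source/server.cpp(1064): COM Error 0x0800004005, source=(null), desc=(null), msg=Unspecified error
#09172    EVNTPRSR        constructed line: unrelated informational entry
"""

# Line shape as quoted in the post: "#<thread id>  <component>  <text>".
LINE = re.compile(r"^#(?P<thread>\d+)\s+(?P<component>\S+)\s+(?P<text>.*)$")
QUERY_FAIL = re.compile(r"DAL->ExecQuery failed\. hr=(?P<hr>[0-9A-Fa-f]{8})\b")
KNOWN_HRESULTS = {"80004005": "E_FAIL (unspecified error)"}

def query_failures(log_text):
    """Count DAL->ExecQuery failures per (component, HRESULT)."""
    counts = Counter()
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # blank or differently shaped line
        hit = QUERY_FAIL.search(line["text"])
        if hit:
            counts[(line["component"], hit["hr"].upper())] += 1
    return counts

def stuck_inserts(log_text, threshold=3):
    """Report HRESULTs that failed often enough to suggest events are not reaching SQL."""
    findings = []
    for (component, hr), n in sorted(query_failures(log_text).items()):
        if n >= threshold:
            label = KNOWN_HRESULTS.get(hr, "unrecognised HRESULT")
            findings.append(f"{component}: {n} failed DB writes, hr={hr} {label}")
    return findings

if __name__ == "__main__":
    for finding in stuck_inserts(SAMPLE_LOG):
        print("ALERT", finding)
```

Run against the real eventparser log on a schedule, a non-empty result is the signal that detections are being made on endpoints but are not landing in the ePO database.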

 

1 Solution

Accepted Solutions
cdinet
McAfee Employee
Message 5 of 20

Re: Eventparser and SQL DB issues

Check https://kc.mcafee.com/corporate/index?page=content&id=KB92701

The issue is resolved in SQL Server 2019 Cumulative Update 6 (CU6).


19 Replies
vivs
Reliable Contributor
Message 2 of 20

Re: Eventparser and SQL DB issues

Hello @cluce 

Please refer to the KB articles below, which match the error you posted.

https://kb.mcafee.com/corporate/index?page=content&id=KB87582

https://kc.mcafee.com/corporate/index?page=content&id=KB53035

Try checking the eventparser.log in detail and see whether you are seeing anything or not.

Also, I would like to request you to try restarting the event parser service and see whether any events are getting parsed or not.

If there is no luck, you may need to open a service request with the McAfee Support team.

Thanks

cdinet
McAfee Employee
Message 3 of 20

Re: Eventparser and SQL DB issues

What version of sql are you running?  If 2019, try lowering the compatibility level a little.  What versions of report extension do you have checked in for VSE? 


cluce
Level 8
Message 4 of 20

Re: Eventparser and SQL DB issues

Good morning!

Correct SQL 19, running at 150 compatibility level at this time.  The issue there is that my good network is working at 150 currently.

VSE Reports extension 1.2.0.463

VSE Version 8.8 Patch 15


cluce
Level 8
Message 6 of 20

Re: Eventparser and SQL DB issues

Hmm, interesting point about the compatibility level.  I accessed my sql error logs and saw the EXCEPTION_ACCESS_VIOLATION entry.  Although my other network is running the same version of SQL, and while at 150 (2019), I can try lowering this one just to see what happens.  I'll report back shortly.

cluce
Level 8
Message 7 of 20

Re: Eventparser and SQL DB issues

Good morning!

I have restarted the eventparser service but I tried again this morning.  Eventparser log comes up and I loaded another eicar.txt to test, the local On-Access scan correctly sees it, cleans it and loads the event.  Eventparser fails to process the .txml with error 0x80004005, source=(null), msg=unspecified error, failed to process file D:\McAfee\ePolicy_Orchestrator\DB\Events\blahblahblah.txml, XML file error count 1

I had been using that 2nd link you provided for troubleshooting steps, I'll look into that first link you provided and follow up from there. Thanks!

aguevara
McAfee Employee
Message 8 of 20

Re: Eventparser and SQL DB issues

We have a few articles with the mentioned errors (great troubleshooting btw 🙂).

Could you please share with me the event parser log on log level 8 in a private message?


cluce
Level 8
Message 9 of 20

Re: Eventparser and SQL DB issues

Good morning!

Thank you, I've tried to track this specific issue down, as mentioned in my other replies it's a fun one as I have the exact same software versions on my other network and everything's working fine.  I'm not sure about log level 8 or how to access, could you point me to a link for reference and I'll see what I can do?  I do not have internet connection but I can jot down some notes to send here.

cdinet
McAfee Employee
Message 10 of 20

Re: Eventparser and SQL DB issues

Did you test lowering the compatibility yet?  Also verify the build of your sql is at cu6 or higher:

https://support.microsoft.com/en-us/topic/kb4518398-sql-server-2019-build-versions-782ed548-1cd8-b5c...
