Good morning!
I lowered the compatibility level to 140 (2017) and restarted the eventparser service a few times throughout the day. The issue remained. I just checked my CU and I'm currently running 2019.150.2000.5, which is "RTM" I guess. I grabbed CU12 last night from Microsoft and we're going to test that today.
Again, the underlying issue here is it works for one of my networks with the exact same setup, which is also 2019.150.2000.5.
Take one of the events from the non-working events\debug folder for vse that didn't parse and drop it into your server that works - does it parse or go to debug folder?
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
You know, that's a great idea! Unfortunately I don't have that capability as data from one cannot touch the other. I could open one of the .txml files to see how big it is and retype it though to see what happens. Let me go take a look.
I modified the IP address and the agent GUID, re-typed the .txml and placed it in the working network's event folder. The eventparser.log updated with a successful parse, and ePO is showing the new eicar event correctly.
That's one of the issues I had in mind:
https://kc.mcafee.com/corporate/index?page=content&id=KB85700
Not access protection but OAS. Do you have a more recent version of the extension checked in from VSE Reports Extension 1.2.0.272?
If the errors are the same on the event parser then I can suggest you open an SR with the VSE team if the extension is newer.
You also might want to try removing the reports extension only, not the main vse extension. Then re-check it in, but make sure both extensions are the latest versions.
I'm currently using VSE Reports Extension 1.2.0.264 on both of my networks. I can grab a new version from my provider to see if I can upgrade. I DO have VSE Reports Extension 1.2.0.477 and tried removing the reports extension only, loading 477 and restarting my eventparser service, but the events still go to the debug folder.
Unfortunately our service is a "from home use" kind of grant, and I don't have the ability to submit a ticket to anyone... it's a great support situation 🙂
I'm currently looking into the log level 8 approach and seeing what I can get PM'd to you. With all the troubleshooting (thanks again to everyone for helping thus far!) I'm starting to think I could possibly have a corrupted epo_events DB or table, maybe I should start looking to troubleshoot my SQL environment.
Out of curiosity, you didn't by any chance rename the events database, did you?
Nope! I let the ePO installation set up that one and ensured the dbo user had correct permissions matching the service account I created for ePO.
edit: typo
Thank you for sharing privately the Event parser on log level 8. Indeed, we don't get much from what we already know:
DAL->ExecQuerey failied. h4=80004005
source/server.cpp(1064): Com error 0x80004005, source=(null), desc=(null), msg=unspecified error
I think the next step is to review what exactly is failing while inserting the event into the tables by the dll, and that is done with an SQL Server Profiler. Support has some templates designed to investigate this sort of issue, but I think we need a support request.
If you have a grant you should be able to open an SR. Would it be OK for you to share that with me privately so I could check internally?