Message 1 of 12

Failed to purge the Event Log. Check the ePO logs for more

With ePO 3.5 / 3.6 the database was fine, but since upgrading to 4 it went from 2 GB to 12 GB. I have shrunk the database but it's not doing anything. I am not sure why this thing keeps growing like crazy, but there are like 43000 items in the event log.

When I try to purge the event log under Reporting I get this: "Failed to purge the Event Log. Check the ePO logs for more information." It doesn't matter if I say 1 day, 1 week, 1 year, I get this every time.

Anyone have any ideas on what the issue is? I can't seem to find anything on this.

I should mention that I am using SP2 on there as well, already tried rebooting the server etc., no luck.
11 Replies
Message 2 of 12

RE: Failed to purge the Event Log. Check the ePO logs for more

Of course I should have posted here before; after hours of nothing, now it's working.

I didn't change anything so I have no clue why it's working now.
Message 3 of 12

RE: Failed to purge the Event Log. Check the ePO logs for more

When my DB reached 20 GB I had that problem.

My solution was to contact McAfee support and ask for a SQL query that would delete the old events.
Try to open a case and mention the error. They will send you the SQL query.

You can try to disable some events from being forwarded to the DB, thus saving space and improving speed.
For example, on my DB the event with the top count is 'scan time exceeded', which happens when the OAS hits a .class, .zip, or .rar file. These events can be useful if you're tuning the VSE exceptions, but after a while you can disable them.

Regards.
Message 4 of 12

RE: Failed to purge the Event Log. Check the ePO logs for more

Well, that was short-lived. It died shortly after, and then after what I did below I realized the numbers it was giving me were off by a TON !!!

I did this after doing some reading around; this is in SQL 2005.

Inside MS SQL Server Management Studio:

Go to Databases, EPO4_servername, right click, pick New Query, type in TRUNCATE TABLE dbo.EPOEvents and then click the Execute button.

It took seconds and it was done.

There were over 3 MILLION records in mine 😞

So it went from 12 GB to 95 MB !!! Now it's just a BIT faster lol

NOTE:

This dumps all your data in the event log, so you will lose data in your dashboard such as the default Malware detection history, but obviously it will rebuild again over time.
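
A less destructive variant of the cleanup described in the post above, as an added example that is not part of the original thread and not McAfee's own query: it first shows which event IDs fill the table, then deletes only events older than a cutoff in small batches so recent detection history stays in the dashboards. The database and table names come from the post; the ThreatEventID and DetectedUTC column names and the 90-day cutoff are assumptions to check against your own schema.

```sql
-- Added example (T-SQL, SQL Server 2005 syntax). Take a database backup first.
-- EPO4_servername and dbo.EPOEvents are the names used in the post.
-- ThreatEventID and DetectedUTC are ASSUMED column names; confirm them with:
--   EXEC sp_help 'dbo.EPOEvents';
USE EPO4_servername;
GO

-- Step 1: see which event IDs account for the volume and how old they are.
-- An ID such as 1096 at the top of this list is the one to filter at the source.
SELECT TOP (20)
       ThreatEventID,
       COUNT(*)         AS EventCount,
       MIN(DetectedUTC) AS OldestEvent,
       MAX(DetectedUTC) AS NewestEvent
FROM dbo.EPOEvents
GROUP BY ThreatEventID
ORDER BY EventCount DESC;
GO

-- Step 2: delete only events older than the retention cutoff, in batches.
-- Each batch is its own short transaction, so locks are held briefly and
-- the loop can be stopped and restarted without losing progress.
DECLARE @cutoff datetime;
DECLARE @batch  int;
DECLARE @rows   int;

SET @cutoff = DATEADD(day, -90, GETUTCDATE());  -- constructed value: keep 90 days
SET @batch  = 10000;
SET @rows   = 1;

WHILE @rows > 0
BEGIN
    DELETE TOP (@batch)
    FROM dbo.EPOEvents
    WHERE DetectedUTC < @cutoff;

    SET @rows = @@ROWCOUNT;  -- 0 when nothing older than the cutoff is left
END;
GO

-- Step 3: confirm what remains.
SELECT COUNT(*)         AS RemainingEvents,
       MIN(DetectedUTC) AS OldestRemaining
FROM dbo.EPOEvents;
GO
```

Unlike TRUNCATE TABLE, every deleted row is logged, so this runs for minutes rather than seconds on a table with millions of rows.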

RE: Failed to purge the Event Log. Check the ePO logs for more

Probably most events are the result of Access protection in VSE. You might want to disable some rules there, or filter events that are generated as a result from it within Configuration > Server Settings.
Message 6 of 12

RE: Failed to purge the Event Log. Check the ePO logs for more

Yeah, no kidding. I already looked through and killed a bunch of them, but I have a ton of 1096 events for firewall, but it's not in there to remove it?

RE: Failed to purge the Event Log. Check the ePO logs for more

Desktop Firewall? That isn't supported in ePO 4, so that's probably why you cannot filter those. Maybe it's possible to add the Host Intrusion Prevention 7.0 extension to be able to filter the same event IDs, but I would strongly suggest upgrading to HIPS 7.0 anyway.
Message 8 of 12

RE: Failed to purge the Event Log. Check the ePO logs for more

I have no idea what firewall it's talking about because there is no firewall on the machines; it's saying that the Windows cluster software is a firewall 😞

Don't get it.

C:\WINDOWS\cluster\resrcmon.exe
File Path:
Event Category: Firewall detected
Event ID: 1096
Threat Severity: Notice
Threat Name: User-defined Rules:Prevent mass mailing worms from sending mail
Threat Type: access protection
Action Taken: would block
Threat Handled: true
Analyzer Detection Method: OAS


Message 9 of 12

RE: Failed to purge the Event Log. Check the ePO logs for more

It's saying that you have a user-specified rule to block mass mailing within your VSE access protection policies, and this is being constantly triggered and then passed on to ePO as events.

Just exempt this event from being gathered by ePO:

Configuration
Server Settings
Event Filtering
Edit (bottom right)
Edit out the ones you don't want
Message 10 of 12

RE: Failed to purge the Event Log. Check the ePO logs for more

That's the part I don't get. When I go in there I have tons of things, obviously, but it goes:

1094: port blocking
1095: access protection
1099: buffer overflow

There is nothing there for 1096, so I can't exclude it 😞

Is there a way to add it in so I can exclude it? Or is there another way around this?