cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
philrandal
Level 10
Report Inappropriate Content
Message 21 of 33

Re: SQL database is growing 1GB per day since we deployed Agent 5.6.0.878 from ePO

Jump to solution

To find hosts causing the problem, in ePO console, go to

Queries & Reports
New Query
Events
Client Events
Next
Single Group Summary table, and select Host Names in the Labels box

Run that report and home in on hosts with tens of thousands of events. In our case, it was hundreds of thousands.

Cheers,

Phil

philrandal
Level 10
Report Inappropriate Content
Message 22 of 33

Re: SQL database is growing 1GB per day since we deployed Agent 5.6.0.878 from ePO

Jump to solution

@jround wrote:

Same issue here - not so much with the database size yet but the DB/Events folder on the EPO server suddenly grows to hundreds of thousands/millions of files to process all of a sudden!


We had half a million files in DB/Events when I started investigating the problem.

It's now back down to normal.

 

Phil

jround
Level 10
Report Inappropriate Content
Message 23 of 33

Re: SQL database is growing 1GB per day since we deployed Agent 5.6.0.878 from ePO

Jump to solution

Just ran that query and one device has over 20 million events!   About 20 other PCs have over a million

The 20 million PC is turned off at the moment and is a laptop so not quite sure how to resolve that one!

philrandal
Level 10
Report Inappropriate Content
Message 24 of 33

Re: SQL database is growing 1GB per day since we deployed Agent 5.6.0.878 from ePO

Jump to solution

@jround wrote:

Just ran that query and one device has over 20 million events!   About 20 other PCs have over a million

The 20 million PC is turned off at the moment and is a laptop so not quite sure how to resolve that one!


I configured ePO event filtering in Server Settings to ignore the event numbers which we were being flooded with, and then, after agent wakeups on affected machines didn't stop them, reinstalled the agent on the worst offenders, which has slowed the flood of events down to a trickle.  Good luck.

philrandal
Level 10
Report Inappropriate Content
Message 25 of 33

Re: SQL database is growing 1GB per day since we deployed Agent 5.6.0.878 from ePO

Jump to solution

Incidentally, I've only seen this behaviour with Agent 5.6.0.878, it didn't happen with Agent 5.6.0.702 which we'd already rolled out in large numbers.

tao
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 26 of 33

Re: SQL database is growing 1GB per day since we deployed Agent 5.6.0.878 from ePO

Jump to solution

@philrandal , @jround, @twenden, @cdinet worth bookmarking - McAfee managed products generated Event IDs listed in ePolicy Orchestrator - https://kc.mcafee.com/corporate/index?page=content&id=KB54677

 

If this information was helpful or has answered your question, please select Accept as Solution. This will assist other memebers
jround
Level 10
Report Inappropriate Content
Message 27 of 33

Re: SQL database is growing 1GB per day since we deployed Agent 5.6.0.878 from ePO

Jump to solution

I am guessing there is an issue with 5.6.0.878 as that is the only real change in our McAfee environment over the last few weeks.

If I stop all services on the EPO server then rename the Events folder to Events.old and create a fresh one then restart services the queue processes fine for several hours before suddenly getting clogged up again and I have to repeat the process.

EPOProductEventsMT currently has 113,261,946 rows(!), I did a 90 day purge which found nothing so I've gone down to a 7 day purge which is reducing the count gradually but does suggest the flooding only started within the last 7 days following the agent upgrade.

Not too bothered about losing the log events to view in ePO the main issue is we use Drive Encryption so if the message queue gets jammed our technicians can't encrypt laptops successfully until cleared (as it sends messages to ePO to process)

philrandal
Level 10
Report Inappropriate Content
Message 28 of 33

Re: SQL database is growing 1GB per day since we deployed Agent 5.6.0.878 from ePO

Jump to solution

That's pretty much what we found here.

Run a query of number of events by hostname, and force install the agent on the worst offenders.

That's worked here.

ePO 5.10 Update 3 made no difference, but I didn't expect it to.

Phil

jround
Level 10
Report Inappropriate Content
Message 29 of 33

Re: SQL database is growing 1GB per day since we deployed Agent 5.6.0.878 from ePO

Jump to solution

We use ePO 5.9.1 so I don't think that is too related

It seems to have settled down now however as a side note I did notice OrionSchedulerTaskLogDetailMT had about 60 million rows too - I believe this is the server task log so a bit odd as we have a task running to purge anything older than 7 days from that, I just ran a manual one for anything older than a day and that got back down to more realistic figures (although be warned this grows the ePO DB log file to a crazy amount whilst processing!)

I have disabled the automatic roll out of any further Agent 5.6.0.878 for now just in case

twenden
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 30 of 33

Re: SQL database is growing 1GB per day since we deployed Agent 5.6.0.878 from ePO

Jump to solution

Looks like McAfee has released a KB article wityh info about this issue. It is KB 91418.

 

Environment
McAfee Agent (MA) 5.6.0.878 (HF1264214)
Problem
MA 5.6.0.878 (HF1264214) can experience a problem where the same client events are uploaded to the ePolicy Orchestrator (ePO) server repeatedly. The flood of events results in the following issues:
  • A backlog of unparsed events in the ePO_InstallDir\Db\Events\ folder on ePO server and remote handlers.
  • Reduced performance of the ePO server or remote Agent Handler.
  • Disk space usage issues on the ePO server itself (due to the backlog of events referenced in problem 1) or the SQL database (due to successful parsing of the flood of events).
The masvc_systemname.log file, located in the Agent data directory (ProgramData\McAfee\Agent\logs by default on Windows), reports the following error removing events from the local Agent database during upload:

 event.Critical: Failed in ma_db_transaction_begin, error = 217
System Change
Installed or upgraded to MA 5.6.0.878 (HF1264214).
Cause
MA is unable to obtain a transcation lock on the MA database and remove events that have already been uploaded. 
Solution
Technical Support is investigating this issue. As a temporary measure, implement the following workaround.
Workaround
Disable event generation of event IDs 2401, 2402, 2422, and 2427 from the ePO server's Event Filtering page:
  1. In the ePO console, navigate to Server Settings, Event Filtering.
  2. Edit the Event Filtering and verify that The agent forwards: Only selected events to the server is selected.
  3. Scroll down through the list of events and deselect event IDs 2401, 2402, 2422 and 2427. Deselecting these event IDs prevents the events from being generated at the client (MA) side.
NOTE: Disabling these event IDs within the Event Filtering page only stops further events from being generated. It cannot prevent existing (already generated) events from being uploaded and parsed by the ePO server or remote Agent Handlers.
 

 

 

 

 

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community