Level 7
Message 1 of 24

ePo Threat event log isn't working

Hey,

I have ePO 5.10.0, and for some reason, on one of the days, I tried to log into the threat event log and the events don't load.

I tried also querying the DB but it seems that I can't even query it since it's stuck in querying state.

How can I start troubleshooting this?

Thanks!

Accepted Solutions
McAfee Employee
Message 24 of 24

Re: ePo Threat event log isn't working

I was on remote with the customer, so the ePO 5.10 was without any CU. We stopped the ePO services, accessed both databases in SSMS, shrank the database transaction logs and databases, and applied CU 8; server tasks started working properly. The issue has been resolved.

23 Replies
McAfee Employee
Message 2 of 24

Re: ePo Threat event log isn't working

Hello @erez 

Thanks for your response.

Once you click on the Threat Event Log, what exactly is happening?

Have you tried filtering with a preset option like last 7 days or 30 days?

Please check the Orion.log and see whether you are seeing any errors in the logs.

Also, can you please let us know what exactly is happening on the database side?

Is the database in recovery mode or pending mode?

Please help us with more details.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
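One way to answer the database-state question asked above, as an added T-SQL example that is not part of the original post: `sys.databases` reports RECOVERING or RECOVERY_PENDING in `state_desc`, and the same batch shows transaction-log size and any blocked requests. The `ePO[_]%` name pattern is an assumption; substitute your actual database names.

```sql
-- Added example, not from the thread. Read-only; run from SSMS.
-- Assumption: the ePO databases match 'ePO[_]%'. Adjust the pattern to
-- your actual database names.

-- 1) Database state, recovery model, and what is holding up log truncation.
SELECT d.name,
       d.state_desc,            -- ONLINE, RECOVERING, RECOVERY_PENDING, SUSPECT, ...
       d.user_access_desc,
       d.recovery_model_desc,
       d.log_reuse_wait_desc,   -- e.g. NOTHING, LOG_BACKUP, ACTIVE_TRANSACTION
       CASE WHEN d.state_desc = 'ONLINE' THEN 'ok'
            ELSE 'needs attention' END AS state_check,
       -- sys.master_files.size is in 8-KB pages; convert to MB.
       SUM(CASE WHEN mf.type_desc = 'ROWS'
                THEN CAST(mf.size AS bigint) ELSE 0 END) * 8 / 1024 AS data_mb,
       SUM(CASE WHEN mf.type_desc = 'LOG'
                THEN CAST(mf.size AS bigint) ELSE 0 END) * 8 / 1024 AS log_mb
FROM sys.databases AS d
JOIN sys.master_files AS mf
  ON mf.database_id = d.database_id
WHERE d.name LIKE 'ePO[_]%'
GROUP BY d.name, d.state_desc, d.user_access_desc,
         d.recovery_model_desc, d.log_reuse_wait_desc;

-- 2) Percentage of each transaction log currently in use (all databases).
DBCC SQLPERF(LOGSPACE);

-- 3) Requests currently waiting on another session, longest wait first.
--    Requires VIEW SERVER STATE permission.
SELECT r.session_id,
       r.blocking_session_id,
       r.status,
       r.command,
       r.wait_type,
       r.wait_time AS wait_ms,
       DB_NAME(r.database_id) AS database_name
FROM sys.dm_exec_requests AS r
WHERE r.blocking_session_id <> 0
ORDER BY r.wait_time DESC;
```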

McAfee Employee
Message 3 of 24

Re: ePo Threat event log isn't working

To troubleshoot issues with event parsing, please look at:

https://kc.mcafee.com/corporate/index?page=content&id=KB53035

 

Level 7
Message 4 of 24

Re: ePo Threat event log isn't working

Hey!

So I tried filtering it down but nothing worked, so I tried the magic "restart" and suddenly I got lots of tasks that started to work, which is weird since all the tasks stopped working for like a month already.

I tried looking again in the Threat event log and still, nothing has displayed, and after a while, I noticed that all the tasks that have started got stuck, so I restarted the computer again, and again suddenly all the tasks that got stuck, got completed this time, and this time even the Threat event log is working again!

But now, every new task does not complete, even a small one such as deploying an agent, but only after I restart the computer the tasks are continuing for the first couple of minutes and then getting stuck again.

I went through this:

https://kc.mcafee.com/corporate/index?page=content&id=KB81604

And I uploaded a snippet of the orion.log with DEBUG settings.

Regarding if the database is in recovery mode or pending mode, I truly have no idea how to check that, can you guide me on how to check this?

Thanks for your help!

McAfee Employee
Message 5 of 24

Re: ePo Threat event log isn't working

Debug logging should only be enabled if requested, as logs roll too quickly and without time frames for a reference, it is like looking for a needle in a haystack.  I have several questions.

What version of epo are you running?  If you run netstat -an when issue exists, do you see a huge amount of sql connections open?  Can you get an output of the following query in sql - it won't contain any sensitive info, so it is safe to post.

select name, version from orionextensions

Please also get this output.

If running epo 5.9, Select * from OrionTaskQueueMT where taskdescription like '%dbclean%' or taskdescription like '%task.queue%'

If running epo 5.10, Select * from OrionTaskQueueMT where taskdescription like '%DB Clean-up%' or taskdescription like '%task queue%'

 

Level 7
Message 6 of 24

Re: ePo Threat event log isn't working

Hey!

I'm running ePolicy Orchestrator 5.10.0 (Build 2428),

Regarding the SQL connection amount, not sure how much is a huge amount of SQL connections but from what I counted there is something like 40 connections give or take.

Regarding the SQL Output, I uploaded it in the attachment.

As far as I can tell, I stopped getting again events in the Threat event log, and can't perform any tasks, I noticed also that I have 25 tasks that are "in progress" but are stuck in that stage.

Waiting for your reply,

Thanks!

 

 

McAfee Employee
Message 7 of 24

Re: ePo Threat event log isn't working

Have you installed any updates in epo 5.10?  The default install was missing an internal db cleanup task, which if you ran the query for 5.10, it shows you are missing that.  It should have returned 3 rows.  So now, before installing any updates, we need to see what state things are in.

select count (*) from epocomputerpropsstaging

select count (*) from epoagenthandlerdatachannelwqmt

The netstat count is fine - when it is a problem is when there are 10k+ connections, which is a connection leak.  You don't have that.  

Depending on the counts of those tables, we can proceed with installing update 9.  If you have any previous updates installed, then we would need to follow KB84114 to restore the task.

If the counts are high, as in over 10k, for example, we may want to truncate those tables first before doing anything else.  Otherwise the dbcleanup may not be able to keep up cleaning those out since it runs every minute.

If the counts are low, then if no updates are installed, run cu9 install (make sure you have complete backups of epo and db first).  Otherwise, kb84114.
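The checks requested in this reply and in message 5, collected into one read-only T-SQL batch (an added example, not McAfee's script and not part of the original post). It uses only the table and column names quoted in the thread, the 10k figure and the expected 3 rows given above; run it in the ePO database context.

```sql
-- Added example, not from the thread. Read-only.
-- Run in the ePO database (USE <your ePO database>;).
SET NOCOUNT ON;

DECLARE @row_threshold  bigint = 10000;  -- "over 10k" staging rows counts as high
DECLARE @expected_tasks int    = 3;      -- rows the ePO 5.10 task query should return

DECLARE @props bigint, @wq bigint, @tasks int;

SELECT @props = COUNT_BIG(*) FROM epocomputerpropsstaging;
SELECT @wq    = COUNT_BIG(*) FROM epoagenthandlerdatachannelwqmt;

-- ePO 5.10 wording of the internal task descriptions. For ePO 5.9 the thread
-- gives '%dbclean%' and '%task.queue%' instead.
SELECT @tasks = COUNT(*)
FROM OrionTaskQueueMT
WHERE taskdescription LIKE '%DB Clean-up%'
   OR taskdescription LIKE '%task queue%';

-- One row per check: observed value, the reference figure, and the outcome.
SELECT 'epocomputerpropsstaging rows' AS check_name,
       @props          AS observed,
       @row_threshold  AS reference,
       CASE WHEN @props > @row_threshold THEN 'high' ELSE 'low' END AS result
UNION ALL
SELECT 'epoagenthandlerdatachannelwqmt rows',
       @wq,
       @row_threshold,
       CASE WHEN @wq > @row_threshold THEN 'high' ELSE 'low' END
UNION ALL
SELECT 'internal clean-up / task queue rows',
       @tasks,
       @expected_tasks,
       CASE WHEN @tasks < @expected_tasks THEN 'task missing' ELSE 'present' END;
```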

 

Level 7
Message 8 of 24

Re: ePo Threat event log isn't working

Hey!

To be honest, I didn't set up the server from the beginning as I just got into the role,

So I don't know if the guy that set up the server installed any updates,

can you guide me through how to check if there were any updates installed?

and also the one for complete backups of epo and db?

Regarding the SQL queries, I attached the pictures.

So basically there is an update that was missing?

Thanks for your help!

 

McAfee Employee
Message 9 of 24

Re: ePo Threat event log isn't working

Go to server settings, server information.  It will show you there if any updates have been applied or not.

As for what to back up, there is a disaster recovery snapshot task that should be running daily (only if not using sql express, as that will consume too much space for it).  If that is successfully running, follow KB66616 for what folders in epo to back up and you should also have daily database backups.  If you are unsure of the disaster recovery snapshot password, then go to server settings, disaster recovery, and reset it there, run the DR snapshot recovery task, then back up everything after that completes.

Level 7
Message 10 of 24

Re: ePo Threat event log isn't working

Hey,

So I went to the server settings and it shows me a blank page (see attachment),

Is this how it's supposed to be? Or does this mean that there are no updates applied?

Regarding the disaster recovery snapshot task, it's a bit of an issue since all the tasks that I'm trying to perform don't work.. is there any way around this? or is it just getting weirder and weirder?

Thanks!!
