georgi_ar
Level 9

DLP events not parsed ePO 5.1.3 (188)

Hi All,

We noticed that not all of the received events are parsed by the ePO and Agent Handler(AH) Server.

In the Events folder on the AH server we can see around 50,200 files (they are not only from the current day). Also there are around 800,000 files in the Debug folder in the AH server.

Most of the communication goes via this AH (located in DMZ).

For the ePO server the numbers are smaller - Events folder around 50 files (which seems OK). In the ePO server Debug folder there are around 90,000 files (presumably because less of the communication goes via the ePO and the server is able to parse more events without issues).

I can see similar errors in the Eventparser logs from the AH and ePO server (below are the errors that are seen in the logs).

AH Eventparser log:

20170726090416 E #01656 HOSTDLPEVENT Failed process event. Time elapsed: (in ms): 30875

20170726090416 E #01656 EVNTPRSR source\server.cpp(1218): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error

20170726090416 I #01656 EVNTPRSR Succeeded <UpdateEvents>, D:\Program Files (x86)\McAfee\Agent Handler\DB\Events\102a5f25-9ad0-47b4-baf3-957cbec57a94-mc_201707260901011994294962038000006CC.txml, IEPOEventHandler.

20170726090416 I #01308 EVNTPRSR Succeeded <BehaviourBlockEvent>, D:\Program Files (x86)\McAfee\Agent Handler\DB\Events\0f8b6dc1-db6f-410a-9cd2-a3afe06f083e-mc_2017072602254777424170000085C.xml, IEPOEventHandler.

20170726090416 E #01468 HOSTDLPEVENT Error processing event. Error: Unknown exception. Error Code: -2147467259

20170726090416 E #01468 HOSTDLPEVENT Failed process event. Time elapsed: (in ms): 30594

20170726090416 E #01468 EVNTPRSR source\server.cpp(1218): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error

20170726090416 E #01120 HOSTDLPEVENT Error processing event. Error: Unknown exception. Error Code: -2147467259

20170726090416 E #01120 HOSTDLPEVENT Failed process event. Time elapsed: (in ms): 30625

ePO Server Event parser log:

20170726091926 E #11144 HOSTDLPEVENT Error processing event. Error: Unknown exception. Error Code: -2147467259

20170726091926 E #11144 HOSTDLPEVENT Failed process event. Time elapsed: (in ms): 30610

20170726091926 E #11144 EVNTPRSR source\server.cpp(1218): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error

20170726091926 E #15456 HOSTDLPEVENT Error processing event. Error: Unknown exception. Error Code: -2147467259

20170726091926 E #15456 HOSTDLPEVENT Failed process event. Time elapsed: (in ms): 30640

20170726091926 E #15456 EVNTPRSR source\server.cpp(1218): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error

20170726091926 E #15456 EVNTPRSR source\server.cpp(1285): Failed to process file D:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Events\b929409b-43c6-4e3b-ab58-836c419460ac-mc_20170725121709883003000001694.xml.

Unfortunately I was not able to find any information for this error code.

It seems that all events that are not being parsed are from the Host DLP product. (Note that there are events from DLP that are parsed OK.)

Here is some additional information about the DLP configuration.

We noticed that the following Threat Events from DLP have high numbers in our DB: (our retention period for keeping DLP events is 6 months)

ThreatName                              Event Count
Monitor All Bluetooth Devices           2661848
Monitor All Windows Portable Devices    813745

Also we noticed that the purge server task for the DLP events is taking a huge amount of time (e.g. in 83 hours it managed to complete only 20%).

Extension version: 10.0.200.19

DLP client agent versions:

Version          Number of systems
10.0.250.32      4,258
10.0.250.92      2,849
9.4.230.102      2,027
9.4.200.652      518
10.0.200.392     308
9.4.103.42       10
9.4.100.942      4

0 Kudos
2 Replies
chrisnlc
Level 10

Re: DLP events not parsed ePO 5.1.3 (188)

Did you get a resolution to this? I have the same issue with specific 9.4 Patch 1 Mac clients. In ePO I see:

20170817100659    E    #07772    HOSTDLPEVENT    Error processing event. Error: Unknown exception. Error Code: -2147467259

20170817100659    E    #07772    HOSTDLPEVENT    Failed process event. Time elapsed: (in ms): 218

20170817100659    E    #07772    EVNTPRSR    source\server.cpp(1106): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error

After some Googling I found something about timeouts but ~200 ms can't be a timeout.

If you run this batch file in the events folder does the output (macos.txt) show a single version?

@echo off
rem Collect every line that mentions a version from the event files in this folder
echo Processing events
rem Start from a clean output file (del on a missing file would print an error)
if exist macos.txt del macos.txt
rem /i makes the match case-insensitive, so "Version" and "version" are both caught
for %%f in (*.txml) do @findstr /i "ersion" %%f >> macos.txt
for %%f in (*.xml) do @findstr /i "ersion" %%f >> macos.txt

0 Kudos
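The batch file above dumps raw matching lines; the added example below (mine, not from this thread or from McAfee) goes one step further and tallies which version values occur per event type, so you can tell at a glance whether the unparsed events come from a single client version. The event files it builds are constructed samples with an illustrative layout, not the real ePO event schema; the field names ProductVersion and AgentVersion are assumptions.

```python
import os
import re
import tempfile
from collections import Counter

XML_DECL_RE = re.compile(r'<\?xml.*?\?>', re.S)        # declaration carries version="1.0" (noise)
ROOT_RE = re.compile(r'<([A-Za-z_][\w.-]*)[\s/>]')      # first element = event type
VERSION_RE = re.compile(                                # like findstr /i "ersion": attr or element form
    r'(?i)(\w*ersion\w*)\s*(?:=\s*"([^"]*)"|>\s*([^<]*)<)')

def scan_event_file(text):
    """Return (event_type, {field: version}) for the text of one event file."""
    text = XML_DECL_RE.sub('', text, count=1)           # drop <?xml version="1.0"?> so it is not counted
    m = ROOT_RE.search(text)
    root = m.group(1) if m else 'unknown'
    fields = {}
    for name, attr_val, elem_val in VERSION_RE.findall(text):
        val = (attr_val or elem_val).strip()
        if val:                                          # skips the empty match produced by </Version>
            fields[name] = val
    return root, fields

def tally_versions(folder, exts=('.xml', '.txml')):
    """Counter keyed by (event_type, field, version) over every event file in folder."""
    counts = Counter()
    for fn in sorted(os.listdir(folder)):
        if not fn.lower().endswith(exts):
            continue
        with open(os.path.join(folder, fn), encoding='utf-8', errors='replace') as f:
            root, fields = scan_event_file(f.read())
        for name, val in fields.items():
            counts[(root, name, val)] += 1
    return counts

def distinct_versions(counts, field='ProductVersion'):
    """Sorted distinct values seen for one version field, across all event types."""
    return sorted({ver for (_root, name, ver) in counts if name == field})

def build_sample_folder():
    """Write constructed sample event files (illustrative layout, assumed field names)."""
    folder = tempfile.mkdtemp(prefix='epo_events_')
    samples = {
        'a.xml': '<?xml version="1.0"?>\n<BehaviourBlockEvent>\n  <ProductVersion>10.0.250.32'
                 '</ProductVersion>\n  <AgentVersion>5.0.5.658</AgentVersion>\n</BehaviourBlockEvent>\n',
        'b.txml': '<UpdateEvents>\n  <ProductVersion>10.0.250.92</ProductVersion>\n</UpdateEvents>\n',
        'c.xml': '<BehaviourBlockEvent ProductVersion="9.4.230.102"/>\n',
        'd.txt': 'ProductVersion="ignored"\n',            # wrong extension, must be skipped
    }
    for fn, body in samples.items():
        with open(os.path.join(folder, fn), 'w', encoding='utf-8') as f:
            f.write(body)
    return folder

if __name__ == '__main__':
    for key, n in sorted(tally_versions(build_sample_folder()).items()):
        print(n, *key)
```

Point it at the Events or Debug folder of the AH instead of the sample folder; if the tally shows one version behind the failing event type, that is the client population to look at first.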
georgi_ar
Level 9

Re: DLP events not parsed ePO 5.1.3 (188)

No resolution so far.

As a workaround we've stopped monitoring removable devices, which were generating a huge amount of events and were stressing the ePO/DB server.

We don't have DLP on Mac systems.

I've run the script on the DEBUG folder, as after we stopped monitoring removable devices via DLP, ePO managed to process the events in the EVENTS folder.

Results from the script are that I can see different versions for the DLP events.

I think my issue is related to bad performance of the ePO/DB server, which is not able to process the large number of events in a timely manner.

However, we've built our environment as per the best practices and even increased the resources for the AH, ePO and DB server without any positive effect.

For now we are with no monitoring. When we decide again to start monitoring and if the issue re-occurs (which I am sure will happen) we will most probably ask McAfee for assistance to narrow down whether it is a performance or a product issue. Till then I hope we will be able to upgrade the ePO to 5.9, which could increase the performance in some way.