I am currently working on a monitoring project for one of our Enterprise Clients. I have set up a virtual environment using –
1. One EPO 3.6.1 Server running on Windows 2003 R2 SP2 (MEM01)
2. One Domain controller running Windows 2003 R2 SP2 (DC01)
3. One Windows XP workstation running SP3 (WRK01)
Each of the servers and the workstation has the EPO Agent Version 220.127.116.114 installed and the VScan client 18.104.22.1681 running DAT 6048, Scan engine 5400.1158 and HotFix Version 8. They are all reporting in EPO and I am able to schedule tasks to run DAT updates, etc., on all the clients. I can see from the Agent logs that everything appears to be communicating OK. I have attached the logs from the agent on the workstation and domain controller.
However, when I simulate a virus event by using EICAR or TryGuard, the AV client detects the files as viruses and reports it on screen to the user. I also have a notification rule to send events via email to one of my administrator accounts. Each time I use EICAR I see the email sent to the account with a record of the detection. But I don't see any of the events being recorded in the EPO database. When I run a query using native SQL tools or the EPO reports/queries I can't see any of the virus events. My detection reports show zero detections.
For the database I have tried using the SQL installation that comes with EPO 3.6.1 and accepted all the defaults. I have also installed EPO on a SQL 2000 database but I get exactly the same problem.
Does anyone have any ideas?
I have not tried that yet. I have tried scrapping the environment and starting again as a VM. I'll try moving the database to a new server and see what happens.
Is it easy to move the server, or will it mean reinstalling the EPO server?
First of all - as I'm sure you're aware - ePO 361 is no longer supported.
In this instance it sounds like the events are not being written to the db by the event parser. If you look in the eventparser.log on the ePO server, are there any errors?
Also - download the latest version of the VirusScan reporting NAP file and check it in. (The latest version I know of is from the VSE 8.7 Patch 3 package.) The report nap is responsible for updating the VSE event handler, which is what allows ePO to understand VSE events.
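The reply above suggests reading eventparser.log for errors before touching the reporting NAP. The following is an added triage helper, not code from the original thread or from McAfee: it tallies error lines in a log so that repeated failures (such as the parser not finding a product's event handler) stand out. The log lines below are constructed, and the line layout the regex assumes (date, time, single-letter level, thread id, component, message) is an assumption; adjust `LINE_RE` to match the real file.

```python
import re
from collections import Counter

# Constructed sample of an event-parser log. The format is an ASSUMPTION for
# illustration; real eventparser.log output may differ in layout.
SAMPLE_LOG = """\
20090312 09:01:05 I #1234 EVNTPRSR Starting event parser
20090312 09:01:06 I #1234 EVNTPRSR Connected to database
20090312 09:02:10 I #1234 EVNTPRSR Processing event file 00000001.xml
20090312 09:02:10 E #1234 EVNTPRSR Failed to find event handler for product VIRUSCAN8600
20090312 09:02:10 E #1234 EVNTPRSR Event file 00000001.xml moved to Debug directory
20090312 09:03:15 I #1234 EVNTPRSR Processing event file 00000002.xml
20090312 09:03:15 E #1234 EVNTPRSR Failed to find event handler for product VIRUSCAN8600
20090312 09:03:15 E #1234 EVNTPRSR Event file 00000002.xml moved to Debug directory
"""

# Assumed line layout: date, time, level (I/W/E), thread id, component, message.
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<level>[IWE]) "
    r"#\d+ \S+ (?P<msg>.*)$"
)
# Fallback for lines that do not match the layout but still look like failures.
ERROR_WORDS = re.compile(r"\b(error|fail|failed|cannot|unable)\b", re.IGNORECASE)
# Event file names vary per event; collapse them so identical failures group together.
FILE_RE = re.compile(r"\b\d{8}\.xml\b")


def parse_log(text):
    """Yield (level, message) for each non-empty line of the log text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group("level"), m.group("msg")
        else:
            # Unrecognised layout: classify by keywords only.
            yield ("E" if ERROR_WORDS.search(line) else "I"), line


def find_errors(text):
    """Return (error_messages, counts).

    error_messages keeps every error line in order; counts is a Counter of
    messages with per-event file names normalised to <file>.
    """
    errors = []
    counts = Counter()
    for level, msg in parse_log(text):
        if level != "E" and not ERROR_WORDS.search(msg):
            continue
        errors.append(msg)
        counts[FILE_RE.sub("<file>", msg)] += 1
    return errors, counts


def missing_event_handler(counts):
    """Heuristic (an assumption, not a documented rule): repeated 'event handler'
    failures point at the product's reporting NAP rather than at the database."""
    return any("event handler" in msg.lower() for msg in counts)


if __name__ == "__main__":
    errs, tally = find_errors(SAMPLE_LOG)
    print(f"{len(errs)} error lines")
    for msg, n in tally.most_common():
        print(f"{n:4d}  {msg}")
    if missing_event_handler(tally):
        print("Event-handler failures present: check the product's reporting NAP.")
```

Run it against a real file with `find_errors(open(path).read())`; the grouped tally is what you would paste into a support thread rather than the whole log.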
I have managed to work out what is going on. Thanks for the tip about the eventparser.log file, I found the log and found some errors in it. When I did a search on Google I managed to come across this page -
It turns out the NAP installation was corrupt. So I have reinstalled it into EPO and restarted the services, and job's a good one.