cancel
Showing results for 
Search instead for 
Did you mean: 

EPO 5.9.0 Testing, Threat Events and Web Control going to Debug Folder

Jump to solution

Hello all, I am doing some testing of EPO 5.9.0, ENS 10.5.2 and 10.5.3. Threat Protection, Web control, and Adaptive Threat Protection

(TEST VM and Windows 7 client).

So my question is.. if you are running EPO 5.9.0 and ENS 10.5.X ... are you seeing events in EPO ?

Just looking for feedback, I will open a support case if needed.

Thanks

1 Solution

Accepted Solutions
Highlighted

Re: EPO 5.9.0 Testing, Threat Events and Web Control going to Debug Folder

Jump to solution

Hello I worked with McAfee support and it was determined that the EPExtendedEventMT table was corrupted (unknown reason).

Since the problem was just on my Test VM and not in production, I used the suggested method below to restore processing.

• Take a VM snapshot of my EPO Server

• Back up your policies/assignments for ENS

• delete the extension

• restart ePO services

• go in and confirm the EPExtendedEventMT table no longer exists

• reinstall ENS related extensions

• Import Policies and assignments

• confirm the table gets rebuilt

• then put those debug events into the regular event folder and see if they parse successfully

Should this happen in production, support would have to obtain a copy of the SQL database

or review it remotely to see what parts of the tables contain corupted content and correct it.

Hope no one has to go through this

3 Replies

Re: EPO 5.9.0 Testing, Threat Events and Web Control going to Debug Folder

Jump to solution

Hi,

I have also had exactly the same issue.I come across this KB and it fixed it for me.

McAfee Corporate KB - Cannot execute as the database principal because the principal "dbo" does not ...

Check the event parser log here - C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Logs I had the error  "-epoevents_dbinfo.cpp(163): COM Error 0x80040E14, source=Microsoft OLE DB Provider for SQL Server, desc=Cannot execute as the database principal because the principal "dbo" does not exist, this type of principal cannot be impersonated, or you do not have permission., msg=IDispatch error #3092" multiple times. All my events were going straight to the debug folder.

Hope this helps.

Re: EPO 5.9.0 Testing, Threat Events and Web Control going to Debug Folder

Jump to solution

Thanks very much, that's a good KB to know about. I think I have a different problem. I have a support case open 4-18124284531.

comment from support:

> seems there is an issue with table 'ePO_WIN-HFHOUHRK54N.dbo.EPExtendedEventMT'

on events below found in eventparser log:

20171116163536 E #03520 EPOEVENTS epoevents.cpp(46): COM Error 0x80040E2F, source=Microsoft OLE DB Provider for SQL Server, desc=Cannot insert the value NULL into column 'EventAutoID', table 'ePO_WIN-HFHOUHRK54N.dbo.EPExtendedEventMT'; column does not allow nulls. INSERT fails., msg=IDispatch error #3119

20171116163536 E #03500 EPOEVENTS epoevents.cpp(66): COM Error 0x80040E2F, source=Microsoft OLE DB Provider for SQL Server, desc=Cannot insert the value NULL into column 'EventAutoID', table 'ePO_WIN-HFHOUHRK54N.dbo.EPExtendedEventMT'; column does not allow nulls. INSERT fails., msg=IDispatch error #3119

20171116163536 E #03500 EVNTPRSR source\server.cpp(1099): COM Error 0x80040E2F, source=(null), desc=(null), msg=IDispatch error #3119

20171116163536 E #03520 EPOEVENTS epoevents.cpp(66): COM Error 0x80040E2F, source=Microsoft OLE DB Provider for SQL Server, desc=Cannot insert the value NULL into column 'EventAutoID', table 'ePO_WIN-HFHOUHRK54N.dbo.EPExtendedEventMT'; column does not allow nulls. INSERT fails., msg=IDispatch error #3119

20171116163536 E #03500 EVNTPRSR source\server.cpp(1163): Failed to process file C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\4e99caf9-7953-4296-8157-2ca2bb89d213-mc_20171116163504127768600000E6C.txml, XML file error count 46

20171116163536 E #03520 EVNTPRSR source\server.cpp(1099): COM Error 0x80040E2F, source=(null), desc=(null), msg=IDispatch error #3119

Waiting for support to get back to me.. will advise... Thanks again for your feedback.

Highlighted

Re: EPO 5.9.0 Testing, Threat Events and Web Control going to Debug Folder

Jump to solution

Hello I worked with McAfee support and it was determined that the EPExtendedEventMT table was corrupted (unknown reason).

Since the problem was just on my Test VM and not in production, I used the suggested method below to restore processing.

• Take a VM snapshot of my EPO Server

• Back up your policies/assignments for ENS

• delete the extension

• restart ePO services

• go in and confirm the EPExtendedEventMT table no longer exists

• reinstall ENS related extensions

• Import Policies and assignments

• confirm the table gets rebuilt

• then put those debug events into the regular event folder and see if they parse successfully

Should this happen in production, support would have to obtain a copy of the SQL database

or review it remotely to see what parts of the tables contain corupted content and correct it.

Hope no one has to go through this

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator