5 Replies Latest reply on Sep 28, 2010 4:00 AM by tonyb99

    Event Processing failing

      Hi,

      I have just setup a new ePO 4.5 two node cluster and have the following issue:
      When the second node is active, my event processing doesn't work...

      Here is an example of what i see in my eventparser.log:

      20091026135644 I #6572 EVNTPRSR PerfMon reporting thread started
      20091026135644 I #6324 EVNTPRSR Initializing Server...
      20091026135644 I #6324 EVNTPRSR EventParser Started.
      20091026140419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <HostIPS7>, hr=0x80040154
      20091026140419 I #7820 EVNTPRSR Process E:\PROGRA~1\McAfee\EPOLIC~1\db\Events\z0006f9a1ffd-0532-4e2f-a9d7-4d5948ce1955- 20091026140053914898200000590.txml succeeded (IEPOEventHandler)
      20091026140744 I #7968 EVNTPRSR Process E:\PROGRA~1\McAfee\EPOLIC~1\db\Events\z0001fb40e59-4c1d-4d75-9968-a059639cde87- 200910261404273823684000012D8.txml succeeded (IEPOEventHandler)
      20091026140914 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <HostIPS7>, hr=0x80040154
      20091026140914 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <HostIPS7>, hr=0x80040154
      20091026140924 E #7968 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <VirusDetectionEvent>, hr=0x80040154
      20091026140924 E #7968 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <VirusDetectionEvent>, hr=0x80040154
      20091026140924 E #7968 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <VirusDetectionEvent>, hr=0x80040154
      20091026140924 E #7968 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <VirusDetectionEvent>, hr=0x80040154
      20091026141419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <Fw7BlockedApplicationEvent>, hr=0x80040154
      20091026141419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <Fw7BlockedApplicationEvent>, hr=0x80040154
      20091026141419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <Fw7BlockedApplicationEvent>, hr=0x80040154
      20091026141419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <Fw7BlockedApplicationEvent>, hr=0x80040154
      20091026141419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <Fw7BlockedApplicationEvent>, hr=0x80040154
      20091026141419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <Fw7BlockedApplicationEvent>, hr=0x80040154
      20091026141419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <Fw7BlockedApplicationEvent>, hr=0x80040154
      20091026141419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <Fw7BlockedApplicationEvent>, hr=0x80040154
      20091026141419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <Fw7BlockedApplicationEvent>, hr=0x80040154
      20091026141419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <Fw7BlockedApplicationEvent>, hr=0x80040154
      20091026141419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <Fw7BlockedApplicationEvent>, hr=0x80040154
      20091026141419 E #7820 EVNTPRSR server_ProcessXMLFile: Failed to create parser extension for <Fw7BlockedApplicationEvent>, hr=0x80040154

      As soon as I fail back to my first node, the log errors go away and the event processing returns to normal.

      Any ideas?
        • 1. Re: Event Processing failing

          I have the same problem:

           

           

          "20091105105016    E    #5136    EVNTPRSR    server_ProcessXMLFile: Failed to create parser extension for <BehaviourBlockEvent>, hr=0x80040154
          20091105105016    E    #5136    EVNTPRSR    server_ProcessXMLFile: Failed to create parser extension for <BehaviourBlockEvent>, hr=0x80040154
          20091105105016    E    #5136    EVNTPRSR    server_ProcessXMLFile: Failed to create parser extension for <BehaviourBlockEvent>, hr=0x80040154
          20091105105016    E    #5136    EVNTPRSR    server_ProcessXMLFile: Failed to create parser extension for <BehaviourBlockEvent>, hr=0x80040154
          20091105105016    E    #5136    EVNTPRSR    server_ProcessXMLFile: Failed to create parser extension for <BehaviourBlockEvent>, hr=0x80040154"

           

          I restarted McAfee Event Parser service it doesn't help, I checked and this service is running under Local system account.

          • 2. Re: Event Processing failing

            I think i fixed my problem.

            I installed extension VSE870LMLRP2.Zip again and found that it added VirusScan Enterprise Reports 1.1.0.146.

            After server restart now I see events in Thread event log.

            • 3. Re: Event Processing failing

              We had a similar issue with our clustered ePO 4.5 environment and it ended up being specific dll's that were not registered on the secondary node.

               

              Andrew

              • 4. Re: Event Processing failing
                RMCCULLO

                Yes, when you check in the VSE reporting extension it attempts to remove and write a VSCoreBll.dll to the install path, and most of the times (on busy servers) this file is already in use by eventparser. So it creates a second copy called AlternateVSCoreBll.dll. When both are loaded you will have issues processing events.

                 

                To prevent this in the furture you can do one a two things...

                • Stop the Apache and EventParser Services, leaving the Tomcat (application) services started. Then check in the reporting extension.

                OR

                • Remove the Reporting Extension in Question First. Then check in the updated copy.
                • 5. Re: Event Processing failing
                  tonyb99

                  what about if you are getting the same error in the event log on an agent handler rather than an epo server itself?

                   

                  Failed to create parser extension for <TaskStatusEvent>, hr=0x80040154