1 Reply Latest reply on Aug 17, 2017 4:15 AM by chrisnlc

    DLP events not parsed ePO 5.1.3 (188)

    georgi_ar

      Hi All,


      We noticed that not all of the received events are parsed by the ePO and Agent Handler (AH) servers.

      In the Events folder on the AH server we can see around 50,200 files (they are not only from the current day). Also there are around 800,000 files in the Debug folder in the AH server.

      Most of the communication goes via this AH (located in DMZ).

      For the ePO server the numbers are smaller: the Events folder holds around 50 files (which seems OK). In the ePO server Debug folder there are around 90,000 files (presumably because less of the communication goes via the ePO, and the server is able to parse more events without issues).

      I can see similar errors in the Eventparser logs from the AH and ePO servers (below are the errors seen in the logs).


      AH Eventparser log:

      20170726090416 E #01656 HOSTDLPEVENT Failed process event. Time elapsed: (in ms): 30875

      20170726090416 E #01656 EVNTPRSR source\server.cpp(1218): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error

      20170726090416 I #01656 EVNTPRSR Succeeded <UpdateEvents>, D:\Program Files (x86)\McAfee\Agent Handler\DB\Events\102a5f25-9ad0-47b4-baf3-957cbec57a94-mc_201707260901011994294 962038000006CC.txml, IEPOEventHandler.

      20170726090416 I #01308 EVNTPRSR Succeeded <BehaviourBlockEvent>, D:\Program Files (x86)\McAfee\Agent Handler\DB\Events\0f8b6dc1-db6f-410a-9cd2-a3afe06f083e-mc_201707260225477742417 0000085C.xml, IEPOEventHandler.

      20170726090416 E #01468 HOSTDLPEVENT Error processing event. Error: Unknown exception. Error Code: -2147467259

      20170726090416 E #01468 HOSTDLPEVENT Failed process event. Time elapsed: (in ms): 30594

      20170726090416 E #01468 EVNTPRSR source\server.cpp(1218): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error

      20170726090416 E #01120 HOSTDLPEVENT Error processing event. Error: Unknown exception. Error Code: -2147467259

      20170726090416 E #01120 HOSTDLPEVENT Failed process event. Time elapsed: (in ms): 30625


      ePO Server Event parser log:

      20170726091926 E #11144 HOSTDLPEVENT Error processing event. Error: Unknown exception. Error Code: -2147467259

      20170726091926 E #11144 HOSTDLPEVENT Failed process event. Time elapsed: (in ms): 30610

      20170726091926 E #11144 EVNTPRSR source\server.cpp(1218): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error

      20170726091926 E #15456 HOSTDLPEVENT Error processing event. Error: Unknown exception. Error Code: -2147467259

      20170726091926 E #15456 HOSTDLPEVENT Failed process event. Time elapsed: (in ms): 30640

      20170726091926 E #15456 EVNTPRSR source\server.cpp(1218): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error

      20170726091926 E #15456 EVNTPRSR source\server.cpp(1285): Failed to process file D:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Events\b929409b-43c6-4e3b-ab58-836c419460ac-mc_2017072512170988 3003000001694.xml.


      Unfortunately I was not able to find any information for this error code.

      It seems that all events that are not being parsed are from the Host DLP product. (Note that there are events from DLP that are parsed OK.)

      Here is some additional information about the DLP configuration.

      We noticed that the following Threat Events from DLP have high counts in our DB (our retention period for keeping DLP events is 6 months):

      ThreatName                              Event Count
      Monitor All Bluetooth Devices               2661848
      Monitor All Windows Portable Devices         813745

      Also we noticed that the purge server task for the DLP events is taking a huge amount of time (e.g. in 83 hours it managed to complete only 20%).


      Extension version: 10.0.200.19

      DLP client agent versions:

      Version          Number of systems
      10.0.250.32                  4,258
      10.0.250.92                  2,849
      9.4.230.102                  2,027
      9.4.200.652                    518
      10.0.200.392                   308
      9.4.103.42                      10
      9.4.100.942                      4
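The three-line failure pattern quoted above (an `Error processing event` with a signed error code, a `Failed process event` with the elapsed time, then the `COM Error 0x80004005` line, sometimes followed by `Failed to process file <path>`) can be triaged mechanically. The following script is an added example for this thread, not McAfee's code and not from either poster: it parses lines in that layout (14-digit timestamp, level letter, `#thread`, component tag, message), groups them by thread id, counts the HOSTDLPEVENT failures, collects the elapsed times so a timeout theory can be checked against real numbers, and lists every file the parser reported as failed. The sample log lines and the `D:\Events\...` paths are constructed placeholders in the thread's format; the `ProductVersion` of the schema is not assumed anywhere here.

```python
"""Triage helper for ePO / Agent Handler eventparser logs (added example)."""
import re
from collections import defaultdict
from statistics import mean

# One eventparser line: timestamp, level, #thread, component, message.
# Separators are spaces in the AH/ePO excerpts and tabs in the Mac excerpt.
LINE_RE = re.compile(
    r"^(?P<ts>\d{14})\s+(?P<level>[A-Z])\s+#(?P<thread>\d+)\s+"
    r"(?P<component>\S+)\s+(?P<msg>.*)$"
)
ELAPSED_RE = re.compile(r"Time elapsed: \(in ms\): (?P<ms>\d+)")
ERRCODE_RE = re.compile(r"Error Code: (?P<code>-?\d+)")
FAILED_FILE_RE = re.compile(r"Failed to process file (?P<path>.+?)\.?$")

# Constructed sample lines modelled on the thread; file paths are placeholders.
SAMPLE_LOG = (
    "20170726090416 E #01468 HOSTDLPEVENT Error processing event. Error: Unknown exception. Error Code: -2147467259\n"
    "20170726090416 E #01468 HOSTDLPEVENT Failed process event. Time elapsed: (in ms): 30594\n"
    "20170726090416 E #01468 EVNTPRSR source\\server.cpp(1218): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error\n"
    "20170726090416 I #01308 EVNTPRSR Succeeded <BehaviourBlockEvent>, D:\\Events\\sample-ok.xml, IEPOEventHandler.\n"
    "20170726091926 E #15456 HOSTDLPEVENT Error processing event. Error: Unknown exception. Error Code: -2147467259\n"
    "20170726091926 E #15456 HOSTDLPEVENT Failed process event. Time elapsed: (in ms): 30640\n"
    "20170726091926 E #15456 EVNTPRSR source\\server.cpp(1285): Failed to process file D:\\Events\\sample-failed.xml.\n"
    "20170817100659\tE\t#07772\tHOSTDLPEVENT\tError processing event. Error: Unknown exception. Error Code: -2147467259\n"
    "20170817100659\tE\t#07772\tHOSTDLPEVENT\tFailed process event. Time elapsed: (in ms): 218\n"
)


def hresult_hex(code):
    """Show a signed 32-bit error code as the HRESULT it really is:
    -2147467259 is 0x80004005 (E_FAIL), the COM 'Unspecified error'."""
    return "0x{:08X}".format(code & 0xFFFFFFFF)


def parse_line(line):
    """Split one eventparser line into its fields, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Aggregate error-level lines per thread id and return an overall summary."""
    per_thread = defaultdict(lambda: {"errors": 0, "elapsed_ms": [], "codes": set(), "files": []})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["level"] != "E":
            continue  # informational lines (e.g. Succeeded <...>) are not failures
        t = per_thread[rec["thread"]]
        msg = rec["msg"]
        if rec["component"] == "HOSTDLPEVENT" and "Error processing event" in msg:
            t["errors"] += 1
            m = ERRCODE_RE.search(msg)
            if m:
                t["codes"].add(int(m.group("code")))
        m = ELAPSED_RE.search(msg)
        if m:
            t["elapsed_ms"].append(int(m.group("ms")))
        m = FAILED_FILE_RE.search(msg)
        if m:
            t["files"].append(m.group("path"))  # trailing full stop is stripped
    elapsed = [ms for t in per_thread.values() for ms in t["elapsed_ms"]]
    return {
        "failed_events": sum(t["errors"] for t in per_thread.values()),
        "elapsed_ms": elapsed,
        "max_elapsed_ms": max(elapsed) if elapsed else 0,
        "mean_elapsed_ms": mean(elapsed) if elapsed else 0,
        "failed_files": [p for t in per_thread.values() for p in t["files"]],
        "error_codes": sorted({c for t in per_thread.values() for c in t["codes"]}),
    }


def report(summary):
    """Human-readable summary, one line per item."""
    lines = [
        "HOSTDLPEVENT failures : %d" % summary["failed_events"],
        "elapsed ms (max/mean) : %d / %.0f" % (summary["max_elapsed_ms"], summary["mean_elapsed_ms"]),
        "error codes           : " + ", ".join("%d (%s)" % (c, hresult_hex(c)) for c in summary["error_codes"]),
    ]
    lines += ["failed file           : " + p for p in summary["failed_files"]]
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <path to eventparser log>; without an argument the sample is used.
    src = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(report(triage(src)))
```

Run it against the AH and ePO logs separately: if every failure carries a 30,000 ms-class elapsed time the timeout angle is worth pursuing, while a long list of distinct failed files with sub-second times points at the event content itself. The error code is only ever E_FAIL here, so it will not narrow the cause on its own.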

        • 1. Re: DLP events not parsed ePO 5.1.3 (188)
          chrisnlc

          Did you get a resolution to this? I have the same issue with specific 9.4 Patch 1 Mac clients. In ePO I see:

          20170817100659    E    #07772    HOSTDLPEVENT    Error processing event. Error: Unknown exception. Error Code: -2147467259

          20170817100659    E    #07772    HOSTDLPEVENT    Failed process event. Time elapsed: (in ms): 218

          20170817100659    E    #07772    EVNTPRSR    source\server.cpp(1106): COM Error 0x80004005, source=(null), desc=(null), msg=Unspecified error


          After some Googling I found something about timeouts but ~200 ms can't be a timeout.

          If you run this batch file in the events folder does the output (macos.txt) show a single version?

          @echo off
          rem Collect every line containing "version" (case-insensitive) from the
          rem .txml and .xml event files in the current folder into macos.txt
          echo Processing events
          if exist macos.txt del macos.txt
          for %%f in (*.txml) do @findstr /i "ersion" "%%f" >> macos.txt
          for %%f in (*.xml) do @findstr /i "ersion" "%%f" >> macos.txt
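The batch file above dumps every matching line, which on a folder of 50,000 event files is a lot to read. The script below is an added example for this thread, not McAfee's code and not chrisnlc's batch file: it does the same scan (every .xml/.txml in the folder, anything named like "version", case-insensitive) but counts distinct values per field, so the "single version?" question is answered directly. The field name `ProductVersion` and the file contents written by `write_sample_events()` are constructed placeholders; nothing about the real event schema is assumed, which is why the matching is by name suffix rather than by a fixed element.

```python
"""Tally version strings across ePO event files (added example)."""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Attribute form  name="value"  and element form  <name>value</name>, for any
# name ending in "version", case-insensitively (the same net as findstr /i "ersion").
ATTR_RE = re.compile(r'\b(?P<name>\w*version)\s*=\s*"(?P<value>[^"]*)"', re.IGNORECASE)
ELEM_RE = re.compile(r'<(?P<name>\w*version)>\s*(?P<value>[^<]*?)\s*</(?P=name)>', re.IGNORECASE)


def extract_versions(text):
    """Return (field name, value) pairs for every version-like field in text."""
    pairs = [(m.group("name"), m.group("value")) for m in ATTR_RE.finditer(text)]
    pairs += [(m.group("name"), m.group("value")) for m in ELEM_RE.finditer(text)]
    return pairs


def tally_versions(folder):
    """Count (field, value) pairs over all .xml/.txml files in folder; other files are ignored."""
    counts = Counter()
    for path in sorted(Path(folder).iterdir()):
        if path.suffix.lower() not in (".xml", ".txml"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        counts.update(extract_versions(text))
    return counts


def distinct_values(counts):
    """Map each field name to the sorted list of distinct values seen."""
    seen = {}
    for (name, value) in counts:
        seen.setdefault(name, set()).add(value)
    return {name: sorted(vals) for name, vals in seen.items()}


def write_sample_events(folder):
    """Constructed sample files; the element/attribute layout is a placeholder, not the real schema."""
    samples = {
        "a.xml": '<Event><SoftwareInfo ProductVersion="10.0.250.32"/></Event>',
        "b.txml": '<Event><ProductVersion>10.0.250.32</ProductVersion></Event>',
        "c.xml": '<Event><SoftwareInfo ProductVersion="9.4.230.102"/></Event>',
        "notes.txt": 'ProductVersion="0.0.0.0" (wrong extension, must be ignored)',
    }
    for name, body in samples.items():
        (Path(folder) / name).write_text(body, encoding="utf-8")


def demo():
    """Run the tally over a temporary folder of constructed sample files."""
    with tempfile.TemporaryDirectory() as d:
        write_sample_events(d)
        return tally_versions(d)


if __name__ == "__main__":
    import sys
    # Usage: python tally.py "<Events folder>"; without an argument the constructed sample is used.
    counts = tally_versions(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for (name, value), n in counts.most_common():
        print("%-20s %-15s %d" % (name, value, n))
    for name, values in distinct_values(counts).items():
        print("%s: %d distinct value(s)" % (name, len(values)))
```

Pointing it at the Events folder on the AH (where the backlog lives) and comparing with the version table in the first post shows whether the stuck files all belong to one client build, which is the comparison chrisnlc's batch file is after.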