9 Replies Latest reply on May 12, 2011 6:12 AM by zain

    High CPU utilization - Event parser



      Windows Server 2003 VM, 2GB RAM, EPO 4.5,




      We noticed that the server was using an excessive amount of disk space as it was not processing the files in '<install dir>/DB/Events'.The files numbered at about 1.3 million.The DB eventparser log showed a reoccuring error error messages


      20100428092424    E    #3604    NAEPODAL    CEPODAL::ExecQuery: COM Error(0x80040E07) Error converting data type varchar to uniqueidentifier.
      20100428092424    E    #3604    VseBll      DAL->ExecQuery failed. hr=80040e07
      20100428092424    E    #3604    EVNTPRSR    server_ProcessXMLFile: COM Error :80004005 server_ProcessXMLFile
      20100428092424    E    #3604    EVNTPRSR    Meaning = Unspecified error
      20100428092424    E    #3604    EVNTPRSR    Source = (null)
      20100428092424    E    #3604    EVNTPRSR    Description = (null)


      We have read various KBs which suggested the rechecking in of the virusscan 8.7 reports extention which seemed to help as the DB logs began to indicated that the events were successful.However, the event parser soon started generating errors again leading to high CPU utilization and the disk space is rapidly being utilized again. I have logged a call Mcafee support where they have request that I upload the MER logs for ePO but due to the high CPU utilization and high amount of files in the '<install dir>/DB/Events' folder, the MER too crashes while it is running.


      Can anyone please assist here

        • 1. Re: High CPU utilization - Event parser

          This certainly looks like it needs to be passed to support. As a suggestion, stop the three ePO services while you run the MER tool - we will definitely need the MER results for this.

          The errors themselves are related to VSE events: please make sure you have checked in the latest VSE report extension (which is in the VSE + P3 repost package on the download site.) The report extensions are responsible for installing the event handlers that allow ePO to interpret a product's events.  I don't necessarily expect this to cure the problem, but it may help.


          If the size of the folder is a problem, then you can stop the services, rename the Events folder to Events_old, create a new Events folder and then start the services again. This should give you your performance back, but the folder will still fill until a proper solution is available. Once a solution is in place you'll be able to move the events into the new events folder and they'll be processed into the DB.


          Regards -



          • 2. Re: High CPU utilization - Event parser

            Hi Joe, thanks for the quick reponse. I have started rerunning the MER tool to collect the logs to forward it. Would you ned the details of the contents in the DB/Events folder? I ask as this is preventing us from providing the MER logs. Also, I have checked in the latest virusscan extention -

            • 3. Re: High CPU utilization - Event parser

              We certainly won't need the entire contents of the events folder   But a random selection of about 20 files would be useful - that will tell us if they're all from a particular product, or a particular event type.

              Is the contents of the folder preventing the mer tool from running in some way?


              Regards -



              • 4. Re: High CPU utilization - Event parser

                When the MER tool tries to scan the /db/events folder, it eventually crashes. I think it may be related to the amount of files its checking for

                • 5. Re: High CPU utilization - Event parser

                  Hmmm, okay - that makes sense...


                  If at all possible, stop the services, and move the events folder out of the ePO directory structure - put it on the root of the drive, for example. Then the mer tool won't try and scan it.

                  Once that's done, pipe a directory listing to a text file (e.g. dir c:\events /s > c:\events_list.txt) and send that in as well. Then you can put the events folder back where it belongs.


                  HTH -



                  • 6. Re: High CPU utilization - Event parser

                    I have similar issue with hdlp events.Current with T3. 3-1013187244.Appreciate any suggestions.

                    • 7. Re: High CPU utilization - Event parser

                      Sometimes is more helpful to search on the communities forum than to call the TechSupport. I’ve spent more than an hour trying to explain to the T1 support guy why I couldn’t get the MER report from the ePO console server. The only advice he could provide it was to restart the EventParser service, and of course that didn’t help at all.

                      Thanks to your posts, I was finally able to get the MER report. Keep up the good work!



                      on 10/29/10 1:33:15 AM CDT
                      • 8. Re: High CPU utilization - Event parser

                        We are in the same situation. (Win2003SP2, epo4.5P3, SQL2005 fat same box)


                        EventParser service consuming loads of CPU. Backup gets stuck trying to backup events folder. Events folder is over 2Gb in size.


                        I am moving PKG, txml, etc files from the events folder to a another partition and will delete everything from Events folder. Will run MER tool and hope mcafee will be able to help (I bet they are going to tell me to patch epo to level 4)


                        We could not a get a reliable backup this week due to this issue.


                        Any other thoughts????

                        • 9. Re: High CPU utilization - Event parser

                          Hi Red Baron. This could be a couple of things. Here's what to do:


                          1. stop the McAfee ePO event parser service

                          2. rename the DB\events folder(e.g event.old)

                          3. create a new events folder and restart the event parser service


                          Once it starts monitor the event log for a while and check the event parser log(DB\logs\eventparser.log) for errors. Once you check the log, there a few different scenarios that may arise:


                          1. No errors - This means that you may need to add some more CPU power. This is due to your machine running at constant high-CPU utilization and there for cannot process the events in the parser. Renaming the folder would have emptied the parser files in the que allowing them to to now be processed normally.


                          2. Constant errors - You would have to check the log for the error code to see what's the cause but its would most likely be a corrupt extention. Re-check in all the extentions for your application versions,eg, the correct VSEreports for your version. I understand that the extentions are also backward compatible.


                          3. Some errors - There may be machine/s that are sending corrupt data, identify these machines and reinstall the McAfee products.


                          If this didnt help drop me a PM and we'll take it from there. Have you logged a call with McAfee support yet?