8 Replies Latest reply on Oct 26, 2010 2:48 PM by CIPHENT.com

    ePO 4.5 - How to create a query that extracts data from the Server Task Log

    pschmehl

      I just brought up a new install of ePO 4.5 to replace our 4.0 server.  We're not migrating or upgrading.  I'm forcing an agent install on existing clients to move them to the new server.  I do this by selecting rogue systems that are unmanaged and then doing a forced agent deployment.  This works fine except for some systems to which I do not have access.  (This could be for various reasons - not domain members, not inheriting GPOs, misconfigured, removed our admin group from the Local Administrator Group, etc., etc.)

       

      I'd like to create a query that extracts from the Server Task Log only those deployments that have failed due to an access rights problem.  Some machines will time out because they're not on the network at the time of the task or they're unreachable for some reason, but some machines fail because I don't have sufficient rights to do the install.  The error message in the Server Task Log is "Failed to authenticate with remote system, system error: Logon failure: unknown user name or bad password."

       

      I looked through the Queries but didn't see anything that allowed me to query for this data.  Is there a way to do this?

        • 1. Re: ePO 4.5 - How to create a query that extracts data from the Server Task Log
          abakali

          Check the query under the "Feature Group" Logging --> Audit Log Entries and Task log Entries

          • 2. Re: ePO 4.5 - How to create a query that extracts data from the Server Task Log
            pschmehl

            abakali wrote:

             

            Check the query under the "Feature Group" Logging --> Audit Log Entries and Task log Entries

             

            I have that Feature Group, and I have created a query from it.  I have created a query that extracts the logs for only those events that include failures.  My problem is that this is a top level query and doesn't get me the information I want directly.  I have to open each matching log entry, locate the failed deployments and then open each of them to see what system failed.  I want a query that returns *only* those systems that failed - system name and failure message.

             

            This is the sql query "select [OrionTaskLogTask].[Name], [OrionTaskLogTask].[StartDate], [OrionTaskLogTask].[Status], [OrionTaskLogTask].[TaskSource], [OrionTaskLogTask].[Id] from [OrionTaskLogTask] where ( ( ( [OrionTaskLogTask].[Status] = 0 ) or ( [OrionTaskLogTask].[Status] = 1 ) ) and ( [OrionTaskLogTask].[Id] in ( select [OrionTaskLogSubtask].[ParentId] from [OrionTaskLogSubtask] where ( ( [OrionTaskLogSubtask].[Status] = 1 ) ) ) ) )"

             

             

            Message was edited by: pschmehl on 10/24/10 10:46:35 AM CDT
            • 3. Re: ePO 4.5 - How to create a query that extracts data from the Server Task Log
              pschmehl

              pschmehl wrote:

               

              abakali wrote:

               

              Check the query under the "Feature Group" Logging --> Audit Log Entries and Task log Entries

               

              I have that Feature Group, and I have created a query from it.  I have created a query that extracts the logs for only those events that include failures.  My problem is that this is a top level query and doesn't get me the information I want directly.  I have to open each matching log entry, locate the failed deployments and then open each of them to see what system failed.  I want a query that returns *only* those systems that failed - system name and failure message.

               

              This is the sql query "select [OrionTaskLogTask].[Name], [OrionTaskLogTask].[StartDate], [OrionTaskLogTask].[Status], [OrionTaskLogTask].[TaskSource], [OrionTaskLogTask].[Id] from [OrionTaskLogTask] where ( ( ( [OrionTaskLogTask].[Status] = 0 ) or ( [OrionTaskLogTask].[Status] = 1 ) ) and ( [OrionTaskLogTask].[Id] in ( select [OrionTaskLogSubtask].[ParentId] from [OrionTaskLogSubtask] where ( ( [OrionTaskLogSubtask].[Status] = 1 ) ) ) ) )"

               

               

              Message was edited by: pschmehl on 10/24/10 10:46:35 AM CDT

               

              I exported this query (which is working fine but doesn't give me the detail that I want without having to drill down).

               

              Here's the resultant xml, broken down by element:

               

              <queries>
              <query>

              <name language="en">Task Log Entries For Logon Failures</name>

              <description language="en"></description>

              <property name="target">OrionTaskLogTask</property>

              <property name="tableURI">query:table?orion.table.columns=OrionTaskLogTask.Name%3AOrionTaskLogTask.StartDate%3AOrionTaskLogTask.Status%3AOrionTaskLogTask.TaskSource&amp;orion.table.order=az&amp;orion.table.order.by=OrionTaskLogTask.Name%3AOrionTaskLogTask.StartDate%3AOrionTaskLogTask.Status%3AOrionTaskLogTask.TaskSource</property>

              <property name="conditionURI">query:condition?orion.condition.sexp=%28+where+%28+and+%28+or+%28+eq+OrionTaskLogTask.Status+0++%29+%28+eq+OrionTaskLogTask.Status+1++%29+%29+%28+eq+OrionTaskLogSubtask.Status+1++%29+%28+newerThanAbsolute+OrionTaskLogSubtask.StartDate+1287666000000++%29+%29+%29</property>

              <property name="summaryURI">query:summary?orion.sum.query=false&amp;orion.query.type=table.table</property>

              </query>
              </queries>

               

              I took this exact xml and altered it to provide the results that I really want, which is the name of the host(s) that failed from all log files later than the specified date.

               

              <queries>

              <query>

              <name language="en">Task Log Entries For Logon Failures By SubTask</name>

              <description language="en"></description>

              <property name="target">OrionTaskLogSubTask</property>

              <property name="tableURI">query:table?orion.table.columns=OrionTaskLogSubTask.Name

              %3AOrionTaskLogSubTask.StartDate

              %3AOrionTaskLogSubTask.Status&amp;orion.table.order=az&amp;orion.table.order.by=OrionTaskLogSubTask.Name

              %3AOrionTaskLogSubTask.StartDate%3AOrionTaskLogSubTask.Status</property>

              <property name="conditionURI">query:condition?orion.condition.sexp=%28+where+%28+and+%28+or+%28+eq

              +OrionTaskLogSubtask.Status+1++%29+%28+newerThanAbsolute+OrionTaskLogSubtask.StartDate+1287666000000++%29+%29+

              %29</property>

              <property name="summaryURI">query:summary?orion.sum.query=false&amp;orion.query.type=table.table</property>

              </query>

              </queries>

               

              When I try to import this query, I get a "You are not authorized for this operation" error.  When I try to import the originally exported query, it imports fine.  I'm logged in as the service account that owns ePO and its database and is global administrator for ePO 4.5.

               

               

              Message was edited by: pschmehl on 10/25/10 2:05:05 PM CDT
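
An added example, not part of the original posts and not McAfee code: a Python check that decodes the `orion.condition.sexp` value of an exported query into a nested structure, so a hand-edited condition can be inspected before it is re-imported. The two strings are the condition values from the post above with the line-wrap spaces removed; the parsing rules are an assumption based only on the syntax visible in that XML.

```python
from urllib.parse import unquote_plus

# Condition strings taken from the two conditionURI properties in the post
# (line-wrap spaces removed). Everything else here is illustrative.
EXPORTED = ("%28+where+%28+and+%28+or+%28+eq+OrionTaskLogTask.Status+0++%29"
            "+%28+eq+OrionTaskLogTask.Status+1++%29+%29"
            "+%28+eq+OrionTaskLogSubtask.Status+1++%29"
            "+%28+newerThanAbsolute+OrionTaskLogSubtask.StartDate"
            "+1287666000000++%29+%29+%29")
EDITED = ("%28+where+%28+and+%28+or+%28+eq+OrionTaskLogSubtask.Status+1++%29"
          "+%28+newerThanAbsolute+OrionTaskLogSubtask.StartDate"
          "+1287666000000++%29+%29+%29")


def parse_sexp(encoded):
    """Decode a URL-encoded s-expression into nested lists.

    Returns (tree, unclosed): unclosed is the number of groups still open
    at end of input. Raises ValueError on a ')' with no matching '('.
    """
    text = unquote_plus(encoded)          # %28 -> "(", "+" -> " "
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()
    root = []
    stack = [root]
    for tok in tokens:
        if tok == "(":
            group = []
            stack[-1].append(group)
            stack.append(group)
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unmatched ')'")
            stack.pop()
        else:
            stack[-1].append(tok)
    return root, len(stack) - 1


def tables_used(tree):
    """Collect the table prefix of every Table.Column operand in the tree."""
    found = set()
    for node in tree:
        if isinstance(node, list):
            found |= tables_used(node)
        elif "." in node:
            found.add(node.split(".", 1)[0])
    return found
```

On the strings from the post, the exported condition closes every group, while the edited condition leaves one group open and references only `OrionTaskLogSubtask`.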
              • 4. Re: ePO 4.5 - How to create a query that extracts data from the Server Task Log
                JoeBidgood

                Unfortunately this isn't going to work, I'm afraid. The query builder doesn't implement the complete range of SQL commands, so the import fails.

                I think at this point the best approach is to enter an FMR to get the subtasks information exposed to the query builder. In the meantime you're probably going to have to run your query directly against the DB rather than through ePO.

                 

                Sorry

                 

                Regards -

                 

                Joe

                • 5. Re: ePO 4.5 - How to create a query that extracts data from the Server Task Log
                  pschmehl

                  JoeBidgood wrote:

                   

                  Unfortunately this isn't going to work, I'm afraid. The query builder doesn't implement the complete range of SQL commands, so the import fails.

                  I think at this point the best approach is to enter an FMR to get the subtasks information exposed to the query builder. In the meantime you're probably going to have to run your query directly against the DB rather than through ePO.

                   

                  Sorry

                   

                  Regards -

                   

                  Joe

                   

                  Thanks, Joe.  What is an FMR?

                   

                  Also, I have found several problems with ePO 4.5 since installing it.  Should I open tickets for these?  Report them here?  What's the best way to get them in the hopper for debugging?

                  • 6. Re: ePO 4.5 - How to create a query that extracts data from the Server Task Log
                    JoeBidgood

                    pschmehl wrote:

                     

                    Thanks, Joe.  What is an FMR?

                     

                     

                     

                    FMR stands for Feature Modification Request... although come to think of it they may have been given a new name recently: I think there's a customer-facing web page for entering them. Possibly one of the other posters knows what it is - otherwise I'll try and dig it out.

                     

                     

                     

                    Also, I have found several problems with ePO 4.5 since installing it.  Should I open tickets for these?  Report them here?  What's the best way to get them in the hopper for debugging?

                     

                     

                    By all means report them here - if it turns out that they warrant a closer look you'll need to open a case for them.

                     

                    HTH -

                     

                    Joe

                    • 7. Re: ePO 4.5 - How to create a query that extracts data from the Server Task Log
                      pschmehl

                      JoeBidgood wrote:

                       

                      pschmehl wrote:

                       

                      Thanks, Joe.  What is an FMR?

                       

                       

                       

                      FMR stands for Feature Modification Request... although come to think of it they may have been given a new name recently: I think there's a customer-facing web page for entering them. Possibly one of the other posters knows what it is - otherwise I'll try and dig it out.

                       

                       

                       

                      Also, I have found several problems with ePO 4.5 since installing it.  Should I open tickets for these?  Report them here?  What's the best way to get them in the hopper for debugging?

                       

                       

                      By all means report them here - if it turns out that they warrant a closer look you'll need to open a case for them.

                       

                      HTH -

                       

                      Joe

                      I'll submit the FMR.

                       

                      I'll start a new thread for the problems I've found with ePO 4.5.

                      • 8. Re: ePO 4.5 - How to create a query that extracts data from the Server Task Log

                        See the following process to submit a PER aka...FMR

                         

                        Information about Product Enhancement Requests for McAfee products and Feature Requests for legacy Secure Computing products

                        https://kc.mcafee.com/corporate/index?page=content&id=KB60021

                         

                        David