15 Replies. Latest reply on May 31, 2011 6:11 AM by redbaron51

    ..\DB\Events folder is filling up with *.pkg files

       

      I went to log in to our ePO server last night and got an error message that there was 0kb of drive space left. I was able to pinpoint the following folder as the one that was freaking out on drive space:

       

      '\Program Files\McAfee\ePolicy Orchestrator\DB\Events'

       

      The folder had a little over 2 million files in it and was taking up about 35 gigs worth of drive space; the file names looked like a long string of numbers with a *.pkg extension.

       

      What is causing this and what can I do about it?

       

      Version numbers are - ePolicy Orchestrator 4.0.0 (Build 1333). This server is the web front end; the SQL backend is on a separate server.

       

      Thanks in advance,

       

      PG

        • 1. Re: ..\DB\Events folder is filling up with *.pkg files

          Hi

          Try scheduling a task in ePO for purging the logs once a month or so, as per your feasibility.

           

          regards

          KS

          • 2. Re: ..\DB\Events folder is filling up with *.pkg files
            JoeBidgood

            The events folder is effectively the queue for events waiting to be written to the database. If they come in faster than the event parser can process them, then the folder will grow.

            The first thing to do is to ensure that the event parser service is running, and check the eventparser.log to see if there are any errors.

            In the short term you can stop the three ePO services and move the contents of the folder to another location, or - if you're not worried about losing data - delete them.

            Depending on the event type, some of these files may be readable in a text editor: I'd recommend opening a few at random and seeing what they are. If they're all virus detection events then you may have an infection that you need to deal with before anything else.

             

            HTH -

             

            Joe

            • 3. Re: ..\DB\Events folder is filling up with *.pkg files
              babatola

              We have a similar issue in our environment.

              We run a command to delete these files on a periodic basis to minimise the problem.

              This cannot last, so we engaged McAfee and sent the MER log, but no response.

              The ePO eventparser service is running, the ePO services have been restarted and the server itself rebooted, but the issue persists.

              Is this a known issue? What could be causing it?

              We also have a similar architecture to the one he describes, where ePO is on a separate server from the SQL server and connects to it remotely.

              Is this peculiar to this deployment architecture? Or is there a KB to address the issue?

               

              Thanks in advance

              • 4. Re: ..\DB\Events folder is filling up with *.pkg files
                JoeBidgood

                The first step is always to make sure that the event parser is functioning correctly. Can you post the eventparser.log?

                 

                Thanks -

                 

                Joe

                • 5. Re: ..\DB\Events folder is filling up with *.pkg files
                  tonyb99

                  I have had issues with event files from GroupShield not being readable in ePO 4.0 and 4.5, which resulted in just this scenario, so definitely open the earliest ones and check what software they relate to, as Joe said.

                  Restart the parser and see if any stay while the others are processed.

                  Make sure you have the latest up-to-date extensions checked in for your point products, e.g. VSE, GroupShield, etc.

                  I eventually had to set a Windows server task to restart the parser every hour in one case, as even with hotfixes I couldn't process GroupShield 6.2 events although it was supported (until I got rid of that version).

                  • 6. Re: ..\DB\Events folder is filling up with *.pkg files
                    jmcleish

                    Have you both just noticed this in the last couple of days?

                     

                    I've had a very similar issue: in my events folder I had over 100,000 items, so after a reboot the eventparser brought it right back down to about 1,000.

                    I've unchecked a couple of events out of events filtering that I noticed were bringing in quite a lot of events to try and ease the load, but the sqlservr is up at 98% CPU.

                    I did update the vscan 8.7 reports extension because I had quite a lot of @filename errors in the event parser logfile. This has got rid of those types of errors (must have forgotten to check that in) but it still has others (see below).

                    So today I stopped all the services and moved all the files out of the events folder and restarted the server.

                    It appeared OK, but now sits back at 98% CPU. It appears to be processing lots of events successfully, but now in the events folder there are 12 files (txml and xml) from 2 hours ago that are going nowhere.

                    I also have the folder of 3,600 unprocessed events from the other day that I've still to drop back in to get processed. One file I've just dropped back in hasn't been processed, while new ones that have come in have.

                    This just seems to have happened in the last couple of days.

                    I'm at a loss as to what to do!

                    Now, as I type, the CPU usage for sqlsvr has gone back to 6%.

                    It appears that when the error below appears the CPU goes back to normal.

                     

                    20101126131546    E    #2612    NAEPODAL    CEPODAL::ExecQuery: COM Error(0x80040E31) Timeout expired
                    20101126131546    E    #2612    VseBll      DAL->ExecQuery failed. hr=80040e31
                    20101126131546    E    #2612    EVNTPRSR    server_ProcessXMLFile: COM Error :80004005 server_ProcessXMLFile
                    20101126131546    E    #2612    EVNTPRSR    Meaning = Unspecified error

                     

                     

                    EDIT:

                    Could the xml/txml client events be corrupt?

                     

                     

                     

                     

                    20101126131121    I    #2612    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z0006b51bb77-221e-449a-8c8c-ad6ef35a44c8- 201011261309022472760000002AC.txml succeeded (IEPOEventHandler)
                    20101126131126    E    #2672    NAEPODAL    CEPODAL::ExecQuery: COM Error(0x80040E31) Timeout expired
                    20101126131126    E    #2672    VseBll      DAL->ExecQuery failed. hr=80040e31
                    20101126131126    E    #2672    EVNTPRSR    server_ProcessXMLFile: COM Error :80004005 server_ProcessXMLFile
                    20101126131126    E    #2672    EVNTPRSR    Meaning = Unspecified error
                    20101126131126    E    #2672    EVNTPRSR    Source = (null)
                    20101126131126    E    #2672    EVNTPRSR    Description = (null)
                    20101126131126    I    #2672    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z000e0be97f1-e7c5-4dec-826b-64164bbce51c- 20101126130734464416000000F44.txml succeeded (IEPOEventHandler)
                    20101126131146    I    #2668    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z0000152a3e4-b06c-4f24-91bf-d43ef830ec19- 20101126130711717651700001560.txml succeeded (IEPOEventHandler)
                    20101126131321    I    #2672    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z0001674684d-25a2-4334-88b9-438b19b2c0a9- 20101126130859752964100000F94.txml succeeded (IEPOEventHandler)
                    20101126131326    I    #2668    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z000bcc6a8bf-3d36-4c4a-9352-603696987deb- 20101126131302761097100000E80.txml succeeded (IEPOEventHandler)
                    20101126131326    I    #2672    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z000d583ed0e-9f8a-4612-b3e9-6a5728855c40- 20101126130834209860800000A38.txml succeeded (IEPOEventHandler)
                    20101126131401    I    #2672    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z00080579ac8-de05-4dfe-b8be-cda238d99fb5- 2010112613134980756570000029C.txml succeeded (IEPOEventHandler)
                    20101126131411    E    #2612    NAEPODAL    CEPODAL::ExecQuery: COM Error(0x80040E31) Timeout expired
                    20101126131411    E    #2612    VseBll      DAL->ExecQuery failed. hr=80040e31
                    20101126131411    E    #2612    EVNTPRSR    server_ProcessXMLFile: COM Error :80004005 server_ProcessXMLFile
                    20101126131411    E    #2612    EVNTPRSR    Meaning = Unspecified error
                    20101126131411    E    #2612    EVNTPRSR    Source = (null)
                    20101126131411    E    #2612    EVNTPRSR    Description = (null)
                    20101126131421    I    #2668    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z0001868c7a7-617b-4e9f-b09f-6c01e2ed52cc- 20101126130949953486500000B90.txml succeeded (IEPOEventHandler)
                    20101126131446    I    #2612    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z00093c3d221-26c1-4204-b137-83428b9fb235- 20101126131408290494600000D7C.txml succeeded (IEPOEventHandler)
                    20101126131511    I    #2668    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z0007aa5e260-8a13-473e-a734-36438dc63c05- 201011260701384742547000011F0.txml succeeded (IEPOEventHandler)
                    20101126131546    I    #2672    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z00077261359-adcf-411c-8e13-2f4919eae7c6- 201011261312506872282000013B4.txml succeeded (IEPOEventHandler)
                    20101126131546    I    #2668    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z00006457fd5-31b6-476c-8105-87e792e5d5d3- 20101126131124265820100001294.txml succeeded (IEPOEventHandler)
                    20101126131546    E    #2612    NAEPODAL    CEPODAL::ExecQuery: COM Error(0x80040E31) Timeout expired
                    20101126131546    E    #2612    VseBll      DAL->ExecQuery failed. hr=80040e31
                    20101126131546    E    #2612    EVNTPRSR    server_ProcessXMLFile: COM Error :80004005 server_ProcessXMLFile
                    20101126131546    E    #2612    EVNTPRSR    Meaning = Unspecified error
                    20101126131546    E    #2612    EVNTPRSR    Source = (null)
                    20101126131546    E    #2612    EVNTPRSR    Description = (null)

                     

                     

                     

                     

                    Cheers

                    Jane

                     

                     

                    Message was edited by: jmcleish on 26/11/10 08:21:04 CST
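
Added example, not part of the thread and not McAfee tooling: a small triage of eventparser.log lines in the format posted above, counting processed files, `0x80040E31` timeouts per thread, and the longest time a file waited in the Events queue. It assumes the 14 digits after the GUID in an event file name are a creation timestamp, which the posted names suggest but the thread does not confirm; `triage`, `SAMPLE` and the result keys are names chosen here.

```python
import re
from collections import Counter
from datetime import datetime

# Layout seen in the posted log: timestamp, level, #thread, module, message.
LINE = re.compile(r"^\s*(\d{14})\s+([A-Z])\s+#(\d+)\s+(\S+)\s+(.*)$")
# ASSUMPTION: the 14 digits after the GUID in an event file name are a
# YYYYMMDDhhmmss stamp. The posted names look that way; the thread never says so.
DONE = re.compile(r"Process .*-\s*(\d{14})\w*\.\w+ succeeded")
TIMEOUT = "0x80040E31"  # "Timeout expired" code in the posted NAEPODAL lines

# Sample lines copied from the log posted above.
SAMPLE = r"""
20101126131511    I    #2668    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z0007aa5e260-8a13-473e-a734-36438dc63c05- 201011260701384742547000011F0.txml succeeded (IEPOEventHandler)
20101126131546    I    #2672    EVNTPRSR    Process C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z00077261359-adcf-411c-8e13-2f4919eae7c6- 201011261312506872282000013B4.txml succeeded (IEPOEventHandler)
20101126131546    E    #2612    NAEPODAL    CEPODAL::ExecQuery: COM Error(0x80040E31) Timeout expired
20101126131546    E    #2612    VseBll      DAL->ExecQuery failed. hr=80040e31
20101126131546    E    #2612    EVNTPRSR    server_ProcessXMLFile: COM Error :80004005 server_ProcessXMLFile
20101126131546    E    #2612    EVNTPRSR    Meaning = Unspecified error
""".splitlines()

def _ts(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")

def triage(lines):
    """Summarise parser throughput, SQL timeouts and queue lag from log lines."""
    out = {"processed": 0, "timeouts": 0, "max_lag_s": 0,
           "errors_by_module": Counter(), "timeouts_by_thread": Counter()}
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # blank line or text that is not a log record
        when, level, thread, module, msg = m.groups()
        if level == "E":
            out["errors_by_module"][module] += 1
            if TIMEOUT in msg:
                out["timeouts"] += 1
                out["timeouts_by_thread"][thread] += 1
            continue
        done = DONE.search(msg)
        if done:
            out["processed"] += 1
            # Seconds between the stamp in the file name and the log entry.
            lag = int((_ts(when) - _ts(done.group(1))).total_seconds())
            out["max_lag_s"] = max(out["max_lag_s"], lag)
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```
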
                    • 7. Re: ..\DB\Events folder is filling up with *.pkg files
                      tonyb99

                      Jane, when you checked the oldest events that haven't processed, were there any specific point products involved?

                      • 8. Re: ..\DB\Events folder is filling up with *.pkg files
                        jmcleish

                        Of the ones from today that are still in the events folder:

                         

                        Half and half: 8.5 and 8.7.

                        I was just about to start my whole upgrade to 8.7p3 from 8.5p8 when I came across this problem!

                        :-(
