5 Replies Latest reply on Jun 24, 2011 9:45 AM by JoeBidgood

    EPO 4.0 Events are empty

    pjhutch

      We have a new McAfee ePO 4.0 server, but ever since we migrated from the old server to the new server, the new server has not picked up any new events since the migration. This also means that the Malware Detection History graph in the Dashboard is always empty. I have checked and re-checked settings and all the agents have been re-deployed to point to the new server, but no events are ever recorded. Any ideas?

        • 1. Re: EPO 4.0 Events are empty
          JoeBidgood

          Before anything else, check that the event parser service is running on the new server: then check the eventparser.log file for any errors.

           

          HTH -

           

          Joe

          • 2. Re: EPO 4.0 Events are empty
            pjhutch

            I checked the event log in c$\Program Files\Mcafee\ePolicy Orchestrator\DB\Logs and I am getting some errors here:

             

            20110624124020 I #3280 McUpload Successfully disabled CA trust options.

            20110624124020 I #3344 McUpload Successfully disabled CA trust options.

            20110624124030 E #3068 EventParser EventParser::PluginCache - Second-chance CoCreateInstance failed, hr=0x80040154

            20110624124030 E #3068 EventParser BLL Extension not found for XML element TaskStatusEvent

            20110624124030 I #3068 EventParser Notification event file C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z000df0f1516-e4d2-4e98-860a-99b11b4211af. PKG.xml succeeded

            20110624124030 I #3068 EventParser Success: Extract and process 201106241200087550000116C.xml from C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z000df0f1516-e4d2-4e98-860a-99b11b4211af. PKG

            20110624124030 I #3224 McUpload Successfully disabled CA trust options.

            20110624124045 E #3080 EventParser EventParser::PluginCache - Second-chance CoCreateInstance failed, hr=0x80040154

            20110624124045 E #3080 EventParser BLL Extension not found for XML element TaskStatusEvent

            20110624124045 I #3080 EventParser Notification event file C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z000267b17b7-3261-47ac-8a3d-6228be856c0f. PKG.xml succeeded

            20110624124045 I #3080 EventParser Success: Extract and process 2011062412000942100000E60.xml from C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\z000267b17b7-3261-47ac-8a3d-6228be856c0f. PKG

            20110624124045 I #3344 McUpload Successfully disabled CA trust options.

             

            Any ideas?

            • 3. Re: EPO 4.0 Events are empty
              JoeBidgood

              This bit here:

               

              20110624124030 E #3068 EventParser BLL Extension not found for XML element TaskStatusEvent

               

              usually means that one or more reporting extensions are missing. You say you migrated from one server to another - can you explain a bit more about how this was done?

              Additionally, get hold of the latest extensions for the latest version of VirusScan that you're using, and check them in - make sure you check in both the management and reporting extension. (So for example if you're running a mix of VSE 8.5 and 8.7, download the latest VSE 8.7 package and check in the extensions.)

               

              HTH -

               

              Joe

              • 4. Re: EPO 4.0 Events are empty
                pjhutch

                In ePO 4 you have to check in the entire application as a ZIP file, just doing the ZIP files inside them does not work - it says it cannot find the pkgcatalog.z file, so doing the entire package should include all the extensions as well.

                 

                So I have managed to check in VirusScan 8.7 Patch 3 and VirusScan 8.8 packages which are the latest we are using. I will leave it a few days to see if it will pick up new events in the database.

                • 5. Re: EPO 4.0 Events are empty
                  JoeBidgood

                  Ah - this may be where the problem is. I'm talking about the extensions, rather than the product package. Extensions are what let ePO control a product and handle its events, whereas the package is what gets deployed out to the client machines.

                   

                  If you extract the package, you'll get the two extension zips. In ePO, if you go to configuration / extensions, you should be able to install them.  Once this is done, ePO should be able to handle events from VSE again.

                   

                  HTH -

                   

                  Joe
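
Added example (not part of the thread and not McAfee code): a short Python script that parses log lines in the format shown in reply 2 and counts the `BLL Extension not found` errors that reply 3 attributes to missing reporting extensions, along with the accompanying `CoCreateInstance` failures. The field layout (timestamp, level, thread id, component, message) and the reading of `E` as an error level are assumptions inferred from that excerpt; the sample lines are copied from it.

```python
import re
from collections import Counter

# Lines copied from the excerpt in reply 2. Assumed layout, inferred from the
# excerpt: timestamp, level (I/E), #thread id, component, message.
SAMPLE_LOG = """\
20110624124020 I #3280 McUpload Successfully disabled CA trust options.
20110624124030 E #3068 EventParser EventParser::PluginCache - Second-chance CoCreateInstance failed, hr=0x80040154
20110624124030 E #3068 EventParser BLL Extension not found for XML element TaskStatusEvent
20110624124045 E #3080 EventParser EventParser::PluginCache - Second-chance CoCreateInstance failed, hr=0x80040154
20110624124045 E #3080 EventParser BLL Extension not found for XML element TaskStatusEvent
20110624124045 I #3344 McUpload Successfully disabled CA trust options.
"""

LINE_RE = re.compile(r"^(\d{14}) ([A-Z]) #(\d+) (\S+) (.*)$")
MISSING_RE = re.compile(r"BLL Extension not found for XML element (\S+)")
HRESULT_RE = re.compile(r"CoCreateInstance failed, hr=(0x[0-9A-Fa-f]{8})")
# 0x80040154 is the standard COM HRESULT REGDB_E_CLASSNOTREG (class not registered).
HRESULT_NAMES = {0x80040154: "REGDB_E_CLASSNOTREG"}


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, thread, component, message = m.groups()
    return {"ts": ts, "level": level, "thread": int(thread),
            "component": component, "message": message}


def summarize(log_text):
    """Count unhandled event types and COM failures among EventParser errors."""
    missing, hresults = Counter(), Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["level"] != "E" or rec["component"] != "EventParser":
            continue
        if (m := MISSING_RE.search(rec["message"])):
            missing[m.group(1)] += 1
        if (m := HRESULT_RE.search(rec["message"])):
            code = int(m.group(1), 16)
            hresults[HRESULT_NAMES.get(code, hex(code))] += 1
    return {"missing_extension_for": dict(missing), "com_failures": dict(hresults)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Each XML element name reported under `missing_extension_for` is an event type the server received but had no extension to process.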