8 Replies Latest reply on Nov 29, 2011 4:06 AM by gerhard.kaupa

    ePO 4.6 unable to process events

    metalhead

      Hi all,

       

      we have one ePO 4.6 server were regularly events are moved to the <epo install dir>\DB\Events\Debug folder.

      According to McAfee these are events which cannot be processed by epo.

       

      But after copying these events manually back to the EVENTS folder the events are processed correctly ...

       

      Here are the EVENTPARSER.LOG entries of a view events with the corresponding error:

       

      1. Event:

       

      20111004131534    E    #02504    VseBll      DAL->ExecQuery failed. hr=80040e31

      20111004131534    E    #02504    EVNTPRSR    server_ProcessXMLFile: COM Error 0x80004005

      20111004131534    E    #02504    EVNTPRSR    server_ProcessXMLFile: Failed to process file C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\7d649907-3593-4074-9ca0-509360939fd1-2011 1004075748443084200000890.xml

       

      2. Event:

       

      20111004131535    E    #02536    VseBll      DAL->ExecQuery failed. hr=80040e31

      20111004131535    E    #02536    EVNTPRSR    server_ProcessXMLFile: COM Error 0x80004005

      20111004131535    E    #02536    EVNTPRSR    server_ProcessXMLFile: Failed to process file C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\8e14c4ce-a734-4bb3-b9e7-a0b8e3ed2c70-2011 1004073026849391500000824.xml

       

      3. Event:

       

      FAILED

      20111004131426    E    #02528    VseBll      DAL->ExecQuery failed. hr=80040e31

      20111004131426    E    #02528    EVNTPRSR    server_ProcessXMLFile: COM Error 0x80004005

      20111004131426    E    #02528    EVNTPRSR    server_ProcessXMLFile: Failed to process file C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\5442e0d1-ce6e-4247-ae31-d068bc87673f-2011 1004073545960545800000854.xml

       

      PROCESSED

      20111004140430    I    #02500    EVNTPRSR    Succeeded <BehaviourBlockEvent>, C:\PROGRA~1\McAfee\EPOLIC~1\DB\Events\5442e0d1-ce6e-4247-ae31-d068bc87673f-2011 1004073545960545800000854.xml, IEPOEventHandler

       

       

       

      Has anybody seen this error ? I could not find anything on the McAfee KB ...

       

      Thanks and Regards

      Tom

        • 1. Re: ePO 4.6 unable to process events
          JoeBidgood

          If you put the ePO server into log level 8 and restart the services, then check the eventparser log again, do you get more detail? There's a few possibilities here...

           

          HTH -

           

          Joe

          • 2. Re: ePO 4.6 unable to process events
            metalhead

            Hi Joe,

             

            no loglevel 8 does not give more information - just the same.

             

            -- edit --

            But it seems like the whole EVENTPARSER.LOG has no "X" events - I will try rerunning it with loglevel 8.

            --------

             

            Tom

             

            Nachricht geändert durch metalhead on 05.10.11 11:47:32 MESZ
            • 3. Re: ePO 4.6 unable to process events
              metalhead

              What we have already evaluated is the following:

               


              20110920202207    E    #02536    SCOR        SCORDatabaseUtils.cpp: 124: DB Transaction COM Error : 0x80040e31 # ErrMsg : IDispatch error #3121 # ErrDesc : Timeout expired
              20110920202207    E    #02536    SCOR        SCOREventParser.cpp: 92: Error occurred while persisting event to EPOEvent table. Check that the db is up and running, err:-2147467259
              20110920202207    E    #02536    SCOR        SCOREventParser.cpp: 586: Error[80004005] found. See previous logs for details.
              20110920202207    W    #02536    SCOR        SCOREventParser.cpp: 431: Event will be re-read next time
              20110920202207    W    #02536    SCOR        SCOREventParserPlugin.cpp: 150: Non-Success HResult : 0x80004005

              The EPOAPSvr.log shows:

              20110920193708    I    #05568    SITEMGR     Database Shutdown: Starting.
              20110920193708    I    #05568    SITEMGR     Database Shutdown: Succeeded.

               

              But in the Windows Event log there is no machine/service shutdown mentioned.

               

              Also I do not really know if this is related to the problem ...

               

               

              Thanks Tom

              • 4. Re: ePO 4.6 unable to process events
                JoeBidgood
                The EPOAPSvr.log shows:


                20110920193708    I    #05568    SITEMGR     Database Shutdown: Starting.
                20110920193708    I    #05568    SITEMGR     Database Shutdown: Succeeded.

                 

                But in the Windows Event log there is no machine/service shutdown mentioned.

                 

                Also I do not really know if this is related to the problem ...

                 

                 

                Okay, these can be ignored - from the I in the second column we can see that these are Informational messages. They don't refer to an actual service stopping so you won't see anything anywhere else relating to this.

                 

                 


                20110920202207    E    #02536    SCOR        SCORDatabaseUtils.cpp: 124: DB Transaction COM Error : 0x80040e31 # ErrMsg : IDispatch error #3121 # ErrDesc : Timeout expired
                20110920202207    E    #02536    SCOR        SCOREventParser.cpp: 92: Error occurred while persisting event to EPOEvent table. Check that the db is up and running, err:-2147467259
                20110920202207    E    #02536    SCOR        SCOREventParser.cpp: 586: Error[80004005] found. See previous logs for details.
                20110920202207    W    #02536    SCOR        SCOREventParser.cpp: 431: Event will be re-read next time
                20110920202207    W    #02536    SCOR        SCOREventParserPlugin.cpp: 150: Non-Success HResult : 0x80004005

                 

                This is the interesting bit - looks like there is an SQL-related problem. Possibly deadlocks, possibly resource issues - I'm just guessing here.  I would suggest investigating the SQL server logs for anything relevant, and if necessary leave a profiler trace running against the ePO db to see if any SQL errors are trapped.

                 

                HTH -

                 

                Joe

                • 5. Re: ePO 4.6 unable to process events
                  metalhead

                  Do you have any recommendations what should be traced/activated in the SQL Profiler´s trace ?

                   

                  Thanks Tom

                  • 6. Re: ePO 4.6 unable to process events
                    JoeBidgood

                    I would certainly guess deadlocks, and you're looking for insert statements to the ePOEvents table that are failing - that would be a starting point.

                     

                    HTH -

                     

                    Joe

                    • 7. Re: ePO 4.6 unable to process events
                      metalhead

                      Thanks for the fast response

                       

                      I will give you a feedback after running the trace ...

                       

                      Cheers Tom

                      • 8. Re: ePO 4.6 unable to process events

                        Hello,

                        this is my first time in this community and i have the same problem like this.

                        Exists there any solution about this problem?

                        Greetings

                        Gerd