4 Replies Latest reply on Nov 8, 2013 7:59 AM by joeleisenlipz

    No threat events...

    sushi78

      Since 9/30/2013, ePO doesn't show any Virusscan Threat events anymore.

      I know we had an expired license key around that time. I updated the key and everything works great but no events...

       

      I tested the clients and they gave no connection errors to the server.

      I updated the clients from 4.6 to 4.8. Working as a charm but still no threat events.

      I did all Windows Updates but no effect.

      I updated ePO from 4.6.4 to 4.6.6. Everything went like a charm but still no events...

       

      The events from Exchange are working.

       

      The clients get their DAT updates and are reporting their info back to the ePO server.

       

      Deployment of agents and virusscanner (8.8 P2/3) are working great.

       

       

      Does anyone have any idea where to look to resolve this problem?

        • 1. Re: No threat events...
          joeleisenlipz

          I might start by ensuring that they are being sent successfully. Use the EICAR test string to verify your workstation can generate an event (look for the XML file). Then watch that folder when you use the "Send Events" function of the Agent's Status Monitor. If the XML file is generated and disappears (gets uploaded), then you can likely rule out any client-side problems.

           

           

          Then, I would take a look at the Events folders on each Agent Handler and the ePO server. You should see files cycling through as they are processed. I would probably also check the Event Parser services on any/all Agent Handlers and the ePO server itself. Restart them, just for giggles.

           

          Lastly, review anything related to the database. Maybe the table is full or the data file isn't set to grow. I suppose there could also be problems with purging tasks or the Event Filtering configuration that would limit this data.

           

          Take a stab at a few of these and let us know what you find!

           

          --Joel

          • 2. Re: No threat events...
            sushi78

            I tested sending an event as you described. Works like a charm.

             

            The only Agent Handler we have is the server itself. I looked at the folder. The events in that folder are processed but when I take a look at the DEBUG folder, there are 24.000+ events! So I found them! Now I have to find a way to let ePO process them.

            With a quick internet search I found the following remark: "Events with an outdated or not installed Reports Extension will store the not parsed Event in DB\Events\DEBUG."

            So I have to find out what is wrong with the reports extension... Or are there other possibilities for this behaviour?

             

            Message was edited by: sushi78 on 11/8/13 1:53:31 AM CST
            • 3. Re: No threat events...
              sushi78

              It turns out the Reports Extension was missing....

               

              And it's clear why...

              I removed VSE 8.7 from the Software manager. That, apparently, uninstalls the Reports Extension from VSE 8.8.

              I checked in VSE8.8 Reports Extension again and now I'm also the owner of Reports Extension VSE 8.7 again?!?!?! Strange?

               

              I processed the events now. Turns out there were some very old Exchange events waiting in the debug folder.

               

              Thanks a lot!!

               

              Message was edited by: sushi78 on 11/8/13 2:19:08 AM CST

               

              Message was edited by: sushi78 on 11/8/13 4:44:51 AM CST
              • 4. Re: No threat events...
                joeleisenlipz

                Anything that the parser has trouble dealing with will land in that DEBUG folder. You can try to move them from there, back into the parent folder maybe a thousand at a time. If there is still a parsing problem, they will land in the debug again.

                 

                Hopefully, this will get you all (or at least most) of your missing data.

                 

                --Joel
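
The batch re-queue described in reply 4, as an added PowerShell example that is not part of the thread and not McAfee tooling. `$EventsDir` must be set to the server's `DB\Events` folder (the full path is not given in the thread), and the polling values are assumptions.

```powershell
# Added example, not from the thread. $EventsDir must point at the ePO server's
# DB\Events folder (full path depends on the install); timing values are assumptions.
param(
    [Parameter(Mandatory = $true)] [string] $EventsDir,
    [int] $BatchSize   = 1000,   # "maybe a thousand at a time"
    [int] $PollSeconds = 15,     # assumed polling interval
    [int] $MaxPolls    = 40      # give up on a batch after about 10 minutes
)

$debugDir = Join-Path $EventsDir 'DEBUG'
if (-not (Test-Path -LiteralPath $debugDir -PathType Container)) {
    throw "No DEBUG folder under '$EventsDir'"
}

# Snapshot the backlog once (oldest first) so each file is retried exactly once,
# even if the parser drops it back into DEBUG.
$backlog = @(Get-ChildItem -LiteralPath $debugDir -File | Sort-Object LastWriteTime)
$moved = 0

for ($i = 0; $i -lt $backlog.Count; $i += $BatchSize) {
    $end   = [Math]::Min($i + $BatchSize, $backlog.Count) - 1
    $names = @{}
    foreach ($f in $backlog[$i..$end]) {
        Move-Item -LiteralPath $f.FullName -Destination $EventsDir -ErrorAction Stop
        $names[$f.Name] = $true
        $moved++
    }

    # Wait until the Event Parser has consumed every file of this batch.
    $polls = 0
    do {
        Start-Sleep -Seconds $PollSeconds
        $pending = @(Get-ChildItem -LiteralPath $EventsDir -File |
                     Where-Object { $names.ContainsKey($_.Name) })
        $polls++
    } while ($pending.Count -gt 0 -and $polls -lt $MaxPolls)

    if ($pending.Count -gt 0) {
        Write-Warning "$($pending.Count) files still unprocessed; check the Event Parser service."
        break
    }

    # Anything in DEBUG beyond the not-yet-moved backlog was rejected again
    # (or is a newly failed event).
    $inDebug  = @(Get-ChildItem -LiteralPath $debugDir -File).Count
    $returned = $inDebug - ($backlog.Count - $moved)
    Write-Host "Moved $moved of $($backlog.Count); $returned file(s) back in DEBUG."
}
```

A `$returned` count that rises with every batch means the parser is still rejecting the events, so the Reports Extension should be checked before moving more files.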