1 Reply Latest reply on Sep 22, 2016 6:53 PM by santichm

    Splunk query for db_connect expects EPOProdPropView_VIRUSCAN

    santichm

      Hello,

      Our current version of McAfee ePO, 4.6.5, is at End-of-Support
      and we need to upgrade to version 5.X. We have created a test environment with ePO version 5.3.2.

      We use splunk_app_db_connect v2 version 2.1.3,
      which was correctly connecting to and querying ePO 4.6.5 (using the default query from the Splunk TA for
      McAfee).

      After updating to ePO 5.3.2 in our test environment, I
      replaced the stanza in inputs.conf with the default query for ePO 5 from the
      Splunk TA for McAfee template.

      ePO is running on Windows 2008R2.

      Splunk is connecting to the database correctly (using the sa account), but when the
      query runs there is an error in the dbx2.log:

      [ERROR] [ws.py] [DBInput Service] Exception encountered from
      server on message for entity-name = mi_input://ta_mcafee_epo_5_input and type =
      input with error = ERROR: com.microsoft.sqlserver.jdbc.SQLServerException: A
      processing error "Invalid object name 'EPOProdPropsView_VIRUSCAN'."
      occurred...

      Indeed, if I look at the ePO database (using MSSQL Server Management Studio as an admin user), I see
      EPOProdPropsView_EPOAGENT,
      EPOProdPropsView_LSH,
      EPOProdPropsView_PCR,
      EPOProdPropsView_TELEMETRY,

      but no
      EPOProdPropsView_VIRUSCAN.

      In my test environment I have a single Linux client (RHEL 5.7) with VSEForLinux 1.9.0 and agent 4.8.0 (all pushed via ePO). I have successfully configured an on-demand scan via ePO and placed the EICAR test virus on the Linux client. The virus was quarantined and reported as such in the ePO GUI, so ePO and the Linux-related packages and extensions appear to be working correctly.

      Am I missing some step in the installation that would otherwise have created the view in question?

      Thanks so much for any help.

      msantich.