This content has been marked as final. Show 12 replies
Is the event parser service running correctly to parse the uploaded events? try restarting it.
see here on some info on how the events are processed and why the pkg files are uploaded to this location. https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&exte rnalId=5960861&sliceId=SAL_Public&dialogID=41856088&stateId=1 0 41854046 0 41854046
depending on what these events refer to you may want to set up some additional event filtering on the server, this policy trickles down to the agents and reduces the events being passed to the server.
Thanks for the reply. It turns out that VirusScan 8.5i on-access scanning was preventing the event parser from deleting the .pkg file. once I created an exception the files started to decrease immediately. The weird thing is this just became an issue. Nothing has changed on the VS side for a year aside from updates and .dat files.
I've got the same issue. Going to try your fix. Will let you know if that fixes it for me as well.
Did it work? I also prevented the virus software from scanning the Events directory.
I don't believe it was the cause in my case. Though, I am not sure that I did exactly what you did in your exclusions. I excluded EventParser.exe in the Access Protection policy to the three that affect McAfee files and settings under Common Standard Protection. I also excluded the 3.6.1 folder and all subdirectories from on-access scanning.
At this time, here is my best theory as to what is going on:
I have noticed decreased performance from my ePO server that correalates to when I started the deployment of 8.5i. I have approximately 55K+ client machines. Couple that with the fact that I had the CMA policy to upload events immediately with a "Major" severity. I have just cut that down to "Critical" events. I believe I am just overloading the EventParser and sqlserver services and it took it this long to fill up my drive with the PKG files (I had over 2 million files in the Events directory. I called platinum support and he had me rename the old Events directory and create a new one (restarted the ePO services) so that we could verify that events were coming in, getting processed, and then being deleted (which they were).
I am still trying to sift through my documentation to see what has changed between 8.0i and 8.5i in the event severity ratings. I never had issues like this when the clients were running 8.0i.
I still need to talk with Platinum support and if any type of new epiphany happens that changes my opinion of what is happening, I will post another message about it.
i need help:
i have the same problem, this folder C:\Program Files\McAfee\ePO\3.6.1\DB\Events is getting fill up with PKG file and the eventpaser.ese process are get higher which it slow my server. also, mcshield is scan this folder and also slowing the server down...
can you explain in step what should i do to exclude folder in Antivirus and Access protection..
also if you can tell me how to limit the event to critical only..
I'm sorry. We have upgraded to ePO 4.0 and AV 8.7. I don't think it's an issue anymore. Anyway, I believe you just have to create a policy for your ePO server for ON-Access Scanning. I'm not sure if it's in general or default but you need to exclude eventparser.exe from being scanned by script scans and on access scanning. I hope this helps.
i have already uninstall McAfee antivirus enterprise 8.5i from the server then restart it but still the eventpaser.exe process is really high..
any help, i can upload some log if you need..
i use patch 6.1 with the antivirus should i upgrade to patch 8?
Post your logs and I'll try and take a look. Since you have removed AV is C:\Program Files\McAfee\ePO\3.6.1\DB\Events decreasing in size?