Tutti gli eventi ePO non vengono analizzati e alla fine vengono bloccati nella
Events cartella.
Errori di
EventParser.log registrazione:
E #08888 EPOEVENTS epoevents_dao.cpp(776): COM Error 0x80040E31, source=Microsoft OLE DB Provider for SQL Server, desc=Query timeout expired, msg=IDispatch error #3121
E #08888 EPOEVENTS epoevents.cpp(50): COM Error 0x80040E31, source=Microsoft OLE DB Provider for SQL Server, desc=Query timeout expired, msg=IDispatch error #3121
Quando si Visualizza il
Monitoraggio attività SQL in SQL Server Management Studio, è possibile che venga trovato un query simile a quello riportato di seguito. Il query mostra che sta bloccando molte altre query, incluse le query di inserimento degli eventi:
select count(*) as 'count' datepart( YEAR dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ) ) as 'EPOEvents.DetectedUTC.year' datediff(week dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) + 1 + case when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 < 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 >= 7 then 1 when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 >= 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 < 7 then -1 else 0 end as 'EPOEvents.DetectedUTC.week' datepart( YEAR dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ) ) as 'EPOEvents.DetectedUTC.year' datediff(week dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) + 1 + case when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 < 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 >= 7 then 1 when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 >= 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 < 7 then -1 else 0 end as 'EPOEvents.DetectedUTC.week' from [EPOEvents] where ( ( [EPOEvents].[Analyzer] is null or ( [EPOEvents].[Analyzer] <> N'DATALOSS2000' )) and ( ( [EPOEvents].[Analyzer] is null or ( [EPOEvents].[Analyzer] <> N'DATALOSS2000' )) and ( ( [EPOEvents].[Analyzer] is null or ( [EPOEvents].[Analyzer] <> N'DATALOSS2000' )) and ( ( [EPOEvents].[Analyzer] is null or ( [EPOEvents].[Analyzer] <> N'DATALOSS2000' )) and ( ( [EPOEvents].[Analyzer] is null or ( [EPOEvents].[Analyzer] <> N'DATALOSS2000' )) and ( ( [EPOEvents].[Analyzer] is null or ( [EPOEvents].[Analyzer] <> N'DATALOSS2000' )) and ( EPOEvents.AgentGUID IN ( SELECT lnd.AgentGUID FROM EPOLeafNode lnd inner join EPOBranchNode bnd on bnd.AutoID = lnd.ParentID inner join EPONodePermissions npr on npr.NodeID = bnd.AutoID WHERE lnd.AgentGUID IS NOT NULL and npr.GroupID in (5 6) ) and ( [EPOEvents].[ThreatCategory] LIKE 'av%' and ( [EPOEvents].[DetectedUTC] between '2015-07-23T20:10:16.288' and '2015-10-22T20:10:16.288' ) ) ) ) ) ) ) ) ) group by datepart( YEAR dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ) ) datediff(week dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) + 1 + case when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 < 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 >= 7 then 1 when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 >= 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 < 7 then -1 else 0 end order by datepart( YEAR dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ) ) asc datediff(week dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) + 1 + case when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 < 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 >= 7 then 1 when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 >= 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 < 7 then -1 else 0 end asc