所有 ePO 事件都无法解析,最终滞留在 Events 文件夹中。
EventParser.log 中记录了以下错误:
E#08888 EPOEVENTS epoevents_dao.cpp (776): COM 错误0x80040E31、 source=Microsoft OLE DB 提供程序 (用于托管SQL Server,desc=查询超时已到期,msg=IDispatch 错误#3121
E#08888 EPOEVENTS epoevents.cpp (50): COM 错误0x80040E31、 source=Microsoft OLE DB 提供程序 (用于托管SQL Server,desc=查询超时已到期,msg=IDispatch 错误#3121
在 SQL Server Management Studio 的活动监视器(Activity Monitor)中,您可能会看到一个类似下面的查询。该查询显示为正在阻塞许多其他查询,包括插入事件的查询:
-- Captured statement, reproduced as evidence of the blocking session; it is not a fix to run.
-- NOTE(review): the argument separators are missing in the text as shown
--   (e.g. "dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )", "in (5 6)"),
--   presumably lost when the page was extracted, so the statement will not parse as printed.
-- What it does, as far as the visible text shows:
--   * counts rows of [EPOEvents], grouped and ordered by the year and the week number of
--     [DetectedUTC] after shifting it by -18000000 milliseconds (5 hours);
--     the year and week expressions each appear twice in the select list.
--   * keeps rows whose [Analyzer] is null or differs from N'DATALOSS2000'
--     (the same predicate is nested six times).
--   * keeps rows whose AgentGUID is returned by the EPOLeafNode / EPOBranchNode /
--     EPONodePermissions subquery for GroupID 5 and 6.
--   * keeps rows with [ThreatCategory] LIKE 'av%' and [DetectedUTC] between
--     '2015-07-23T20:10:16.288' and '2015-10-22T20:10:16.288' (about three months).
-- The surrounding text reports this session blocking the event-insert queries; while it does,
-- new events are not written to [EPOEvents], so reports built on that table may lag
-- (inferred from the page; confirm against the blocking chain in Activity Monitor).
select count(*) as 'count' datepart( YEAR dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ) ) as 'EPOEvents.DetectedUTC.year' datediff(week dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) + 1 + case when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 < 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 >= 7 then 1 when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 >= 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 < 7 then -1 else 0 end as 'EPOEvents.DetectedUTC.week' datepart( YEAR dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ) ) as 'EPOEvents.DetectedUTC.year' datediff(week dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) + 1 + case when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 < 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 >= 7 then 1 when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 >= 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 < 7 then -1 else 0 end as 'EPOEvents.DetectedUTC.week' from [EPOEvents] where ( ( [EPOEvents].[Analyzer] is null or ( [EPOEvents].[Analyzer] <> N'DATALOSS2000' )) and ( ( [EPOEvents].[Analyzer] is null or ( [EPOEvents].[Analyzer] <> N'DATALOSS2000' )) and ( ( [EPOEvents].[Analyzer] is null or ( 
[EPOEvents].[Analyzer] <> N'DATALOSS2000' )) and ( ( [EPOEvents].[Analyzer] is null or ( [EPOEvents].[Analyzer] <> N'DATALOSS2000' )) and ( ( [EPOEvents].[Analyzer] is null or ( [EPOEvents].[Analyzer] <> N'DATALOSS2000' )) and ( ( [EPOEvents].[Analyzer] is null or ( [EPOEvents].[Analyzer] <> N'DATALOSS2000' )) and ( EPOEvents.AgentGUID IN ( SELECT lnd.AgentGUID FROM EPOLeafNode lnd inner join EPOBranchNode bnd on bnd.AutoID = lnd.ParentID inner join EPONodePermissions npr on npr.NodeID = bnd.AutoID WHERE lnd.AgentGUID IS NOT NULL and npr.GroupID in (5 6) ) and ( [EPOEvents].[ThreatCategory] LIKE 'av%' and ( [EPOEvents].[DetectedUTC] between '2015-07-23T20:10:16.288' and '2015-10-22T20:10:16.288' ) ) ) ) ) ) ) ) ) group by datepart( YEAR dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ) ) datediff(week dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) + 1 + case when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 < 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 >= 7 then 1 when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 >= 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 < 7 then -1 else 0 end order by datepart( YEAR dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ) ) asc datediff(week dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) + 1 + case when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 < 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( 
MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 >= 7 then 1 when datepart(weekday dateadd(year datediff(year 0 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] )) 0) + @@datefirst - 7) - 1 >= 7 and datepart(weekday dateadd(day @@datefirst - 7 dateadd( MILLISECOND -18000000 [EPOEvents].[DetectedUTC] ))) - 1 < 7 then -1 else 0 end asc