DLP events aren't parsing or the SQL service is crashing with a stack dump in the SQL error logs
Last Modified: 2023-05-31 11:07:19 Etc/GMT
Technical Articles ID:
KB92600
Environment
Data Loss Prevention Endpoint (DLP Endpoint) 11.x
ePolicy Orchestrator (ePO) 5.x

Problem 1
You see an error similar to the following in the SQL error log:

spid174 Unable to find index entry in index ID 1, of table 174115861, in database '<database name>'. The indicated index is corrupt or there is a problem with the current update plan. Run DBCC CHECKDB or DBCC CHECKTABLE. If the problem persists, contact product support.
spid146 **Dump thread - spid = 0, EC = 0x0000022076B0B810
spid146 ***Stack Dump being sent to D:\MSSQL\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\LOG\SQLDump1056.txt
spid146 * *******************************************************************************
spid146 *
spid146 * BEGIN STACK DUMP:
spid146 * 06/16/21 14:54:55 spid 146
spid146 *
spid146 * CPerIndexMetaQS::ErrorAbort - Index corruption
spid146 *
spid146 * Input Buffer 170 bytes -
spid146 * 16 00 00 00 12 00 00 00 02 00 00 00 00 00 00 00 00 00
spid146 * U D L P _ C 01 00 00 00 1f 00 55 00 44 00 4c 00 50 00 5f 00 43 00
spid146 * l e a n C o m p u 6c 00 65 00 61 00 6e 00 43 00 6f 00 6d 00 70 00 75 00
spid146 * t e r P r o p e r 74 00 65 00 72 00 50 00 72 00 6f 00 70 00 65 00 72 00
spid146 * t i e s _ S P @ 74 00 69 00 65 00 73 00 5f 00 53 00 50 00 00 00 10 40
spid146 * m c A f e e A g e 00 6d 00 63 00 41 00 66 00 65 00 65 00 41 00 67 00 65
spid146 * n t G u i d $ ¢ 00 6e 00 74 00 47 00 75 00 69 00 64 00 00 24 10 10 a2
spid146 * ܵD|ë < @ 95 dc b5 44 7c eb 11 3c 12 00 00 00 00 00 00 0c 40 00
spid146 * c o m p u t e r _ 63 00 6f 00 6d 00 70 00 75 00 74 00 65 00 72 00 5f 00
spid146 * id & 69 00 64 00 01 26 04 00

Problem 2
The "Event Parser" in ePO is unable to parse the DLP events and moves them to the "Debug" folder as seen below:
Cause
This issue is caused by a DLP stored procedure named
This statement causes a delete action on the data that's read with a '
Solution
To resolve the issue, perform the following steps:
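Triage aid for the Problem 1 stack dump (an added example, not part of the Trellix article or its resolution steps): the Input Buffer in the dump is the raw client request, and this sketch decodes it as a TDS RPC request to show which procedure call was executing when the index corruption was hit. It assumes the buffer follows the MS-TDS RPC layout and handles only the two parameter type tokens that occur in this buffer; the function and constant names are hypothetical.

```python
import struct

# Input Buffer bytes copied from the stack dump above (170 bytes).
INPUT_BUFFER_HEX = """
16 00 00 00 12 00 00 00 02 00 00 00 00 00 00 00 00 00
01 00 00 00 1f 00 55 00 44 00 4c 00 50 00 5f 00 43 00
6c 00 65 00 61 00 6e 00 43 00 6f 00 6d 00 70 00 75 00
74 00 65 00 72 00 50 00 72 00 6f 00 70 00 65 00 72 00
74 00 69 00 65 00 73 00 5f 00 53 00 50 00 00 00 10 40
00 6d 00 63 00 41 00 66 00 65 00 65 00 41 00 67 00 65
00 6e 00 74 00 47 00 75 00 69 00 64 00 00 24 10 10 a2
95 dc b5 44 7c eb 11 3c 12 00 00 00 00 00 00 0c 40 00
63 00 6f 00 6d 00 70 00 75 00 74 00 65 00 72 00 5f 00
69 00 64 00 01 26 04 00
"""

# Assumption: only the byte-length TDS type tokens seen in this buffer.
BYTELEN_TYPES = {0x24: "GUIDTYPE", 0x26: "INTNTYPE"}


def parse_rpc_input_buffer(hex_text):
    """Return (proc_name, [(param_name, type_name, is_output, value_len)])."""
    buf = bytes.fromhex("".join(hex_text.split()))
    (headers_len,) = struct.unpack_from("<I", buf, 0)
    pos = headers_len                      # skip ALL_HEADERS
    (name_chars,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if name_chars == 0xFFFF:
        raise ValueError("request uses a numeric ProcID, not a name")
    proc = buf[pos:pos + 2 * name_chars].decode("utf-16-le")
    pos += 2 * name_chars + 2              # name, then 2 bytes of option flags
    params = []
    while pos < len(buf):
        n = buf[pos]                       # 1-byte name length, in characters
        name = buf[pos + 1:pos + 1 + 2 * n].decode("utf-16-le")
        pos += 1 + 2 * n
        status, type_token = buf[pos], buf[pos + 1]
        if type_token not in BYTELEN_TYPES:
            break                          # unknown type layout: stop, do not guess
        value_len = buf[pos + 3]           # [status][type][max len][len][data]
        pos += 4 + value_len
        params.append((name, BYTELEN_TYPES[type_token],
                       bool(status & 0x01), value_len))
    return proc, params


if __name__ == "__main__":
    print(parse_rpc_input_buffer(INPUT_BUFFER_HEX))
```
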