When you perform a CU update, an SIEM device is allowed to pull events from the ePO database until the CU update is complete.
If the SIEM device starts pulling events from the ePO database and the CU update gets triggered at the same time, this can cause a conflict with the existing active session of SIEM, causing the CU update to fail.
You might see failure of the CU update, due to the load of event pulling from the ePO database to SIEM. So, it's recommended to stop this connection before performing the CU update.
There are many SIEM vendors, and each uses a different configuration for event collection. To overcome this situation, you can run the SQL script on ePO to check the active sessions, IP, and active user configured for SIEM from the ePO database.
Perform the steps below to run the new query:
- Log on to the SQL Server Management Studio.
- Expand Databases.
- Right-click the ePO core database and click New Query.
- Paste the script below into the query window and click Execute.
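-- Count connections per client host, IP address, and login.
-- spid > 50 skips the session IDs traditionally reserved for system processes.
SELECT hostname, con.client_net_address, spr.loginame, COUNT(1) AS ConnectionCount
FROM sys.sysprocesses AS spr
INNER JOIN sys.dm_exec_connections AS con ON con.session_id = spr.spid
WHERE spr.spid > 50
GROUP BY hostname, con.client_net_address, spr.loginame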
Example Output

| Host Name | Client_net_address | Login Name | Connection Count |
|---|---|---|---|
| RGCSQL | <local Machine> | ePOSA | 5 |
| RGCSQL | <local Machine> | NT AUTHORITY\SYSTEM | 15 |
| RGCAH1 | 10.10.10.99 | ePOSA | 10 |
| RGCAH2 | 10.10.10.101 | ePOSA | 5 |
| RGCEPO | 10.10.10.98 | admin | 1 |
| RGCEPO PRIMARY | 10.10.20.123 | qradaruser | 10 |
NOTE: From the above output, you need to compare the entries for ePO, the database server, and QRadar to verify the existing active sessions on the ePO database from the SIEM tool.
Follow the instructions below to temporarily disable the account from the SQL Server until the CU update completes:
- Log on to the SQL Server Management Studio.
- Expand Security, Logins.
- Double-click or right-click User properties.
- In the left pane, go to the Status page.
- Under Login, select Disabled and click OK.
NOTE: By disabling the account, the active transactions are stopped. Once the CU is updated, you can perform the above steps and click Enable to activate the account.
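The session check and the disable/enable steps above, expressed in T-SQL as an added example that is not part of the original article. It assumes SQL Server 2012 or later (for `database_id` in `sys.dm_exec_sessions`), a query window opened on the ePO core database, and uses the login `qradaruser` from the example output as a stand-in for your own SIEM account.

```sql
-- Step 1: list user sessions connected to the current (ePO) database,
-- grouped by client host, IP, login, and client program name.
-- program_name and LastRequestEnd help tell a SIEM collector apart
-- from ePO, Agent Handlers, and the database server itself.
SELECT s.host_name,
       c.client_net_address,
       s.login_name,
       s.program_name,
       COUNT(*)                      AS ConnectionCount,
       MAX(s.last_request_end_time)  AS LastRequestEnd
FROM sys.dm_exec_sessions AS s
INNER JOIN sys.dm_exec_connections AS c
        ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND s.database_id = DB_ID()
GROUP BY s.host_name, c.client_net_address, s.login_name, s.program_name
ORDER BY ConnectionCount DESC;

-- Step 2: disable the SIEM login before the CU update.
-- Equivalent to Security > Logins > Properties > Status > Login: Disabled.
-- 'qradaruser' is the sample login from the example output; replace it.
ALTER LOGIN [qradaruser] DISABLE;

-- Step 2a: confirm the login is disabled and that no sessions remain.
-- Sessions that were already connected stay open until they disconnect,
-- so wait for OpenSessions to reach 0 before starting the CU update.
SELECT p.name,
       p.is_disabled,
       (SELECT COUNT(*)
          FROM sys.dm_exec_sessions AS s
         WHERE s.login_name = p.name) AS OpenSessions
FROM sys.server_principals AS p
WHERE p.name = N'qradaruser';

-- Step 3: run only after the CU update has completed.
ALTER LOGIN [qradaruser] ENABLE;
```

Run each step on its own (select it and click Execute) rather than executing the whole script at once, since Step 3 reverses Step 2.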