CSMS: The Local Event Parser service is not running


Symptom(s)

Receiving the error: "The Local Event Parser service is not running"

Problem 1

When you access the dashboards in the ePO console, the following message displays:
 
An unexpected error occurred
You observe the following:

  • The Event Parser service is not running and can't be started.
  •  No passwords have changed for database authentication.

When you go to https://localhost:8443/core/config to confirm database credentials, you observe the following:

  • The test connection succeeds, but the Event Parser service still fails to start and shows the same error.

 

Problem 2

The Eventparser_servername.log records the following error when the Event Parser service fails to start:

E #11836 EPODAL ePOData_Connection.cpp(373): COM Error 0x80004005, source=Microsoft SQL Server Native Client 11.0, desc=TCP Provider: No connection could be made because the target machine actively refused it.
E ;#11836 EPODAL msg=Unspecified error
E ;#11836 EPODAL ePOData_Connection.cpp(398): Error 0x80004005 returned from credentials callback. Database NOT available
E #11836 EVNTPRSR D:\BUILD_852722\BUILD\ePO\dev\src\server\include\ePOData.inl(461): Database initialization: Failed (hr=0x80004005).
E #11836 EVNTPRSR source\servinit.cpp(163): Failed to initialize database layer. Cannot continue.
I #11836 EVNTPRSR EventParser Stopped.

The Orion log records an error similar to the following:

WARN [main] jni.LoadJniInitTask - Unable to load native library:C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions\installed\EPOCore\5.9.1.251\webapp/WEB-INF/lib/epojni java.lang.UnsatisfiedLinkError Orion_OnLoad returned an error.

Issue

The SQL Server is using Dynamic TCP/IP ports instead of Static. After a system restart, dynamic ports can change.

 

Environment

Astro
Trellix
CSMS
McAfee

 

Resolution

Solution 1

Step 1 - Identify if the port is dynamic.

  1. Open SQL Configuration Manager.
  2. Identify if the port is dynamic:
    1. Navigate to SQL Server Network Configuration, protocols.
    2. Locate your SQL instance name, and then double-click TCP/IP.
    3. Click the IP addresses tab, and then scroll to the bottom. The IPALL section shows you the actual port being used, and whether it's dynamic or not. ​

Step 2 - Change the dynamic port for the SQL instance name if it's set to dynamic.

  1. Go to http://localhost:8443/core/config.
  2. Remove the port from this page, and enter the correct SQL instance name.
  3. Click Test. If the test passes, apply the changes.
  4. Restart the ePO services:
    1. Press Windows+R.
    2. Type services.msc into the field and press Enter.
    3. Right-click each of the following ePO services and select Restart:

      McAfee ePolicy Orchestrator #.#.# Application Server
      McAfee ePolicy Orchestrator #.#.# Event Parser
      McAfee ePolicy Orchestrator #.#.# Server

    4. Close the services window.

Solution 2

Configure SQL to use a Static port instead of Dynamic.