Duplicate events in the database

Versions / Builds Affected

EndPointSecurity 2012 build 20120104

Status

Open

Problem Summary

The same event is inserted in the database multiple times. Closing and opening the console again causes more of the same events to be inserted in the database.

TT / JIRAID

34

How to Identify

The issue is caused when the service is not able to insert the events into the database, but the user running the console is able to connect to the SQL Server. In logesecservice.csv you will find errors similar to: 2012-04-23, 15:20:45, 395, 2, 40c, 308, information, opdboperations, DbOperationsPlugin, AgentLogsThread, Count agentlogs = 1 2012-04-23, 15:20:45, 395, 2, 40c, 308, information, opdboperations, DatabaseManager, InsertAgentLogs, Dmanager insert logs 2012-04-23, 15:20:45, 395, 2, 40c, 308, information, opdboperations, DatabaseManager, InsertAgentLogs, Updating sql connection data from xml... 2012-04-23, 15:20:45, 401, 0, 40c, 308, error, opdboperations, DatabaseManager, InsertAgentLogs, Unable to open sql server connection: Login failed for user domain\gfieps'. When the service fails to insert events in the database, the events are kept in a cache and are inserted in the database when the UI is opened. A bug in the caching mechanism causes the same events to be inserted in the database every time the UI is opened.

Workaround / Fix Details

- If using Windows Authentication, configure the GFI EndPointSecurity service with a user that is able to update the database - If using SQL Server authentication, configure a user that is able to update the EndPointSecurity database in Configuration -> Options -> Database Backend

Required Actions

1. Provide workaround to the customer and close case if it works 2. Attach this article to the case