Event Parser Management and Behavior

Event Parser SQL Connection

The connection between the Event Parser and the Database is established using the MS OLE DB SQL Database Driver.

  • The connection is secured using Windows Authentication.
  • The Event Parser runs as a Windows service using user credentials that have access to insert data into the Endpoint Privilege Management Reporting database.
  • The connection is established when the first event is processed, and remains open thereafter. If the connection breaks while executing commands, the parser tries to recreate the connection. Data will not be lost due to an occasional loss of connection.
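The following is an added example (not BeyondTrust's own code) that checks, from the collector host, whether the account the Event Parser runs as can reach the Reporting database through the MS OLE DB driver with Windows Authentication, and whether that login holds the INSERT permission the parser needs. Run it in a session started as the service account (for example via `runas /user:DOMAIN\svc-eventparser powershell.exe`); run as yourself it only proves your own access. `$SqlServer` and `$Database` are placeholders for your own values; the service account name above is likewise an assumption.

```powershell
# Added example, not BeyondTrust code. Assumes Windows PowerShell 5.1 (System.Data.OleDb)
# and that the MS OLE DB Driver for SQL Server (provider name MSOLEDBSQL) is installed.
param(
    [Parameter(Mandatory)][string]$SqlServer,   # e.g. 'sql01\EPM'  (placeholder)
    [Parameter(Mandatory)][string]$Database     # the Reporting database name (placeholder)
)

# Integrated Security=SSPI selects Windows Authentication: no password is stored anywhere,
# which is why an expired service account password surfaces here as a connection failure.
$connString = "Provider=MSOLEDBSQL;Data Source=$SqlServer;Initial Catalog=$Database;Integrated Security=SSPI;Connect Timeout=15"

$conn = New-Object System.Data.OleDb.OleDbConnection $connString
try {
    $conn.Open()
    # Which login SQL Server sees, and whether it holds INSERT on this database.
    # A 0 here means every insert will fail and the parser will retry the same batch forever.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT SUSER_SNAME() AS login_name, HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'INSERT') AS can_insert"
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        [pscustomobject]@{
            Login     = $reader['login_name']
            CanInsert = [bool]$reader['can_insert']
        }
    }
    $reader.Close()
}
catch {
    # Typical causes: expired or locked-out service account password, missing SQL login,
    # firewall or name resolution. The parser logs the same failure to the Application log.
    Write-Error "Connection test failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

If `CanInsert` is `False` the fix is on the SQL side (grant the login INSERT on the Reporting database); if `Open()` throws, check the account's password status and the SQL Server error log before touching the parser.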

Data Transmission

The Event Parser service processes audit events in the shortest time possible, using a batching approach.

The number of events processed in each batch is not configurable in the current release.

The Event Parser subscribes to the event log and is notified of new events.

When the Event Parser is notified new data is available, all events available are processed in batches of 100.

Audit data is inserted into the Endpoint Privilege Management Reporting database using bulk SQL insert to optimize performance.

The Endpoint Privilege Management Reporting SQL database is designed to eliminate duplicate audit data, so there is no need to roll back partial failures; transactional inserts are not used.

If the data insert fails, the Event Parser continues to retry; it does not skip over events.

For example, if the Event Parser Service’s account password expires, the Event Parser fails to establish or reconnect to the database and gets stuck, retrying the same insert until the condition is rectified. This is by design, to ensure no data is lost.

If the failure persists for an extended period, the Windows Event Log may begin to roll over, causing the oldest audit events to be removed. Be sure to maximize the event log size, and monitor its growth rate to ensure audit data is retained as long as necessary.

Monitor and Recovery

To diagnose failures in the Event Parser service, look in the Windows Application event log on the Windows Event Collector host.

The Event Parser service raises events if errors occur, such as failure to connect to the database. These events typically contain information required to diagnose the problem. If this is insufficient, debug logging can be enabled. The debugging logs are designed for advanced diagnostics by BeyondTrust staff.

Please open a support case.
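The following added example (not BeyondTrust's own code) is a health check for the Event Parser host that covers the two things the sections above say to watch: errors the service writes to the Application log, and whether the source event log is sized so that a prolonged parser outage does not roll the oldest audit events off the end. The service name `PGEventParser`, the Application-log provider name `Privilege Guard Event Parser` and the `ForwardedEvents` log name are assumptions, not taken from this page; confirm yours with `Get-Service` and `(Get-WinEvent -ListLog *).LogName`.

```powershell
# Added example, not BeyondTrust code. Placeholder names below: adjust to your environment.
param(
    [string]$ServiceName           = 'PGEventParser',                 # assumption
    [string]$ProviderName          = 'Privilege Guard Event Parser',  # assumption
    [string]$SourceLog             = 'ForwardedEvents',               # assumption
    [int]   $RequiredRetentionHours = 72   # how long a parser outage you want the log to survive
)

# 1. Service state. A parser stuck retrying a failed insert still reports Running,
#    so this check is necessary but not sufficient on its own.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning "Service '$ServiceName' not found; adjust -ServiceName" }
else { "Service $($svc.Name): $($svc.Status)" }

# 2. Critical/Error/Warning events (Level 1..3) the parser raised in the last 24 hours,
#    e.g. failure to connect to the database.
$since = (Get-Date).AddHours(-24)
$errs  = @(Get-WinEvent -FilterHashtable @{
              LogName = 'Application'; ProviderName = $ProviderName; Level = 1,2,3; StartTime = $since
           } -ErrorAction SilentlyContinue)
"Parser errors/warnings since $since : $($errs.Count)"
$errs | Select-Object -First 5 TimeCreated, Id, LevelDisplayName, Message | Format-List

# 3. Source log capacity. The oldest and newest record timestamps give the span of history
#    the log holds right now; scaled by how full the file is, that approximates the retention
#    the configured maximum size will give once the log starts to wrap.
$log    = Get-WinEvent -ListLog $SourceLog -ErrorAction SilentlyContinue
$oldest = Get-WinEvent -LogName $SourceLog -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
$newest = Get-WinEvent -LogName $SourceLog -MaxEvents 1 -ErrorAction SilentlyContinue
if ($log -and $oldest -and $newest -and $log.FileSize -gt 0) {
    $spanHours      = ($newest.TimeCreated - $oldest.TimeCreated).TotalHours
    $fillRatio      = [math]::Min(1.0, $log.FileSize / $log.MaximumSizeInBytes)
    $projectedHours = $spanHours / $fillRatio
    "{0}: {1} records, {2:N0} MB of {3:N0} MB max, mode {4}, IsLogFull={5}" -f $SourceLog, $log.RecordCount, ($log.FileSize / 1MB), ($log.MaximumSizeInBytes / 1MB), $log.LogMode, $log.IsLogFull
    "Holds {0:N1} h of events now; projected {1:N1} h at the configured maximum size" -f $spanHours, $projectedHours
    if ($projectedHours -gt 0 -and $projectedHours -lt $RequiredRetentionHours) {
        $neededMB = $log.MaximumSizeInBytes / 1MB * $RequiredRetentionHours / $projectedHours
        Write-Warning ("Raise the maximum size of '{0}' to roughly {1:N0} MB to keep {2} h of events" -f $SourceLog, $neededMB, $RequiredRetentionHours)
    }
}
else { Write-Warning "Could not read '$SourceLog'; adjust -SourceLog" }
```

The maximum size can be raised with `wevtutil sl <LogName> /ms:<bytes>` or by setting `MaximumSizeInBytes` on the object returned by `Get-WinEvent -ListLog` and calling `SaveChanges()`. The projection assumes the ingestion rate during an outage is similar to the rate observed in the current contents of the log; treat it as a sizing guide, not a guarantee.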

Reprocess Data

If data needs to be reprocessed (for example, the database is deleted and recreated), the Event Parser can reparse the entire event log. This is always safe to do, as the database is fully resilient to duplicate data being added; duplicate data is discarded.

Be aware that reprocessing all the events creates a lot of database activity in a short period of time. It is best to plan this during periods of low activity in your environment.

To do this:

  1. Stop the Endpoint Privilege Management Event Parser service.
  2. Delete the registry key:
    HKEY_USERS\<Event Parser User SID>\Software\Avecto\Privilege Guard Event Parser\
  3. Start the Endpoint Privilege Management Event Parser service.
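The three steps above as one script, added here as an example and not BeyondTrust's own tooling. The registry path is the one given above; the service name `PGEventParser` is a placeholder, and the service account's SID is resolved from the service definition rather than typed by hand, so the wrong user's key cannot be deleted by mistake.

```powershell
# Added example, not BeyondTrust code. 'PGEventParser' is a placeholder service name.
param([string]$ServiceName = 'PGEventParser')

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; adjust -ServiceName" }

# The parser runs as a user account (it uses Windows Authentication to SQL), so StartName
# is DOMAIN\user or .\user; translate it to the SID that names its hive under HKEY_USERS.
$account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$key = "Registry::HKEY_USERS\$sid\Software\Avecto\Privilege Guard Event Parser"
"Service account $account ($sid); parser key: $key"

# 1. Stop the service so it is not mid-batch while its position in the log is removed.
Stop-Service -Name $ServiceName

# The account's hive is only visible under HKEY_USERS while its profile is loaded; if it
# was unloaded along with the service, the key must be deleted with the hive loaded
# (for example from a session logged on as that account).
if (-not (Test-Path $key)) {
    Start-Service -Name $ServiceName
    throw "Key not found after stopping the service: $key (hive not loaded?). Service restarted, nothing changed."
}

# Keep a copy of the key before deleting it (the export path is a placeholder).
$backup = "$env:TEMP\EventParser-$sid.reg"
reg.exe export "HKU\$sid\Software\Avecto\Privilege Guard Event Parser" $backup /y | Out-Null

# 2. Delete the key. With no record of where it got to, the parser starts again from the
#    beginning of the event log; the Reporting database discards the duplicates.
Remove-Item -Path $key -Recurse -Force

# 3. Start the service. Expect heavy database activity until the backlog is re-inserted,
#    so run this in a quiet period and watch the Application log for parser errors.
Start-Service -Name $ServiceName
"Reprocessing started; previous key exported to $backup"
```

Run it from an elevated prompt; deleting under `HKEY_USERS\<SID>` requires administrative rights, and `Stop-Service`/`Start-Service` require control of the service.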