2017-05-22 02:39 AM
Hi,
Suddenly ePolicy Orchestrator stopped sending logs. After investigation, the connection is available but there is (SELECT permission denied). No changes have been made from the NetWitness side or the database side.
The error logs are as follows:
[1]
[epolicyvirus4_5.epolicy] [processing] [epolicy] [processing] Data query failed; dataQuery: /* BEGIN SQL QUERY FOR ANTI VIRUS EVENTS */ SELECT [EPOEvents].[AutoID], [EPOEvents].[ServerID], [EPOEvents].[ReceivedUTC], [EPOEvents].[DetectedUTC], [EPOEvents].[Analyzer], [EPOEvents].[AnalyzerName], [EPOEvents].[AnalyzerVersion], [EPOEvents].[AnalyzerHostName], [AnalyzerIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),4,1))) ), [EPOEvents].[AnalyzerDATVersion], [EPOEvents].[AnalyzerEngineVersion], [EPOEvents].[AnalyzerDetectionMethod], [EPOEvents].[SourceHostName], [SourceIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ), [EPOEvents].[TargetHostName], [TargetIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 
2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),4,1))) ), [EPOEvents].[TargetUserName], [EPOEvents].[TargetPort], [EPOEvents].[TargetProtocol], [EPOEvents].[TargetProcessName], [EPOEvents].[TargetFileName], [EPOEvents].[ThreatCategory], [EPOEvents].[ThreatEventID], [EPOEvents].[ThreatSeverity], [EPOEvents].[ThreatName], [EPOEvents].[ThreatType], [EPOEvents].[ThreatActionTaken], [EPOEvents].[ThreatHandled] FROM EPOEvents WHERE Analyzer LIKE '%VIRUS%' /* END SQL QUERY FOR ANTI VIRUS EVENTS */ /* BEGIN TRACKING CLAUSE FOR ANTI VIRUS EVENTS */ AND ReceivedUTC > '2017-05-04 05:28:54.153' ORDER BY ReceivedUTC ASC /* END TRACKING CLAUSE FOR ANTI VIRUS EVENTS */, exception Unable to execute statement: Statement: "/* BEGIN SQL QUERY FOR ANTI VIRUS EVENTS */ SELECT [EPOEvents].[AutoID], [EPOEvents].[ServerID], [EPOEvents].[ReceivedUTC], [EPOEvents].[DetectedUTC], [EPOEvents].[Analyzer], [EPOEvents].[AnalyzerName], [EPOEvents].[AnalyzerVersion], [EPOEvents].[AnalyzerHostName], [AnalyzerIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),4,1))) ), [EPOEvents].[AnalyzerDATVersion], [EPOEvents].[AnalyzerEngineVersion], [EPOEvents].[AnalyzerDetectionMethod], [EPOEvents].[SourceHostName], [SourceIPV4] = ( 
convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ), [EPOEvents].[TargetHostName], [TargetIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),4,1))) ), [EPOEvents].[TargetUserName], [EPOEvents].[TargetPort], [EPOEvents].[TargetProtocol], [EPOEvents].[TargetProcessName], [EPOEvents].[TargetFileName], [EPOEvents].[ThreatCategory], [EPOEvents].[ThreatEventID], [EPOEvents].[ThreatSeverity], [EPOEvents].[ThreatName], [EPOEvents].[ThreatType], [EPOEvents].[ThreatActionTaken], [EPOEvents].[ThreatHandled] FROM EPOEvents WHERE Analyzer LIKE '%VIRUS%' /* END SQL QUERY FOR ANTI VIRUS EVENTS */ /* BEGIN TRACKING CLAUSE FOR ANTI VIRUS EVENTS */ AND ReceivedUTC > '2017-05-04 05:28:54.153' ORDER BY ReceivedUTC ASC /* END TRACKING CLAUSE FOR ANTI VIRUS EVENTS */"; Reason: state: 51; error-code: 139732466008293; description: [RSA][ODBC 20101 driver][Microsoft SQL Server]The SELECT permission was denied on the object 'EPOEvents', database 'ePO4_RY1EPO01', schema 'dbo'.
[2]
[epolicyvirus4_5.epolicy] [processing] [epolicy] [processing] Error finding any new events. Reason: Unable to execute statement: Statement: "/* BEGIN SQL QUERY FOR ANTI VIRUS EVENTS */ SELECT [EPOEvents].[AutoID], [EPOEvents].[ServerID], [EPOEvents].[ReceivedUTC], [EPOEvents].[DetectedUTC], [EPOEvents].[Analyzer], [EPOEvents].[AnalyzerName], [EPOEvents].[AnalyzerVersion], [EPOEvents].[AnalyzerHostName], [AnalyzerIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[AnalyzerIPV4] + 2147483648))),4,1))) ), [EPOEvents].[AnalyzerDATVersion], [EPOEvents].[AnalyzerEngineVersion], [EPOEvents].[AnalyzerDetectionMethod], [EPOEvents].[SourceHostName], [SourceIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ), [EPOEvents].[TargetHostName], [TargetIPV4] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 
2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[TargetIPV4] + 2147483648))),4,1))) ), [EPOEvents].[TargetUserName], [EPOEvents].[TargetPort], [EPOEvents].[TargetProtocol], [EPOEvents].[TargetProcessName], [EPOEvents].[TargetFileName], [EPOEvents].[ThreatCategory], [EPOEvents].[ThreatEventID], [EPOEvents].[ThreatSeverity], [EPOEvents].[ThreatName], [EPOEvents].[ThreatType], [EPOEvents].[ThreatActionTaken], [EPOEvents].[ThreatHandled] FROM EPOEvents WHERE Analyzer LIKE '%VIRUS%' /* END SQL QUERY FOR ANTI VIRUS EVENTS */ /* BEGIN TRACKING CLAUSE FOR ANTI VIRUS EVENTS */ AND ReceivedUTC > '2017-05-04 05:28:54.153' ORDER BY ReceivedUTC ASC /* END TRACKING CLAUSE FOR ANTI VIRUS EVENTS */"; Reason: state: 51; error-code: 139732466008293; description: [RSA][ODBC 20101 driver][Microsoft SQL Server]The SELECT permission was denied on the object 'EPOEvents', database 'ePO4_RY1EPO01', schema 'dbo'.
[3]
[epolicy4_5.epolicy] [processing] [epolicy] [processing] Error finding any new events. Reason: Unable to execute statement: Statement: "/* BEGIN SQL QUERY FOR AUDIT EVENTS */ SELECT [OrionAuditLog].[AutoId], [OrionAuditLog].[UserId], [OrionAuditLog].[UserName], [OrionAuditLog].[Priority], [OrionAuditLog].[CmdName], [OrionAuditLog].[Message], [OrionAuditLog].[Success], [OrionAuditLog].[StartTime], [OrionAuditLog].[EndTime] FROM [OrionAuditLog] /* END SQL QUERY FOR AUDIT EVENTS */ /* BEGIN TRACKING CLAUSE FOR AUDIT EVENTS */ WHERE StartTime> '2017-05-04 05:34:07.837' ORDER BY StartTime ASC /* END TRACKING CLAUSE FOR AUDIT EVENTS */"; Reason: state: 51; error-code: 139732466008293; description: [RSA][ODBC 20101 driver][Microsoft SQL Server]The SELECT permission was denied on the object 'OrionAuditLog', database 'ePO4_RY1EPO01', schema 'dbo'.
[4]
[epolicy4_5.epolicy] [processing] [epolicy] [processing] Data query failed; dataQuery: /* BEGIN SQL QUERY FOR AUDIT EVENTS */ SELECT [OrionAuditLog].[AutoId], [OrionAuditLog].[UserId], [OrionAuditLog].[UserName], [OrionAuditLog].[Priority], [OrionAuditLog].[CmdName], [OrionAuditLog].[Message], [OrionAuditLog].[Success], [OrionAuditLog].[StartTime], [OrionAuditLog].[EndTime] FROM [OrionAuditLog] /* END SQL QUERY FOR AUDIT EVENTS */ /* BEGIN TRACKING CLAUSE FOR AUDIT EVENTS */ WHERE StartTime> '2017-05-04 05:34:07.837' ORDER BY StartTime ASC /* END TRACKING CLAUSE FOR AUDIT EVENTS */, exception Unable to execute statement: Statement: "/* BEGIN SQL QUERY FOR AUDIT EVENTS */ SELECT [OrionAuditLog].[AutoId], [OrionAuditLog].[UserId], [OrionAuditLog].[UserName], [OrionAuditLog].[Priority], [OrionAuditLog].[CmdName], [OrionAuditLog].[Message], [OrionAuditLog].[Success], [OrionAuditLog].[StartTime], [OrionAuditLog].[EndTime] FROM [OrionAuditLog] /* END SQL QUERY FOR AUDIT EVENTS */ /* BEGIN TRACKING CLAUSE FOR AUDIT EVENTS */ WHERE StartTime> '2017-05-04 05:34:07.837' ORDER BY StartTime ASC /* END TRACKING CLAUSE FOR AUDIT EVENTS */"; Reason: state: 51; error-code: 139732466008293; description: [RSA][ODBC 20101 driver][Microsoft SQL Server]The SELECT permission was denied on the object 'OrionAuditLog', database 'ePO4_RY1EPO01', schema 'dbo'
2017-05-22 06:17 AM
Hi Anas,
This error seems to be due to database user permission. Can you please check below.
SELECT permission was denied on Database object | The ASP.NET Forums
2017-05-22 08:30 AM
Thanks Sarvan, it is working now, by granting read permission.
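
Added example, not part of the original thread: one way to check and restore read access on the two objects named in the errors, scoped to those objects only. The user name `nw_collector` is a placeholder assumption for whatever database user the collector's ODBC connection logs in as; the database and object names are taken from the error messages above.

```sql
-- Assumption: [nw_collector] is a placeholder for the collector's database user.
USE [ePO4_RY1EPO01];
GO

-- 1. List explicit object-level permission entries on the two objects.
--    A DENY row takes precedence over a GRANT; DENY can also be set at
--    schema or database level, which this object-level query does not show.
SELECT pr.name                         AS principal_name,
       pe.state_desc,                  -- GRANT or DENY
       pe.permission_name,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id)        AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                     -- object or column
  AND pe.major_id IN (OBJECT_ID(N'dbo.EPOEvents'),
                      OBJECT_ID(N'dbo.OrionAuditLog'));

-- 2. List the account's role memberships; read access is often inherited
--    from a role, so a removed membership produces the same error.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'nw_collector';

-- 3. Grant read access on just the two objects the collector queries.
GRANT SELECT ON OBJECT::dbo.EPOEvents     TO [nw_collector];
GRANT SELECT ON OBJECT::dbo.OrionAuditLog TO [nw_collector];
GO

-- 4. Confirm the effective permission while impersonating the account
--    (1 = allowed, 0 = still denied somewhere).
EXECUTE AS USER = N'nw_collector';
SELECT HAS_PERMS_BY_NAME(N'dbo.EPOEvents',     N'OBJECT', N'SELECT') AS can_read_EPOEvents,
       HAS_PERMS_BY_NAME(N'dbo.OrionAuditLog', N'OBJECT', N'SELECT') AS can_read_OrionAuditLog;
REVERT;
```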