Improve querying of Extended Events target file

As part of our server estate monitoring, I am adding extended events to pick up warnings, blocking, etc., and I’d like to periodically (every couple of minutes) query the event file to collect the data. I have been using the below to query data using XQuery, but it seems to be quite slow. I am aware of using a fileoffset as an option to optimise, but beyond that, are there any ways in which I can better improve predicates, as seen below?

    SELECT
         event_data
        ,n.value('@timestamp', 'DATETIME2') DtTimeStamp
        ,n.value('(action[@name="collect_cpu_cycle_time"]/value)[1]', 'bigINT') CollectCpuCycleTime
        ,n.value('(action[@name="collect_system_time"]/value)[1]', 'DATETIME2') CollectSystemTime
        ,n.value('(action[@name="last_error"]/value)[1]', 'varchar(255)') LastError
        ,n.value('(action[@name="collect_system_time"]/value)[1]', 'datetime2') CollectSystemTime
        ,n.value('(action[@name="task_time"]/value)[1]', 'bigint') TaskTime
        ,n.value('(action[@name="client_app_name"]/value)[1]', 'varchar(255)') ClientAppName
        ,n.value('(action[@name="client_hostname"]/value)[1]', 'varchar(255)') ClientHostName
        ,n.value('(action[@name="database_name"]/value)[1]', 'varchar(255)') DatabaseName
        ,n.value('(action[@name="nt_username"]/value)[1]', 'varchar(255)') NtUserName
        ,n.value('(action[@name="server_instance_name"]/value)[1]', 'varchar(255)') InstanceName
        ,n.value('(action[@name="session_id"]/value)[1]', 'INT') SessionID
        ,n.value('(action[@name="client_pid"]/value)[1]', 'INT') ClientPID
        ,n.value('(action[@name="sql_text"]/value)[1]', 'VARCHAR(MAX)') SQLText
    FROM
        (
            SELECT
                CAST(event_data as XML) event_data
            FROM
                sys.fn_xe_file_target_read_file('C:\Temp\EE_QueryWarnings*.xel', null, null, null)
        ) ed
    OUTER APPLY
        ed.event_data.nodes('event') (n)
    WHERE
        n.value('@name', 'varchar(MAX)') = 'missing_column_statistics'
    AND
        n.value('@timestamp', 'DATETIME2') >= DATEADD(MINUTE,-10,GETUTCDATE());

Do such network events indicate attack attempts? [closed]

logcheck fished out some suspicious log records for me:

    May 11 15:50:50 mailserver dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=1.2.3.4, lip=10.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<Gf6Gol+lJgItjVcH>
    May 12 06:17:10 mailserver dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=5.6.7.8, lip=10.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F09C:SSL routines:ssl3_get_record:http request, session=<NYC/vGulRn+nrNEM>
    May 13 09:02:52 mailserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=9.10.11.12, lip=10.0.0.1, TLS handshaking: SSL_accept() failed: error:1417D0FC:SSL routines:tls_process_client_hello:unknown protocol, session=<6x8rK4KlPNdZ+KwQ>
    May 13 09:02:53 mailserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=13.14.15.16, lip=10.0.0.1, TLS handshaking: SSL_accept() failed: error:1417D18C:SSL routines:tls_process_client_hello:version too low, session=<Prc7K4KlutdZ+KwQ>
    May 13 09:02:59 mailserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=17.18.19.20, lip=10.0.0.1, TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<v0yhK4KlztpZ+KwQ>

Those records seem suspicious to me, as if they indicated attacks on my internet-exposed network services. Are they? What can you tell me about security risk of particular events here?
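One way to triage records like these is to group the pre-authentication TLS handshake failures by OpenSSL reason string and by source address. The following is an added example, not part of the original post; the function names, the `threshold` parameter and the final sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# The five records quoted in the post, plus one constructed line (an ordinary
# login) that the parser must skip.
SAMPLE_LOG = """\
May 11 15:50:50 mailserver dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=1.2.3.4, lip=10.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<Gf6Gol+lJgItjVcH>
May 12 06:17:10 mailserver dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=5.6.7.8, lip=10.0.0.1, TLS handshaking: SSL_accept() failed: error:1408F09C:SSL routines:ssl3_get_record:http request, session=<NYC/vGulRn+nrNEM>
May 13 09:02:52 mailserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=9.10.11.12, lip=10.0.0.1, TLS handshaking: SSL_accept() failed: error:1417D0FC:SSL routines:tls_process_client_hello:unknown protocol, session=<6x8rK4KlPNdZ+KwQ>
May 13 09:02:53 mailserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=13.14.15.16, lip=10.0.0.1, TLS handshaking: SSL_accept() failed: error:1417D18C:SSL routines:tls_process_client_hello:version too low, session=<Prc7K4KlutdZ+KwQ>
May 13 09:02:59 mailserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=17.18.19.20, lip=10.0.0.1, TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<v0yhK4KlztpZ+KwQ>
May 13 09:03:10 mailserver dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.0.0.7, lip=10.0.0.1, mpid=4242, TLS, session=<constructedAAAA>
"""

# Matches only disconnects that happened before any auth attempt and that
# carry an OpenSSL error; captures service, source IP, error code and reason.
LINE_RE = re.compile(
    r"dovecot: (?P<service>\w+)-login: Disconnected "
    r"\(no auth attempts in (?P<secs>\d+) secs\): "
    r".*?rip=(?P<rip>[0-9a-fA-F.:]+), .*?"
    r"SSL_accept\(\) failed: error:(?P<code>[0-9A-F]+):SSL routines:"
    r"(?P<func>\w+):(?P<reason>[^,]+),"
)

def parse_failures(text):
    """Return one dict per pre-auth TLS handshake failure found in text."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]

def summarize(records, threshold=3):
    """Tally failures by reason; list source IPs seen at least `threshold`
    times (threshold is a hypothetical tuning value, not a dovecot setting)."""
    by_reason = Counter(r["reason"] for r in records)
    by_ip = Counter(r["rip"] for r in records)
    repeat_ips = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return by_reason, repeat_ips

if __name__ == "__main__":
    by_reason, repeat_ips = summarize(parse_failures(SAMPLE_LOG))
    for reason, n in by_reason.most_common():
        print(f"{n:3d}  {reason}")
    print("sources at or above threshold:", repeat_ips or "none")
```
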

What lore events marked the changes between editions?

It was mentioned in this answer that “Only two characters have ever managed to free themselves from Ravenloft, and the only one to actually manage to stay free, Vecna, broke reality so hard in the process that it changed the AD&D 2e rules into D&D 3e rules.” which made me wonder “what other lore events have caused editions to change?”

When during the events of the Curse of Strahd plot does Kasimir want to do this thing?

In Curse of Strahd, during my current playthrough of it (with me as the DM) the NPC Kasimir is the party’s ally (“Strahd’s Enemy”). It says throughout the adventure (whenever Kasimir is mentioned at all) that he:

It says, on p. 90, in the description for Crypt 21:

This implies that Kasimir would do this first before we face Strahd.

On p. 196, it describes a Special Event concerning Kasimir:

The first part implies he may want to do this before we face Strahd, but since both are related to Castle Ravenloft, it is ambiguous, so this part of the quote is perhaps not that helpful. The second part, though, implies again that Kasimir would do this before we face Strahd, since otherwise that part doesn’t make any sense.

However, his entry in Appendix D says the following of relevance under Dreams of the Damned, pp. 232-233:

This implies that Kasimir would do this after we face Strahd.

So my question is:

Can you use a “History” check to remind players of events from previous sessions or their backstory?

My players and I are starting a new campaign soon, with brand new characters set in the same world and after all of our previous campaigns. In the first session, I plan on having them run into some cultists that the players (but not the characters) have encountered in a previous campaign. One of the new characters was a student of one of the old characters, and it is mentioned in their backstory that “he showed me a museum of his previous adventures.” Would a History check be used to determine if this new character identifies the cultists from the museum?

More generally, what’s the time limit on a History check? Can they roll a history check to see if they remember things from the previous session? From their backstory? Or is it explicitly past events they did not experience? If this is the case, then what sort of check would I use for more recent history, like a “memory” check? Straight Wisdom, Investigation, straight Intelligence, Perception?

Is there any information on what Bloodroot Grove was before the events of this AL module?

I was looking over the Adventurer’s League module, DDAL09-08 – In the Garden of Evil (Season 9, Descent into Avernus). This adventure concerns a location in Avernus (the first layer of the Nine Hells) called Bloodroot Grove, and the evil unicorn Zhalruban who has been corrupted by the grove.

What I can’t understand is what such a grove was doing in Avernus in the first place. My impression of Avernus is that it’s a blasted wasteland, not somewhere where you would expect to find a grove.

Apparently, it is in some way related to Silvanus, the god of nature:

Clearly Silvanus didn’t decide to put it in Avernus, so how did it get here? Was it “lifted” from somewhere else (such as the Material Plane or the Feywild*), similar to how the town Elturel was taken into Avernus from the Material Plane (from the main adventure)?

* The grove might have once been in the Feywild, since there’s this quote (even though it only explicitly refers to one tree):

I assume it has been corrupted simply because it has been on Avernus for so long, since Silvanus wouldn’t have created it as a corrupted grove initially, so something must have corrupted it, and being on Avernus fits as the cause of the corruption, but that further suggests my theory that it wasn’t located in Avernus to begin with.

Is there any more information whatsoever about Bloodroot Grove and how it came to be on Avernus?

Extended events filter not working

If I remove the filter, I get results, including ones that should match the filter.

The user is a SQL Login.

This query returns nothing:

    CREATE EVENT SESSION [p] ON SERVER
    ADD EVENT sqlserver.rpc_starting(
        ACTION(package0.event_sequence,sqlserver.nt_username,sqlserver.server_principal_name,sqlserver.session_id,sqlserver.username)
        WHERE ([package0].[equal_boolean]([sqlserver].[is_system],(0)))
        AND (([sqlserver].[server_principal_name]=N'MySQLUserName'))),
    ADD EVENT sqlserver.sql_batch_starting(
        ACTION(package0.event_sequence,sqlserver.nt_username,sqlserver.server_principal_name,sqlserver.session_id,sqlserver.username)
        WHERE ([package0].[equal_boolean]([sqlserver].[is_system],(0)))
        AND (([sqlserver].[server_principal_name]=N'MySQLUserName')))
    ADD TARGET package0.ring_buffer
    WITH (MAX_MEMORY=8192 KB,EVENT_RETENTION_MODE=ALLOW_SINGLE_EVENT_LOSS,MAX_DISPATCH_LATENCY=5 SECONDS,MAX_EVENT_SIZE=0 KB,MEMORY_PARTITION_MODE=PER_CPU,TRACK_CAUSALITY=ON,STARTUP_STATE=OFF)
    GO

This query returns results that should have been in the original results:

    CREATE EVENT SESSION [p] ON SERVER
    ADD EVENT sqlserver.rpc_starting(
        ACTION(package0.event_sequence,sqlserver.nt_username,sqlserver.server_principal_name,sqlserver.session_id,sqlserver.username)
        WHERE ([package0].[equal_boolean]([sqlserver].[is_system],(0)))),
    ADD EVENT sqlserver.sql_batch_starting(
        ACTION(package0.event_sequence,sqlserver.nt_username,sqlserver.server_principal_name,sqlserver.session_id,sqlserver.username)
        WHERE ([package0].[equal_boolean]([sqlserver].[is_system],(0))))
    ADD TARGET package0.ring_buffer
    WITH (MAX_MEMORY=8192 KB,EVENT_RETENTION_MODE=ALLOW_SINGLE_EVENT_LOSS,MAX_DISPATCH_LATENCY=5 SECONDS,MAX_EVENT_SIZE=0 KB,MEMORY_PARTITION_MODE=PER_CPU,TRACK_CAUSALITY=ON,STARTUP_STATE=OFF)
    GO

How can I display selected events in the Top Events category screen for Google Analytics?

I am trying to filter several events of my event list. I am trying to do it via a segmentation, but it doesn’t work. What is the correct way to do this?

Predicting the outcome of sporting events with multiplicative scoring

In the Olympic format for sport climbing, eight athletes compete in three rounds of climbing. Their final score is the multiplication of their rankings in each round. For example, an athlete who comes 1st in the first round, 5th in the second round, and 7th in the third will have a final score of $$1\times5\times7=35$$. The athlete with the lowest final score wins.

Assuming that the competition is already partly underway (possibly even mid-round), is there a computer algorithm to quickly compute the probabilities $$P_{ar}$$ of each athlete $$a$$ achieving a final ranking $$r$$, assuming the performance of the athletes is entirely random from here on? Even with 8 athletes the brute force method seems too computationally intensive.

If this isn’t computationally possible in a reasonable time, is there an algorithm to get “close enough” to those probabilities?

On what date do the events of the Lost Mine of Phandelver adventure happen?

I bought the D&D 5e Starter Set a few weeks ago, and I’m beginning to think about how to drive the scenario as I’ve already read it and I’m at the stage to get familiar with the rules.

Yesterday I created my first character sheet with one of my future players (we’re not going to use pre-generated sheets) and we talked about his character’s lore and background (he will be playing a nobleman, a prince).

I thought that there could be a king in Neverwinter (the closest bigger city to the location of the adventure), so we could link his background to the scenario. Again, his character would be the son of a king, who, after finishing his Paladin training, wants to go on an adventure to gain experience and prove his value and that he is adequately trained to potentially govern one day.

However, when I searched for Neverwinter lore, I found out that while there were indeed kings, they didn’t exist towards the end of the timeline.

Given that, I tried to find out at which date the events of LMOP take place, but I didn’t manage to find it anywhere in the books.

So, based on already existing modules or deductions based on facts in existing modules, when do the events of LMOP take place?

If the date is deduced instead of directly stated somewhere, you have to support your answer with official sources, not just a more or less educated guess. The better the answer is supported by sources, the better.