I am testing McAfee Application Control (version 6.1.1) and I moved over 100 systems into my Observe group on my ePO server (version 4.6.6). When I did my initial test, I was receiving normal Observe data within ePO without any troubles. After adding the extra systems, I started to see this message when reviewing later observations: "Warning: Observation generation has been stopped due to a large inflow detected at ePO in the last 24 hours. Press the link on the side to restart after creating policy rules from the existing Observations. Enable Observation Generation" I know that I can change the observation threshold count from the default of 100k events. My question is: are there any potential gotchas to upping the threshold limit, say maybe up to 300k? My organization wants to run all of the future systems in Observe Mode (over 5000 systems) for an unlimited period of time...I am dead set against this, mind you. I know version 6.1.2 is supposed to limit the number of events generated when in Observe Mode, but even with upgrading the clients, will that be enough to stop the Warning message from generating? Any help will be appreciated.
My organization wants to run all of the future systems in Observe Mode (over 5000 systems) for an unlimited period of time...I am dead set against this, mind you.
Your instinct here is correct. Trying to run that many in Observe mode will create a MASSIVE database (lots of Terabytes). Observe mode was created for the sole purpose of helping customers to discover what updaters to use. We never intended it to be run for any period of time on 5K machines. Can you technically run that many? Yes. Observe mode isn't a protective mode. You MUST get endpoints out of that and into full protection mode. If your company still thinks they should pursue this path, then please contact your local Sales Engineer and ask for assistance on why this is an insane path.
Thank you for the quick response. I will make a note of this and pass it along to my management.