Why does it take a long time for the DLP monitor to log a event. Example I plug a USB flash drive with is blocked the Montitor does not log this event until it want to there is no time limit set, just when it feels like it. Using DLP 9.1.6, with EPO 4.5.6, Agent 4.6
When the rule is triggered and the USB is blocked the event is queued on the system ready for when the ePO Agent next communicates with the ePO server. The communication takes place at intervals so you'll see the event in the monitor after the next scheduled interval. You can adjust this interval in the agent properties on the ePo server.
Global Support Engineering Operations
How long after the wakeup call do you have to wait to see it?
If you are watching the monitor screen you can refresh it manually, you can also set the refresh interval in the monitor by choosing Tools, Options and see what value the 'Automatic Refresh Interval (sec)' field is set to.
Beyond that you may have a very slow event parser for which you'll need to log a case with us to help with.
Don't change the McAfee Agent ASCI to 5 mins. You will end up with lots of unnecessary network traffic.
I do not see any reason as to why you need to see USB plug events immediately. Increase the severity for rules that you need to see immediately and the McAfee Agent Event Forwarding will ensure that you get the events immediately.