I have looked through the discussions and don't see anything on troubleshooting to help you get the DLP monitor working for non administrative events. I have checked the following;
1. Evidence folders has domain admin fulll and domain computer permissions as per document
2. WCF service installed using sa account and under domain admins
Currently running DLP 3.0 with McAfee Agent 4.5
This has got to something simple, but there is very little on troubleshooting steps to help you fix the issue yourself. I canot see agent install events as well as client monitor events.
Any assistance would be helpful.
Take a look at KB54645 which has some troubleshooting information. Consider searching Host DLP Monitor events by event ID [see page 92 of the McAfee Host Data Loss Prevention 3.0 for ePolicy Orchestrator 4.5 Product Guide] for the steps to search for the event you are looking for. Define a new filter for this type of "non-administrative" event, select the filter conditions and properties and save the filter name of choice.
Check the DLP 3.0 readme file - you will get your answer. It's been a known issue with this version and might get resolved with patch 1.
Workaround: Change the executing user of the event parser service to the specific domain user specified at ePO installation.
Also have a look at these:
I got a call from McAfee Tier II yesterday and they suggested the same and it worked. Shame there wasn't a KB on this as it would have saved me a lot of hassle. Appreciate your response. I can have a happy xmas now :-) All the best.
where do I actually find readme file for DLP 3.0.?
previously, my DLP monitor does not shows any event at all and suddenly the event appear but unfortunately It takes sometimes to show up in the DLP MOnitor (approx. 30min)..
Any idea, what's goin on with the DLP Monitor?