We are using ePO 5.9.1. Over the past week, I have noticed that the SQL database for ePO has been growing about 1GB per day. This is very unusual for us as it usually stays about 5GB. The only thing that we have done is to deploy ePO Agent 220.127.116.118 to all our 2,000 endpoints. Is it possible that this agent is causing events to be sent back to ePO, thus filling up the database?
I have tried some queries of the database that look for top event IDs, but don't see anything too large. Not too sure what is going on. Any suggestions?
Also, we are not using DXL/TIE and I know that this new agent deploys a DXL component to the endpoints.
ePOProductEventsMT contains client events ... the table EPOEvents contains Threat Events. Revisit the sql command - instead of searching for threats reverse engineer for clients events ... or Best practice: Create client event summary queries : display events sent from your agents to McAfee ePO, create client event summary queries - https://docs.mcafee.com/bundle/epolicy-orchestrator-5.9.0-product-guide/page/GUID-F14501EF-EF6D-483A...
Due to the large number you may want to start small and build up - suggest running query for only 15 minutes
You may already have set this up - still worth asking - are you following: Maintaining the McAfee ePO SQL database best practice
Perform these tasks regularly to maintain your SQL Server:
Yes, I do purge the database weekly. The database is backed up with a disaster recovery snapshot on a daily basis at about 3am.
The database is reindexed once a day and rebuilt once a week. The only thing that has changed is deploying ePO agent 18.104.22.1688 to all our endpoints.
What version were you on before 22.214.171.1248?
I've used this in the past and found it to be very useful - How to identify why the ePolicy Orchestrator database is very large : https://kc.mcafee.com/corporate/index?page=content&id=KB76720
Found this post - worth reviewing:
The table names changed from EPO 5 to 5.X and may have changed in EPO 10.
New feature but ....
Code consolidation and merging of management client components — McAfee Agent 5.5.2 or later replaces the Product Improvement Program (PIP) with a new, more efficient, and more secure product telemetry framework ... https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/28000/PD28068/en_US/...
Running the SQL command found in KB76720 may help in understanding what's causing the uptick.
Is there a way of stopping this, as we can't deal with database growth of 1GB per day? I will take a look at the other document, but you can see that we don't have a lot under top events, so not too sure what we need to purge.
Just created a server task that will purge from the last 90 days. I will see if that helps. Is the new way that they are coding creating extra events in the database? If this keeps growing then I may have to make a service call next week.
Thanks for all your suggestions.