After a successful upgrade from EPO 5.1.1 to 5.3.1, we noticed a hiccup where just a few hours after the upgrade the McAfee ePolicy Orchestrator 5.3.1 Application Server had stopped. Restarted the service and logged in fine. For a brief moment settings, policies, system tree and dashboards were missing but eventually everything loaded fine within less than a minute. I looked at the audit log and found over 5000 logged system/blank entries (see pic below) with no detailed information other than "Notify Agent(s)" and whether it was successful or not.
I contacted McAfee platinum support and showed them the findings. After looking at the Orion log and the database (hosted on SQL cluster), they could not find a culprit.
Tried disabling all Server Tasks and ran this way for at least a few hours and saw no drop in logs.
Products are as follows:
Agent: 5.0.1 and some 5.0.2
VSE 8.8 Patch 6
Deep command 2,2 (testing, not deployed)
DLP (small POC)
TIE/DXL (small POC)
Our build is running on VMs, 2012 servers. Main EPO has 8 CPUs, 32 GB RAM and plenty of storage. Database is hosted on SQL cluster.
We have 3 additional AgentHandlers with direct access to DB.
We also have 1 TIE write only Master, 2 Reporters, and 3 DXL Brokers (1 in DMZ).
Can anyone shed any light as to what might be causing this?
Any update/findings/resolution to this issue? Apparently I have the exact same even though I'm on ePO 5.3.0 (fresh install). It seems to have started with the installation of TIE/DXL and/or MOVE extensions. We've got almost 2 million of these "Failed to notify agent(s)" entries in the audit log. I'd really want this to stop ASAP. Any help would be welcome.
The following KB may be relevant:
Specifically the reference number 1068538. Though it states that this would be resolved in DXL 2.0.0 but it's clearly not...
Just went into the audit log myself and see the same issue (trying to figure out a high CPU issue currently).
Does anyone have a solution to this yet - latest TIE that was released 3 weeks ago, but still the same issue.
In 24 hours (yesterday was a weekend), the audit log is 370,000 entries.
We just installed the latest available TIE/DXL on our ePO 5.3.1 server and are also getting hammered by these entries in the audit log. Has anyone found a solution to this yet?
Do you have any news about this "Notify Agent(s)" issue?
We have a case with McAfee Support but.... but.... no comments.
We've been getting the same ever since upgrading from 5.1 to 5.3.1. We've also noticed that this has stopped any TIE data getting to ePO. The TIE dashboards have no data since the 5.3.1 upgrade and I no longer get e-mail notifications about malware infections detected by TIE. I do still get notifications from malware detected by VirusScan.
Not really much help, I know, but thought I'd add the additional part about TIE. Support ticket now logged so will update if I make any progress.