Anybody, anybody...Bueller, Bueller? grin
Do you mean in data in reports or as notifications?
If it's the notifications, I would say you need to tweak the thresholds for minimums, or if there should be lots, then allow more per hour/day, whatever.
If it's reports, are you sure you are pulling in the data? I use the cmdagent.exe -p -e -c run after successful DAT updates to help get my data back to the server ASAP, plus rolling wakeups.
Have you checked the parser log? You may be getting events knocked back due to duplicate GUIDs, agent overinstalls of the agent 4, DAL errors or timeouts due to SQL failures, etc. etc. etc.
I have a Notification rule set up to fire on each occurrence of a User-defined PUP detection, and it works. But the "Event Generated" date and "Event Received" date are always days apart. Can't figure out why the disparity. :(
The MA policy is set to wake up and receive updates every hour, as well as enforce policy every 5 minutes. So the events should be uploaded every hour.
While testing, I personally triggered the alert on my machine several times. Each time I clicked on "Send Events" in the McAfee Agent->Status Monitor, I could see the number of events, which corresponded to the number of triggered alerts, get uploaded to the ePO. It just takes a few days for the ePO to send a notification and/or show up in reports. :confused:
I'll see if I can locate the parser log you spoke of. Much appreciated.
The Parser log didn't yield any information that I could readily identify.
I did, however, figure out that anything left in quarantine will be reported as an event, at least daily, until deleted from quarantine. That's good to know. ;)
Any other thoughts on the "delayed reporting" quandary? :confused: