4 Replies Latest reply on Jul 13, 2009 12:53 PM by jrvane1

    Event reporting

    jrvane1
      Is there a policy setting that controls how often the ePO processes VirusScan events? :confused:

      Situation: I am running ePO 4.0 Patch-4. I have serveral User-defined programs in the VS 8.5 PUP policy which have been triggered, in both real-world and testing scenarios. But the events don't show up in my ePO for several days. Even when I click Send Events from the host Status Monitor and can see the event being uploaded, the ePO doesn't display/report it for a few days. I would like to be able to see these events at least the same day they occur. ;)

      Any help would be greatly appreciated. :)

      Regards,

      JV
        • 1. RE: Event reporting
          jrvane1
          Anybody, anybody...Bueller, Bueller? grin
          • 2. RE: Event reporting
            tonyb99
            do you mean in data in reports or as notifications?

            If its the notifications I would say you need to tweak the thresholds for minimums or if there should lots then allow more per hour/day whatever.

            If its reports are you sure you are pulling in the data? I use the cmdagent.exe -p -e -c run after successfull dat updates to help get my data back to the server asap plus rolling wakeups.

            Have you checked the parser log you may be getting events knocked back due to duplicate GUIDs, agent overinstalls of the agent 4, DAL errors or timeouts due to SQl failures etc etc etc
            • 3. RE: Event reporting
              jrvane1
              I have a Notification rule setup to fire on each occurance of a User-defined PUP detection, and it works. But the "Event Generated" date and "Event Received" date are always days apart. Can't figure out why the disparity. :(

              The MA policy is set to wakeup and receive updates every hour, as well as, enforce policy every 5 minutes. So the events should be uploaded every hour.

              While testing, I personally triggered the alert on my machine serveral times. Each time I clicked on "Send Events" in the McAfee Agent->Status Monitor, I could see the number of events, which corresponded to the number of triggered alerts, get uploaded to the ePO. It just takes a few days for the ePO to send a notification and/or show up in reports. :confused:

              I'll see if I can locate the parser log you spoke of. Much appreciated.

              Regards,

              JV
              • 4. RE: Event reporting
                jrvane1
                The Parser log didn't yeild any information that I could realily identify.

                I did, however, figure out that anything left in quarantine will be reported as an event, at least daily, until deleted from quarantine. That's good to know. ;)

                Any other thoughts on the "delayed reporting" quandary? :confused:

                Regards,

                JV