Also, to add on, if I do the delete command again this morning:
1> delete from EPOEVENTS where DetectedUTC < '2010-9-30'
It still takes a while and the transaction log jumps up in size.
Since that is the date I used yesterday, shouldn't there be 0 records to delete prior to that date? Are they not deleting properly?
Are you using McAfee database maintenance best practices, like using a simple DB rather than a full DB? Also, you need to schedule regular maintenance for DB backup, indexing, etc.
I really don't know the answers to those questions. I have been in this new job for a week, the last guy is long gone and no one else here knows how this was set up.
I have never used EPO before and have very little experience with SQL dbs.
Is there a website that lists McAfee DB maintenance best practices? How do I determine if I am using a simple DB vs full?
How do I schedule regular maintenance?
The event filter is a bit like a policy - so when you uncheck the events in the event filter, the client machines need to communicate with the server and pick up the new event filter list before they stop sending back those events. By the sound of it your client machines had some events queued, which is what is causing them to still be reported, and why the query you ran to remove the events is still finding them.
As the machines pick up the event filter, they will gradually stop sending up these events: in the meantime I would delete all events with those IDs via an SQL query, rather than basing it on the detected time. Keep doing that and everything should soon be under control.
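An added example, not part of the original thread: a T-SQL sketch of deleting by event ID in small batches so each transaction stays short and the log does not balloon the way the single date-based delete did. It assumes the event ID is held in a `ThreatEventID` column of `EPOEvents`; the two IDs are constructed placeholders, and the script is meant to be run in the ePO database after a backup.

```sql
-- Added example. Assumptions: the event ID column is ThreatEventID,
-- and 1111 / 2222 are placeholder IDs standing in for the events
-- that were unchecked in the event filter.

-- 1. Check the recovery model of the current database (SIMPLE vs FULL).
SELECT name, recovery_model_desc
FROM sys.databases
WHERE name = DB_NAME();

-- 2. List the event IDs to purge.
DECLARE @ids TABLE (id INT PRIMARY KEY);
INSERT INTO @ids (id) VALUES (1111);  -- placeholder
INSERT INTO @ids (id) VALUES (2222);  -- placeholder

-- 3. See how many rows are queued up per ID before deleting anything.
SELECT e.ThreatEventID, COUNT(*) AS event_count
FROM EPOEvents AS e
JOIN @ids AS i ON i.id = e.ThreatEventID
GROUP BY e.ThreatEventID;

-- 4. Delete in batches. Each DELETE is its own short transaction,
--    so the log space it uses can be reclaimed between batches.
DECLARE @rows INT;
SET @rows = 1;

WHILE @rows > 0
BEGIN
    DELETE TOP (10000)
    FROM EPOEvents
    WHERE ThreatEventID IN (SELECT id FROM @ids);

    SET @rows = @@ROWCOUNT;

    -- Under SIMPLE recovery a checkpoint lets the inactive part of
    -- the log be reused. Under FULL recovery the log is only
    -- truncated by a transaction log backup, so schedule one.
    CHECKPOINT;
END;
```

Re-running step 3 on later days shows whether clients are still sending the filtered events; the counts should fall to zero as machines pick up the new event filter.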