5 Replies Latest reply on Jan 11, 2011 5:26 AM by JoeBidgood

    Where is Event severity determined for a point product?

      In EPO, report extensions (and the default settings) determine the severity of alerts listed (eg High, Informational etc).

      However, when a point product creates an alert, does it decide when the alert is created that it is High etc?

      Or does the EPO Agent determine the severity of the alert based on the severity listed in EPO?

      Or is there some other methodology used?

        • 1. Re: Where is Event severity determined for a point product?
          JoeBidgood

          Generally speaking this is decided by the point product teams - they then code this into the extension, which in turn places the information into the ePO database.

          HTH -

          Joe

          1 of 1 people found this helpful
          • 2. Re: Where is Event severity determined for a point product?

            Thanks Joe - it does lead to a follow-up question from me though.

            If I'm not seeing the EPO agent upload an event to the EPO server immediately that is marked as "High", yet the settings in EPO for the agent are for these events to automatically upload, where would the fault lie?

            (EventSeverity in the .evt file is marked as 0 btw).

            Is it a point product issue or an EPO agent issue?

            Trying to get my head around how a client "knows" an event is critical/high etc and needs to upload it straight away.

            • 3. Re: Where is Event severity determined for a point product?
              JoeBidgood

              The event severity is effectively hard-coded into the point product - the exact mechanism differs but the end result should be the same (i.e. the point product generates an event with the correct priority attached to it.)

              If the agent is supposed to be forwarding these immediately, but isn't, maybe you are running into the agent throttling functions? What are the settings for "interval between uploads" and "max number of events per upload" in the agent policy?

              HTH -

              Joe

              PS: please check your PM

              1 of 1 people found this helpful
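The reply above gives the two places to look when a "High" event is not uploaded promptly: the severity the point product stamped into the .evt file, and the agent's upload throttling (interval between uploads, max events per upload). The following script is an added example, not McAfee's code or anything from ePO itself. It parses a handful of constructed .evt bodies, assumes a simplified XML layout with an `<EventSeverity>` element, assumes a numeric scale where 3 and above means "forward immediately" (the real mapping comes from the product extension documentation), and reports for each file whether it is merely waiting for the next scheduled upload or genuinely overdue. `locate_fault` encodes the thread's reasoning: a file carrying EventSeverity 0 for an event the console lists as High points at the point product, while a correctly stamped high-severity file that is still sitting in the events directory points at the agent.

```python
"""Triage ePO agent event (.evt) files: who set the severity, and is an
event overdue for upload?  Added example; the XML layout, the severity
scale and the sample files are all constructed for illustration."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed severity scale (0 = lowest). The real product mapping should
# be taken from the point product's extension documentation, not from here.
SEVERITY_NAMES = {0: "Informational", 1: "Warning", 2: "Minor", 3: "Major", 4: "Critical"}
IMMEDIATE_THRESHOLD = 3            # assumed: Major and above bypass the upload interval
IMMEDIATE_GRACE = timedelta(minutes=2)  # assumed slack before calling an immediate event overdue

# Constructed sample .evt files: (filename, time written, XML body).
# "HYPOTHETICAL_AV" is a placeholder product name, not a real product.
SAMPLE_EVT_FILES = [
    ("evt_0001.xml", "2011-01-10T09:00:00",
     '<EPOEvent><SoftwareInfo ProductName="HYPOTHETICAL_AV"/>'
     '<Event><EventID>1027</EventID><EventSeverity>4</EventSeverity></Event></EPOEvent>'),
    ("evt_0002.xml", "2011-01-10T09:01:00",            # same event id, stamped 0 by the product
     '<EPOEvent><SoftwareInfo ProductName="HYPOTHETICAL_AV"/>'
     '<Event><EventID>1027</EventID><EventSeverity>0</EventSeverity></Event></EPOEvent>'),
    ("evt_0003.xml", "2011-01-10T09:58:00",
     '<EPOEvent><SoftwareInfo ProductName="HYPOTHETICAL_AV"/>'
     '<Event><EventID>1059</EventID><EventSeverity>1</EventSeverity></Event></EPOEvent>'),
    ("evt_0004.xml", "2011-01-10T09:30:00",            # no severity element at all
     '<EPOEvent><SoftwareInfo ProductName="HYPOTHETICAL_AV"/>'
     '<Event><EventID>9</EventID></Event></EPOEvent>'),
]


def parse_evt(xml_text):
    """Pull product, event id and numeric severity out of one .evt body.
    A missing or non-numeric EventSeverity is returned as None rather than
    defaulted to 0, because 0 is itself a meaningful (lowest) level."""
    root = ET.fromstring(xml_text)
    sw = root.find("SoftwareInfo")
    product = sw.get("ProductName", "") if sw is not None else ""
    event_id = root.findtext("Event/EventID", default="")
    sev_text = root.findtext("Event/EventSeverity")
    severity = int(sev_text) if sev_text is not None and sev_text.strip().isdigit() else None
    return {"product": product, "event_id": event_id, "severity": severity}


def forwarding_class(severity):
    """How the agent is assumed to treat an event of this severity."""
    if severity is None:
        return "unknown"
    return "immediate" if severity >= IMMEDIATE_THRESHOLD else "batched"


def locate_fault(file_severity, expected_immediate, still_on_disk):
    """Apply the thread's reasoning: the product stamps the severity, the
    agent acts on it.  Returns 'point product', 'agent' or 'none'."""
    cls = forwarding_class(file_severity)
    if expected_immediate and cls != "immediate":
        return "point product"   # the file never carried a high severity
    if cls == "immediate" and still_on_disk:
        return "agent"           # severity is right, yet it was not forwarded
    return "none"


def triage(files, now, upload_interval):
    """Classify every file and say whether its age is expected or overdue."""
    results = []
    for name, written, body in files:
        info = parse_evt(body)
        age = now - datetime.fromisoformat(written)
        cls = forwarding_class(info["severity"])
        if cls == "immediate":
            finding = ("should have been forwarded immediately" if age > IMMEDIATE_GRACE
                       else "within grace period")
        elif cls == "batched":
            finding = ("older than upload interval" if age > upload_interval
                       else "waiting for next scheduled upload")
        else:
            finding = "no EventSeverity written by point product"
        results.append({"file": name, "event_id": info["event_id"],
                        "severity": SEVERITY_NAMES.get(info["severity"], "unknown"),
                        "class": cls, "age_minutes": int(age.total_seconds() // 60),
                        "finding": finding})
    return results


def run_triage_sample():
    """Run the triage over the constructed files at a fixed clock (10:00)
    with a 30-minute upload interval."""
    return triage(SAMPLE_EVT_FILES, datetime(2011, 1, 10, 10, 0, 0), timedelta(minutes=30))


if __name__ == "__main__":
    for row in run_triage_sample():
        print(row)
    print("file says 0, console says High ->", locate_fault(0, True, True))
```

Run against a real events directory, the two numbers to feed in are the agent policy's "interval between uploads" and, for the grace period, whatever delay the product is documented to allow for immediate events; the point of the `unknown` class is that an event file without a severity is the point product's omission, not the agent's.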
              • 4. Re: Where is Event severity determined for a point product?

                JoeBidgood wrote:

                The event severity is effectively hard-coded into the point product - the exact mechanism differs but the end result should be the same (i.e. the point product generates an event with the correct priority attached to it.)

                If the agent is supposed to be forwarding these immediately, but isn't, maybe you are running into the agent throttling functions? What are the settings for "interval between uploads" and "max number of events per upload" in the agent policy?

                Thanks again Joe. Actually, the information you gave is very helpful with my issue. Am trying to work out if something is "my issue" or a problem that the "point product" is causing.

                PMs are rather broken, they need a Mod here to approve them, so it may not appear for 24+ hours depending on who sees it. <waves to a friendly mod>

                I don't think it's the agent throttling causing the issue as I can recreate the issue with the point product and they are the only evt files in the events directory, but your comment re the point product defining the sev does indicate something to me.

                • 5. Re: Where is Event severity determined for a point product?
                  JoeBidgood

                  Glad to hopefully shed some light

                  Re: PMs - you're right, I haven't seen an approval note yet. Can you drop me a mail at joe_bidgood@mcafee.com?

                  Thanks -

                  Joe