20 Replies. Latest reply on Apr 15, 2011 7:14 AM by gifkoek

    DLP Monitor does not show Client-Events

    online83

      Hi everybody,

      hope that someone can help me with DLP 9.1

       

      I have the following constellation:

      - ePO Server is 4.5 Patch 3 on Windows Server 2008 SP2 (32 Bit) and McAfee Agent 4.5 Patch 1

      - SQL DB is on a different Server (MS SQL 2008)

      - SQL Connection is using Windows-Authentication

      - We use a user called "DOMAIN\virusscan" which is DB-Owner to connect to the SQL DB

      - I created a policy to deny all removable USB devices and: block, monitor and inform the user

       

      When I change the DLP Policies, I can see in the DLP Monitor that "the policy was applied".

       

      When I connect a USB device to the PC, the device is blocked and the user is also informed about it.

      Now I open the McAfee Agent Status Monitor and collect and send the events. I see in the agent log of the client that the system sends events to the ePO server.

      But I do not see these DLP Client-Events in the DLP Monitor.

       

      Also I have verified the WCF Service Test-Page. Everything is quite good.


      Hopefully someone can help me with this issue.

       

      I also tracked a SR @ McAfee Gold Support on 11.01. but until now I got no solution for it... :-(

       

       

      regards,

      online

        • 1. Re: DLP Monitor does not show Client-Events

          Have you checked that the Evidence Share is set correctly for the Agents? Then check the permissions on the server again and make sure you have given the computers write access to this.

           

          Have McAfee been sent the MER data for DLP yet?

           

          Regards,

           

          Ian

          • 2. Re: DLP Monitor does not show Client-Events
            online83

            Hi Ian,

            yes, I already sent the MER data to McAfee.

             

            But perhaps there is a misunderstanding. I have not configured "to save the copied files in the evidence".

            I only want to see the Client-Events showing which device was blocked (Product/Vendor ID of the removable drive). But this does not work. :-(

             

            regards,

            online

             

             

            Message edited by online83 on 24.01.11 18:09:58 CET
            • 3. Re: DLP Monitor does not show Client-Events

              OK, I have seen a similar issue to this and it was down to the WCF service account not having the correct SQL permissions and although the testing page worked it was still missing some permissions.

               

              Have you checked the database to see if any events are stored in there?

              SELECT TOP 100 *
              FROM [ePO4_SERVERNAME].[dbo].[DLP_EventInfoView]
              WHERE EventTypeDisplayName = 'Devices: Device Plug'

               

              Regards,

               

              Ian

              • 4. Re: DLP Monitor does not show Client-Events
                online83

                The User-Account which we use within the WCF Service is DB-Owner of the Database.

                I think a DB-Owner should have enough rights, or not?

                 

                Is there any possibility to get debug-logfiles of the WCF Service?

                 

                 

                At the moment I am not in the office. Sorry, I have to run the SQL query later.

                 

                regards,

                online

                 

                 

                Message edited by online83 on 25.01.11 17:00:26 CET
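
Added example, not part of any post in this thread: a T-SQL check that shows which DLP event types have reached the database and what the WCF service account can actually do there, rather than relying on the test page. It assumes the thread's placeholder database name `[ePO4_SERVERNAME]` and the `DOMAIN\virusscan` login, and that it is run by a SQL Server sysadmin who is allowed to impersonate that login.

```sql
-- Added example (assumptions: database name and login as quoted in the thread).
USE [ePO4_SERVERNAME];
GO

-- 1. Which DLP event types are stored at all?
--    Administrative events present but no device events means the
--    client-event path into the database is where things stop.
SELECT EventTypeDisplayName,
       COUNT(*) AS EventCount
FROM   [dbo].[DLP_EventInfoView]
GROUP  BY EventTypeDisplayName
ORDER  BY EventCount DESC;

-- 2. Switch to the account the WCF service connects with.
EXECUTE AS LOGIN = N'DOMAIN\virusscan';

-- Who does SQL Server think this is, and is it really in db_owner?
-- IS_MEMBER returns 1 (member), 0 (not a member) or NULL (role unknown).
SELECT SUSER_SNAME()         AS LoginName,
       USER_NAME()           AS DatabaseUser,
       IS_MEMBER('db_owner') AS IsDbOwner;

-- Can the account read the event view queried above? 1 = yes, 0 = no.
SELECT HAS_PERMS_BY_NAME('dbo.DLP_EventInfoView', 'OBJECT', 'SELECT')
       AS CanSelectEventView;

-- Full list of effective database-level permissions for the account.
SELECT permission_name
FROM   fn_my_permissions(NULL, 'DATABASE')
ORDER  BY permission_name;

-- 3. Return to the administrator's own security context.
REVERT;
```

If `DatabaseUser` comes back as `guest`, or `IsDbOwner` is 0, the login is not mapped in this database the way the configuration assumes.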
                • 5. Re: DLP Monitor does not show Client-Events
                  online83

                  Hi Ian,

                  I did the select query, but I do not get any event.

                  But "administrative events" (change of the dlp policy) are located in this sql table.

                   

                  regards,

                  online

                  • 6. Re: DLP Monitor does not show Client-Events

                    Ok this shows that the events are not getting to the database then.

                     

                    Is DLP installed on many machines? or are you just testing this at the moment?

                     

                    Regards,

                     

                    Ian

                    • 7. Re: DLP Monitor does not show Client-Events
                      online83

                      Yes, but why are the "administrative events" in it and the "client events" not?

                      I see that the McAfee agent sends events to the ePO server after a device was blocked, but nothing is in the DB... strange

                       

                      I also did the following:

                      Installed a Windows2008R2 64Bit Server

                      executed DCPROMO

                      Installed a SQL Windows 2008R2 Express DB

                      Installed ePO 4.5

                      Installed DLP 9.1

                      exported the DLP Policy from the "not working" ePO and imported it to the testing ePO.

                      pushed the agent to a client system, rebooted and inserted a USB drive

                      sent events => I can see the "client events".

                       

                      But that is not what we want :-) We would like to use our central SQL Server...

                       

                      At the moment we only use two PCs with DLP installed.

                      We would like to use it as soon as possible, but the issue must be fixed first.

                       

                      What can we do now?

                      Is there no possibility to enable debug logging on the WCF?

                       

                      regards,

                      online

                      • 8. Re: DLP Monitor does not show Client-Events

                        Not sure about debugging levels for DLP; it's certainly something that McAfee should be helping you with.

                         

                        One thing you can do though is in ePO select Menu -> Reporting -> Threat Event Log, Filter this to a machine with DLP and see if you get any events in there.

                         

                        Regards,

                         

                        Ian

                        • 9. Re: DLP Monitor does not show Client-Events
                          online83

                          It's annoying....

                          I can see other events of a system with DLP installed.

                           

                          regards,

                          online
