4 Replies Latest reply on May 13, 2011 8:07 AM by pierce

    Unable to get DLP working - no events being logged.

      I've got an existing EPO 4.5 server and installed the DLP 9.1 extension and then checked in the DLP agent. I have also set up another server to run the WCF service.

       

      I then set up a simple policy to monitor removable storage devices and under DLP monitor I saw a devices: device plug being logged when I connected an external USB stick.

       

      I then upgraded to 9.1 Patch 1 and since then I can see "administrative: policy applied" messages being logged on the monitor and nothing else. I found an article on the KB which I followed (New Host Data Loss Prevention 9.x events are not displayed in the Host DLP Monitor - KB71211), but after deleting the DATALOSS2000 folder I noticed it didn't get recreated (it's been 3 days).

       

      I only have one machine which I'm busy testing DLP on but when collecting and sending properties something should be logged.

       

      Any ideas where I can start checking?

       

      On the WCF server I've run the test and it passes. It looks like none of the events from the client are being logged anywhere? What am I missing - I am just running a simple test where I want to monitor external USB devices.

        • 1. Re: Unable to get DLP working - no events being logged.
          pierce

          Did you upgrade the WCF server to 9.1 Patch 1 as well? It's not that clear in the guide (I skimmed over it myself...).

           

          Other than that, double-check you have the updated WCF server, the updated extension and help file checked in, and also the new agent checked into the repo and deployed to your testing machine.

           

          Then follow the guide 100% to make sure you pick all the right options for agent settings etc...

          • 2. Re: Unable to get DLP working - no events being logged.

            Change the McAfee WCF Service and McAfee Event Parser to "Log on" with an account that has sufficient privileges on the database.

            • 3. Re: Unable to get DLP working - no events being logged.

              Thanks - installing Patch 1 on WCF seemed to have fixed the problem. I can see the client events being reported now.

               

              Another problem I've come across - the client events are only sent through to the server every couple of hours. If I click on send events in the McAfee Agent then the events go through straight away, otherwise I have to wait for a few hours for them to be sent (even though the interval is set to 10 mins).

               

              Anyone experienced this problem? We are running McAfee Agent 4.5 Patch 2 

               

              Message was edited by: gmccarthy on 5/13/11 4:36:13 AM CDT
              • 4. Re: Unable to get DLP working - no events being logged.
                pierce

                My updates from DLP agents are pretty quick. The recommended update setting, I think, is once an hour.

                 

                But I do have my agents set to forward important events straight away. Maybe check you have this setting enabled for your agent policy. That way you could put your general check-ins back to one hour to reduce load on your servers/network and still get the important stuff through.