When the rule is triggered and the USB is blocked the event is queued on the system ready for when the ePO Agent next communicates with the ePO server. The communication takes place at intervals so you'll see the event in the monitor after the next scheduled interval. You can adjust this interval in the agent properties on the ePo server.
Global Support Engineering Operations
I did a agent wakeup on my workstation after I plugged in usb flash. did not show up in log
How long after the wakeup call do you have to wait to see it?
If you are watching the monitor screen you can refresh it manually, you can also set the refresh interval in the monitor by choosing Tools, Options and see what value the 'Automatic Refresh Interval (sec)' field is set to.
Beyond that you may have a very slow event parser for which you'll need to log a case with us to help with.
seems to be working I changed the agent to communicate with EPO server to 5 mins. just wondering if that causes a lot of network traffic.
Don't change the McAfee Agent ASCI to 5 mins. You will end up with lots of unnecessary network traffic.
I do not see any reason as to why you need to see USB plug events immediately. Increase the severity for rules that you need to see immediately and the McAfee Agent Event Forwarding will ensure that you get the events immediately.