2 Replies Latest reply on Dec 14, 2013 9:26 AM by ebtrey

    Caveats to increasing the default threshold of 100k events in McAfee App Control 6.1.1




      I am testing McAfee Application Control (version 6.1.1) and I moved over 100 systems into my Observe group on my ePO server (version 4.6.6). When I did my initial test, I was receiving normal Observe data within ePO without any troubles. After adding the extra systems, I started to see this message when reviewing later observations: "Warning: Observation generation has been stopped due to a large inflow detected at ePO in the last 24 hours. Press the link on the side to restart after creating policy rules from the existing Observations.  Enable Observation Generation" I know that I can change the observation threshold count from the default of 100k events. My question is: are there any potential gotchas to upping the threshold limit, say maybe up to 300k? My organization wants to run all of the future systems in Observe Mode (over 5000 systems) for an unlimited period of time... I am dead set against this, mind you. I know version 6.1.2 is supposed to limit the number of events generated when in Observe Mode, but even with upgrading the clients, will that be enough to stop the Warning message from generating? Any help will be appreciated.