4 Replies Latest reply on Mar 19, 2008 5:05 AM by scorchspam

    Agents Events problem

    anded
      Anyone come across this problem before? One of our file and printer servers is very quickly filling up with the following xml files. There are currently over a million of them and we are running out of space. The directory is c:\document and settings\all users\application data\mcafee\common framework\agent events

      <?xml version="1.0" encoding="UTF-8" ?>
      <SnowCapSensorEvents>
        <MachineInfo>
          <MachineName>File and Print Server</MachineName>
          <AgentGUID>{FDB65465-3570-4C2A-A02C-989E6F7DED80}</AgentGUID>
          <IPAddress>XXX.XXX.XXX.XXX</IPAddress>
          <RawMACAddress>XXXXXXXXXXXX</RawMACAddress>
          <OSName>Windows XP</OSName>
          <UserName>SYSTEM</UserName>
          <TimeZoneBias>0</TimeZoneBias>
          <MACAddress>XX:XX:XX:XX:XX:XX</MACAddress>
          <SubnetAddress>XXX.XXX.XXX.XXX</SubnetAddress>
          <SubnetMask>XXX.XXX.XXX.XXX</SubnetMask>
        </MachineInfo>
        <McAfeeSnowCapSensor ProductName="McAfee SnowCap Sensor" ProductVersion="1.0.0" ProductFamily="SECURE">
          <SnowCapSensorEvent>
            <EventID>12000</EventID>
            <Severity>2</Severity>
            <GMTTime>2006-12-31T11:03:53</GMTTime>
            <ProductID />
            <InitiatorID />
            <InitiatorType>0</InitiatorType>
            <Locale>0409</Locale>
          </SnowCapSensorEvent>
        </McAfeeSnowCapSensor>
      </SnowCapSensorEvents>
        • 1. RE: Agents Events problem
          I haven't come across this particular issue. However, I do know that Snowcap is another name for the Rogue System Sensor.

          Is the rogue system sensor installed on this File and Print Server? If so, has it only recently been installed? And if so, how many clients on your network?

          You could try removing the sensor through ePO and adding it again.
          • 2. RE: Agents Events problem
            Arjen
            The directory you mention is the directory that is used by the agent to store any event until it is uploaded to the ePO server.

            Maybe you should increase the ASCI time or allow events to be uploaded immediately.
            If you do not use the rogue system sensor, you should remove it from the server, as it will cause overhead...
            • 3. RE: Agents Events problem
              hey,

              As Arjen says, this should only be a temporary holding area for the events before they are sent up to the ePO server. I suspect this is masking a greater problem in that the agent isn't communicating with the ePO server, and so cannot send the events up.

              Locate the agent_computername.log in the all usersprofile\network associates\common framework\db dir, and search for the word " trial " (I'm assuming the log is in English!!)

              it will look something like :

              connecting to epo server trial 1/6 ,

              Is it successful, or do you see a 2/6, 3/6, 4/6, etc.?

              Incidentally, the events that you are seeing are fairly useless: every time an RSD sensor starts its "shift" it sends a sensor started message, and sends a sensor stopped message when it finishes its "shift". These can be prevented from being created using the event filter list, which you see when you log into the reporting section using ePO authentication - simply uncheck the events you are not interested in.

              HTH,
              • 4. RE: Agents Events problem
                I'm currently investigating the same problem. Going to post it as a separate thread.
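
To see what is actually piling up in the Agent Events directory before touching the event filter or the sensor, the files can be tallied by product and EventID, with the oldest and newest timestamps showing how long uploads have been failing. This is an added example, not part of the thread and not McAfee code; it assumes the files end in .xml and follow the layout posted in the question, and the function names are made up for illustration.

```python
import os
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the layout posted in the question (trimmed).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8" ?>
<SnowCapSensorEvents>
  <MachineInfo><MachineName>File and Print Server</MachineName></MachineInfo>
  <McAfeeSnowCapSensor ProductName="McAfee SnowCap Sensor" ProductVersion="1.0.0">
    <SnowCapSensorEvent>
      <EventID>12000</EventID><Severity>2</Severity>
      <GMTTime>2006-12-31T11:03:53</GMTTime>
    </SnowCapSensorEvent>
  </McAfeeSnowCapSensor>
</SnowCapSensorEvents>"""

def events_in(xml_bytes):
    """Yield (product, event_id, gmt_time) for each event in one file."""
    root = ET.fromstring(xml_bytes)
    for product in root:
        if product.tag == "MachineInfo":
            continue  # host details, not an event container
        name = product.get("ProductName", product.tag)
        for ev in product:
            yield name, ev.findtext("EventID"), ev.findtext("GMTTime")

def summarize(directory):
    """Tally events per (product, EventID); track time span and bad files."""
    counts, oldest, newest, unreadable = Counter(), None, None, 0
    for entry in os.scandir(directory):  # streams entries, fine for 1M files
        if not entry.name.lower().endswith(".xml"):  # assumed extension
            continue
        try:
            with open(entry.path, "rb") as fh:
                found = list(events_in(fh.read()))
        except (ET.ParseError, OSError):
            unreadable += 1  # truncated or locked file; count it, keep going
            continue
        for product, event_id, when in found:
            counts[(product, event_id)] += 1
            if when:  # ISO 8601 strings sort chronologically
                oldest = when if oldest is None else min(oldest, when)
                newest = when if newest is None else max(newest, when)
    return counts, oldest, newest, unreadable

if __name__ == "__main__":
    counts, oldest, newest, bad = summarize(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("oldest:", oldest, "newest:", newest, "unreadable:", bad)
    for (product, event_id), n in counts.most_common():
        print(n, product, event_id)
```

Run it with the Agent Events directory as the only argument; a single dominant EventID from the sensor matches the start/stop messages described in reply 3.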