System health cards for McAfee DLP Monitor

The McAfee DLP Monitor system health cards display information about appliance type, system health, and analysis statistics.

System health cards display McAfee DLP Monitor appliances as Monitor Server. Each functioning appliance is shown as Active. An appliance can be one of the following types, depending on whether it is configured as a standalone appliance or as a member of a cluster:

  • Monitor Server Standalone
  • Monitor Cluster Packet Acquisition Device
  • Monitor Cluster Master
  • Monitor Cluster Scanner

Status is displayed in green, amber, or red depending on whether warning and critical threshold values are exceeded, or whether there is an error. More information is provided in the Alerts and Details panes.

McAfee DLP Monitor statistics

In addition to standard system health information about each appliance, the McAfee DLP Monitor card provides the following information:

  • Evidence Queue — Shows the number of evidence files waiting to be copied to evidence storage.

    If the total combined size of the items in the queue exceeds a threshold, an alert is issued. If the evidence server is unavailable because, for example, it can't be contacted, the evidence is queued until the server becomes available again.

    The queue has between 20 and 200 GB of storage available, depending on the platform. If it becomes full, no further incidents are created.

    This statistic does not apply to a packet acquisition device.

  • Network — Displays information about received and transmitted data. For capture1, the following details are displayed:
    • Packets per second — The number of packets processed every second by a McAfee DLP Monitor standalone appliance or a cluster packet acquisition device.
    • Packet drops — The number of packets dropped at the network interface.
  • Monitor — Monitors the following information (these statistics apply to a standalone appliance and a cluster packet acquisition device):
    • Active flows — The current number of conversations on your network tracked by the McAfee DLP Monitor appliance.
    • Flows filtered — The current number of conversations that are not scanned according to filter rules.
    • Payloads scanned — Displays the number of payloads analyzed by McAfee DLP Monitor for each protocol.
    • Payload scan failure — Displays the number of payloads that can't be analyzed if, for example, an email message is corrupt or the time to analyze the payload exceeds the timeout limit.
    • Payloads oversize — Displays the number of payloads that exceed the configured limit.

      McAfee DLP Monitor cannot analyze partially extracted .zip files.

Counters are updated on the appliance every 60 seconds. Apart from the evidence queue counter, the counters are not cumulative.

See the information about McAfee DLP error messages to find out what happens if a message or web request is blocked.

McAfee DLP Monitor alerts

  • The evidence queue exceeded the default threshold.
  • The payload could not be analyzed.
  • McAfee DLP Monitor could not enforce a policy.