Confirm you have this issue:
Check the count of the SCORInventory data type in the SCOR_DATA_CHANNEL table using the following SQL queries:
Query 1
Select DATA_TYPE, count(*) as COUNT from SCOR_DATA_CHANNEL group by DATA_TYPE;
| |
DATA_TYPE |
COUNT |
| 1 |
SCORCommand Response |
1 |
| 2 |
SCORDiag |
98 |
| 3 |
SCORInventory |
758015 |
NOTE: A high
COUNT for the
SCORInventory data type suggests that the issue is because of inventory-diff or a Pull Inventory Client Task was scheduled for a large number of hosts simultaneously.
Query 2
Select DATA_TYPE, count(distinct TRANSACTION_ID) as TX_COUNT from SCOR_DATA_CHANNEL group by DATA_TYPE;
| |
DATA_TYPE |
TX_COUNT |
| 1 |
SCORInventory |
758015 |
| 2 |
SCORCommandResponse |
1 |
| 3 |
SCORDiag |
98 |
NOTE: A very high
TX_COUNT for the
SCORInventory data type confirms that the issue is because of inventory-diff. Otherwise, if the count for SCORInventory from Query1 is high, but the count from Query2 is low, the issue may be caused by a Pull Inventory Client Task that was scheduled for a large number of hosts simultaneously.
Workaround:
Switch
off inventory-diff and run the SC: Pull Inventory Client Task on a limited number of hosts per day.
IMPORTANT: See
KB81702 to understand the implications of disabling the inventory-diff feature.
To switch
off Solidcore inventory-diff:
- Log on to the ePO console.
- Click Menu, Policy, Client Task Catalog.
- Click Actions, New Task.
- Select SC: Run Commands from the Task Types drop-down list and click OK.
- Type a Task Name (for example, Disable Solidcore Inventory-Diff) and provide a Description (optional).
- For MACC version 6.1 and earlier, type the following: "config set InvDiffConfig=1" . For MACC version 6.2 and later, type the following: "config set InvDiffConfig2=1"
- Click Save.
- Click Assign for the new task.
- Select My Organization as the group to which to assign the client task.
- Push the client task to Solidcore Agents by performing an agent wake-up call.
As a best practice, McAfee recommends that you schedule the Pull Inventory Client Task for 300 or fewer hosts per day. Check whether all SCORInventory data is processed from the SCOR_DATA_CHANNEL table and gradually increase the number of hosts until it reaches the maximum. The maximum value is reached when the SCORInventory data type takes more than 24 hours to process.
Alternatively, enable debug logging on ePO and collect MERs. The debug information indicates how long the thread took to process inventory from a single host.
Example
Log at the start of Processing:
2013-10-29 00:55:43,835 DEBUG [mfs:pool-2-thread-13] inventory.InventoryPullInternalTask - Working on inventory for Agentguid:652F9790-18C9-418D-AD6C-6C786DE4FED3| Txn Id:{15DC4018-D3E6-4903-8BC0-A01D34418088}
Log at the end Processing:
2013-10-29 00:56:40,961 DEBUG [mfs:pool-2-thread-13] inventory.InventoryPullInternalTask - Inv Pull done for AgentGuid: 652F9790-18C9-418D-AD6C-6C786DE4FED3
