Within the User Interface of Symantec Endpoint Detection and Response (SEDR) the system health state is "Needs Attention". When the mouse hovers over the system health state, SEDR displays the Alert: "Device is encountering a large number of events. Some events will not be logged in the database."
"Device is encountering a large number of events. Some events will not be logged in the database."
In Symantec Endpoint Protection Manager (SEPM), one or more client groups have an External Communication policy that points to the IP address of ATP UI as a Private Insight server.
This behavior may have multiple causes, including overly broad configuration of the Endpoint Data Recorder, and a large number of Insight lookups from widespread software updates amongst the SEP clients.
The SEDR 4.5 software includes improvements to increase the number of events that can be processed. If you see an error that incoming events have been dropped, please update to SEDR 4.5 to take advantage of these changes.
Further troubleshooting can be performed in the following ways:
To reduce the number of events from the Data Recorder feature
To add a Data Recorder exclusion