cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
JDCast11
Level 9
Report Inappropriate Content
Message 1 of 23
‎02-24-2020 11:22 AM

Unable to receive network traffic logs on ePO server

Jump to solution

I am trying to have a central place where I can see all traffic being passed through the ENS Firewall. All the required policies are configured to forward events to ePO as well as having selected all Firewall events are logged. I also have on the rule itself to log on each occurrence and to log all allowed and blocked traffic. Essentially, I want to avoid having to navigate to every one of my servers to pull up the FirewallEventMonitor.log to see what is being blocked. I also have tried creating a query to try and pull the events but that was unsuccessful. It did pull some events but all of them were old. Any help is appreciated.

I am running ePO 5.10 update 6 with the latest ENS and Firewall updates.

0 Kudos
Reply
1 Solution

Accepted Solutions
JDCast11
Level 9
Report Inappropriate Content
Message 22 of 23
‎02-28-2020 08:52 AM

Re: Unable to receive network traffic logs on ePO server

Jump to solution

Good news! So I was able to finally receives the events to the ePO console. The issue was that the eventparser service currently has a bug on 5.10 update 6. Basically, it just stops parsing events. I have submitted an RTS to receive the fix to this. Thanks everyone for their assistance on this. Following the steps @Former Member outlined should have events showing up if you don't have update 6 installed. I

View solution in original post

Reply
22 Replies
ZGreen
Level 10
Report Inappropriate Content
Message 2 of 23
‎02-24-2020 11:41 AM

Re: Unable to receive network traffic logs on ePO server

Jump to solution

When did they stop logging. Is it only the firewall events or have the OAS and HIPs events stopped reporting as well? 

0 Kudos
Reply
JDCast11
Level 9
Report Inappropriate Content
Message 3 of 23
‎02-24-2020 11:47 AM

Re: Unable to receive network traffic logs on ePO server

Jump to solution

Hello ZGreen. It seems that all other threat events seem to be reporting correctly. I am just unable to get the actual traffic being passed through the ENS Firewall to show up in a query or report. 

0 Kudos
Reply
ZGreen
Level 10
Report Inappropriate Content
Message 4 of 23
‎02-24-2020 01:07 PM

Re: Unable to receive network traffic logs on ePO server

Jump to solution

So the events are showing in the logs just not the query? If thats the case how much information are you looking for in the query?

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 5 of 23
‎02-25-2020 12:13 AM

Re: Unable to receive network traffic logs on ePO server

Jump to solution

Hi @JDCast11 

Thank you for posting on the Community.

What you are trying to achieve is not something recommended as it will negatively impact the performance of your clients and will overload your database with large numbers of events.

If you wish to configure the FW to report the network traffic, please see the following taken from the ENS FAQ page: KB86704

How do I configure Endpoint Security Firewall network traffic logging?
Within the Endpoint Security Firewall Options policy, enable the Log all allowed or Log all blocked options. Endpoint Security Firewall will log blocked and allowed network traffic to the \ProgramData\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log file. If you want to generate ePolicy Orchestrator events for allowed or blocked network traffic, enable the Log matching traffic option in a specific firewall rule. Be aware that generic, high event-generation rules can cause performance issues. See KB90177 for more information.

NOTE: Endpoint Security Firewall log functionality does not allow for only specific firewall rules to be logged to the FirewallEventMonitor.log file. 

If you require a change to product functionality, submit a new product idea at:

https://community.mcafee.com/t5/Enterprise-Product-Ideas/idb-p/business-ideas

The Ideas forum is accessible only to McAfee business and enterprise customers. Click Sign In and enter your McAfee ServicePortal (https://support.mcafee.com) User ID and password. If you do not yet have a McAfee ServicePortal or McAfee Community account, click Register to register for a new account on either website.

For more information about product ideas, see KB60021.

NOTE: The Ideas forum replaces the previous Product Enhancement Request system.
Reply
JDCast11
Level 9
Report Inappropriate Content
Message 6 of 23
‎02-25-2020 07:53 AM

Re: Unable to receive network traffic logs on ePO server

Jump to solution

Thanks for your reply. That's what I'm having trouble with right now. My FirewallEventMonitor is logging correctly but I can't view the events on the ePO console itself which is what I was trying to do. I have selected the log matching traffic option and still have not seen any events in the actual ePO console. I understand that it will create many events but I plan to limit it to certain ports to see where traffic is blocked. Is the only way to view all network traffic to just go to the servers and pull up the FirewallEventMonitor log?

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 7 of 23
‎02-25-2020 08:04 AM

Re: Unable to receive network traffic logs on ePO server

Jump to solution

Hi @JDCast11 

If you look at the ENS Console, do you see the events in there or not at all?

What are your ENS and McAfee Agent policy settings set to? It's possible that the events are being generated but not forwarded. Check in ENS Common Policy what you've got set for ENSFW and in the McAfee Agent General Policy under Event Forwarding - lower the level to informational.

Indeed, we would suggest looking at the FirewallEventMonitor Log - or alternatively the best way to configure your FW is to use adaptive mode. This will then report any "would be blocked" traffic to ePO and based on these entries you can create rules to allow that traffic.  

0 Kudos
Reply
JDCast11
Level 9
Report Inappropriate Content
Message 8 of 23
‎02-25-2020 08:21 AM

Re: Unable to receive network traffic logs on ePO server

Jump to solution

Yes I have threat events from things such as Threat Prevention but not the Firewall. I just wanted to avoid having to log into every individual server to view the logs. I verified that I have All Firewall events log selected in the EndPoint Security Common and informational for the McAfee Agent. Still unable to get events. 

Test I'm running is trying to catch traffic through port 1433 from epo to sql. That is not showing up in the console but is in the local log.

0 Kudos
Reply
ZGreen
Level 10
Report Inappropriate Content
Message 9 of 23
‎02-25-2020 10:51 AM

Re: Unable to receive network traffic logs on ePO server

Jump to solution

What options do you have for ENS commons policy under event logging for firewall? Its not going to log that traffic unless you actually select all. 

0 Kudos
Reply
JDCast11
Level 9
Report Inappropriate Content
Message 10 of 23
‎02-25-2020 10:52 AM

Re: Unable to receive network traffic logs on ePO server

Jump to solution

Hey @ZGreen. Yes I have that selected and still no dice 😞

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC