Re: Pulling HIPS Firewall client logs remotely

If you have a software deployment tool that you use to push software out to workstations, I would think you could create a package to run the command that way.  Send the package to your workstations and they run the utility and export the log.


Re: Pulling HIPS Firewall client logs remotely

You could also do this simply with psexec, assuming you have the correct permissions on the box:

psexec \\machinename -f -c clientcontrol.exe /export c:\temp\hips.txt

Re: Pulling HIPS Firewall client logs remotely

This might be a little old and definitely not sexy, but it will work.

This assumes you have access to psexec and your working directory is C:\ePO\scripts\FirewallLogs

Create and place the following in your working directory:

Create a host file (hosts.txt). Populate it with the host names or IPs you need to collect logs from.

Create a bat file, call it fwstart.bat. In this file, place the following:

@echo off
REM Read one host per line from hosts.txt and collect from each
for /f %%x in (hosts.txt) do call eventlog.bat %%x

Now create eventlog.bat

In this file place the following:

@echo off
set COMPNAME=%1
REM Check if machine is alive
ping -n 1 %COMPNAME%
REM If machine doesn't answer ping jump to end
if errorlevel 1 goto fail
REM Run findstr on the remote host via psexec and append every line of its HIPS event.log to the local collection file
C:\ePO\scripts\FirewallLogs\psexec \\%COMPNAME% findstr /I ":" "C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention\event.log" >> C:\ePO\scripts\FirewallLogs\eventlogs.txt
goto end
REM Take care of failed stuff
:fail
echo "Couldn't find the system"
:end

This can make a very large eventlogs.txt file. I use Windows-based grep to segregate out the "7" (firewall activity) events and pull the ports I'm interested in viewing.

You can do the whole thing or just look at all firewall events by removing the 2nd grep sequence.

The 6/8/9/10 is the event type followed by a character (didn't bother to recreate TAB in regex), followed by McAfee's obfuscated timestamp.

20480 is McAfeeSpeak for port 80 and 47873 is port 443. Change as you need.

c:\"program files\grep\grep" -v "\(6\|8\|9\|10\).\(12\|13\)" C:\ePO\scripts\FirewallLogs\eventlogs.txt |c:\grep\grep "\(20480\|47873\)" >>interestingports.txt

I recommend you use Excel to pull in interestingports.txt and get rid of your redundancies.

Hope this helps

arem

Re: Pulling HIPS Firewall client logs remotely

Yes, that does help. I've been looking at doing something like this, but I've been investigating deploying a scheduled task to all the Windows PCs which runs the clientcontrol utility command.

I really wish that McAfee would spend some resources to do this properly. If the clientcontrol utility is now part of HIP then I don't see why we can't have HIP activity logs controlled and uploaded to ePO as a matter of course.

Re: Pulling HIPS Firewall client logs remotely

Not sure what you ever did with this, but there is an approved add-on called cloud hash security for the ePO. It's a lot faster than the manual method below.

We wrote a couple basic scripts to remotely pull event logs from hosts. We did not pull back to the ePO because that made no sense with this method. We just pulled back to the managing workstation.

We created a list of hosts to interrogate (name or IP).

Since we have poor script-writing skills, we wrote 2 batch files:

1st

Named dmstarter.bat

@echo off
:: Read one host per line from hosts.txt and start the collection for each
for /f %%x in (hosts.txt) do call DataMine.bat %%x

This just reads the host file and kicks off the collection for each one.

2nd

Named DataMine.bat

@echo off
set COMPNAME=%1
:: Check if machine is alive
ping -n 1 %COMPNAME%
:: If machine doesn't answer ping jump to end
if errorlevel 1 goto fail
:: Run findstr on the remote host via psexec and append every line of its HIPS event.log to the local collection file
E:\ePO\Scripts\psexec \\%COMPNAME% findstr /I ":" "C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention\event.log" >> E:\ePO\Scripts\datamine\datamine.txt
goto end
:: Take care of failed stuff
:fail
echo "Couldn't ping the system, is this thing on?"
:end

After that, I grepped datamine.txt for event type 7, imported it into Excel and removed duplicates. I now have a list of logged or blocked ports and applications (whatever the firewall was configured for).
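The grep-then-Excel step in this post and in the earlier eventlogs.txt post (keep event type 7, map the "McAfeeSpeak" port values, drop duplicates) can be done in one pass over the collected file. The following is an added Python example, not code from either poster or from McAfee. It assumes a tab-separated layout with the event type first and the timestamp second, as the earlier post describes; the column order after that (protocol, port, application) and the sample lines are constructed for the example. The port mapping the earlier post gives (20480 is 80, 47873 is 443) is a byte swap of the 16-bit value, which is what swap_port implements.

```python
from collections import Counter

# Constructed sample of collected lines. Layout assumed for this example:
# event type, TAB, McAfee timestamp, TAB, protocol, TAB, raw port, TAB, application.
# Port values use the byte-swapped encoding from the thread (20480 -> 80, 47873 -> 443).
SAMPLE_LOG = (
    "7\t1301234567\tTCP\t20480\tC:\\Program Files\\App\\app.exe\n"
    "6\t1301234568\tsome other event\n"
    "7\t1301234569\tTCP\t47873\tC:\\Program Files\\App\\app.exe\n"
    "7\t1301234570\tTCP\t20480\tC:\\Program Files\\App\\app.exe\n"
    "10\t1301234571\tanother event\n"
    "7\t1301234572\tUDP\t13568\tC:\\WINDOWS\\system32\\svchost.exe\n"
)

FIREWALL_EVENT_TYPE = "7"   # "7" = firewall activity, per the thread


def swap_port(value):
    """Swap the two bytes of a 16-bit port value.

    The raw values in the log are the port in network byte order read as a
    little-endian integer: 20480 is 0x5000, swapped to 0x0050 = 80; 47873 is
    0xBB01, swapped to 0x01BB = 443. The swap is its own inverse, so the same
    function turns a real port back into the raw value for building a filter.
    """
    value = int(value) & 0xFFFF
    return ((value & 0xFF) << 8) | (value >> 8)


def firewall_events(text, ports=None):
    """Return (protocol, real_port, application) for each event type 7 line.

    ports: optional collection of real port numbers to keep (e.g. {80, 443}).
    Lines of other event types or with too few fields are skipped.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if fields[0] != FIREWALL_EVENT_TYPE or len(fields) < 5:
            continue
        proto, raw_port, app = fields[2], fields[3], fields[4]
        port = swap_port(raw_port)
        if ports is not None and port not in ports:
            continue
        rows.append((proto, port, app))
    return rows


def unique_rows(rows):
    """Drop exact duplicates while keeping first-seen order (the Excel step)."""
    seen = set()
    out = []
    for row in rows:
        if row not in seen:
            seen.add(row)
            out.append(row)
    return out


def summarize(text, ports=None):
    """Unique (protocol, port, application) tuples plus a hit count per tuple."""
    rows = firewall_events(text, ports)
    return unique_rows(rows), Counter(rows)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open(r"E:\ePO\Scripts\datamine\datamine.txt").read()
    # to run over a real collection file.
    uniq, counts = summarize(SAMPLE_LOG, ports={80, 443})
    for row in uniq:
        print(f"{counts[row]:4d}  {row[0]:4s} {row[1]:5d}  {row[2]}")
```

Passing ports={80, 443} reproduces the earlier post's grep for 20480 and 47873; passing no ports filter gives the "all firewall events" view, with the per-tuple count standing in for the rows Excel would otherwise collapse.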
