andy5340
Level 9

Want to clear/reset HIP event.log via command-line

When tuning firewall policies, I run a batch file to pull log files into a single, VERY LARGE text file.

I then grep it for events with a tick time newer than whatever date I last tuned logs.

I would like to find a command-line I can employ (via psexec) that will clear the log after I've collected it.

Anyone have ideas or thoughts on how to execute?

Thanks

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: Want to clear/reset HIP event.log via command-line

The only way I can think of is to use the HIPS ClientControl tool. 

EDIT: Clientcontrol /stop will stop the HIPS service (disabling the protection it offers the system).

  1. clientcontrol.exe /stop <password>
  2. del event.log
  3. clientcontrol.exe /start

There is no command line equivalent of a HIPS Activity log CLEAR that I'm aware of.

Message was edited by: ktankink on 11/6/13 3:25:14 PM CST
0 Kudos
5 Replies
andy5340
Level 9

Re: Want to clear/reset HIP event.log via command-line

I was hoping to leverage the "clear" button on the HIP GUI. I thought that *just maybe* it used a command that we could also use via a command line or call.

I tried clientcontrol and got the error: "The action can't be completed because the file is open in McAfee Host Intrusion Prevention Service"

I know the password is working because I can unlock the GUI and disable manually.

Did I miss something obvious?

0 Kudos
McAfee Employee

Re: Want to clear/reset HIP event.log via command-line

"I tried clientcontrol and got the error: The action can't be completed because the file is open in McAfee Host Intrusion Prevention Service"

This error occurs because the HIPS service is still running (your "ClientControl.exe /stop" didn't work). Make sure you're running this in an Administrative: Command Prompt (not just a normal cmd.exe session), if on WinVista and higher.

You can check the C:\ProgramData\McAfee\Host Intrusion Prevention\ClientControl.log for details.

0 Kudos
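
The stop, clear, start sequence from the accepted solution, written as a batch script that copes with the locked-file failure discussed above. This is an added example, not part of the original thread or of McAfee's tooling; the argument layout, the archive file name and the assumption that clientcontrol.exe is on PATH are hypothetical, and it moves event.log to an archive folder rather than deleting it.

```bat
@echo off
rem Added example: archive and reset the HIPS event.log.
rem Assumptions (not from the thread): clientcontrol.exe is on PATH; the log
rem directory, archive directory and unlock password are passed as arguments.
setlocal
set "LOGDIR=%~1"
set "ARCHIVE=%~2"
set "HIPSPW=%~3"
if "%HIPSPW%"=="" (
    echo usage: %~nx0 ^<log dir^> ^<archive dir^> ^<password^>
    exit /b 2
)

rem ClientControl /stop needs an elevated prompt on Vista and later;
rem "net session" fails when the session is not elevated.
net session >nul 2>&1
if errorlevel 1 (
    echo Not elevated; HIPS left running, nothing changed.
    exit /b 1
)
if not exist "%LOGDIR%\event.log" (
    echo No event.log in "%LOGDIR%".
    exit /b 1
)
set "DEST=%ARCHIVE%\%COMPUTERNAME%-event.log"
if exist "%DEST%" (
    echo "%DEST%" already exists; collect it before running again.
    exit /b 1
)

set RC=0
clientcontrol.exe /stop %HIPSPW%
rem The move doubles as the check that the stop worked: while the service
rem still holds event.log open, the move fails and the log stays in place.
move "%LOGDIR%\event.log" "%DEST%" >nul 2>&1
if errorlevel 1 (
    echo event.log is still locked; check ClientControl.log.
    set RC=1
)
rem Start protection again whether or not the move succeeded.
clientcontrol.exe /start
exit /b %RC%
```

The unconditional `/start` at the end keeps a failed run from leaving the endpoint with HIPS stopped.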
andy5340
Level 9

Re: Want to clear/reset HIP event.log via command-line

Of course, thank you. I think I can make this work via a batch script.

0 Kudos

Re: Want to clear/reset HIP event.log via command-line

Answer solved but not a good one.

As a Team, we need to ensure that the HIPS ClientControl tool is readily available, integrate it into the ePO Console, or have a way to clear the HIPS Events Table through policy pushed to the managed endpoints.

*How is the HIPS ClientControl tool attained? Technical Support? Wait in Queue for something that McAfee is fully aware of, not cool!

Thank you

0 Kudos