Former Member
Message 1 of 21

Firewall events logged on workstation but not forwarded to ePO

On my dashboard I have a monitor that shows the firewall events for my workstation. Until a week or so ago it had been working fine. The monitors for my workstation no longer show any events being received; however, I can see the results being collected for the Domain Controllers.

I checked the Endpoint Security Module and it also shows no firewall events in the Event Log.

I can, however, navigate to the local folder C:\Program Data\McAfee\Endpoint Security\Logs and see the events being logged in the Firewall Activity.log file.

Before I had the issue I had uninstalled the Agent on my workstation and all associated products. I re-installed it manually with a FramePkg and then all of the products were pushed out from ePO in the Product Deployment.

Is there something I missed that needs to be configured to send the logs from my local logs to ePO?

McAfee ePolicy Orchestrator McAfee Endpoint Security 

20 Replies
cdinet
McAfee Employee
Message 2 of 21

Re: Firewall events logged on workstation but not forwarded to ePO

If you reinstalled the agent, are you sure there is no duplicate entry for the system in epo?  If you removed the agent or did a forceinstall, most likely it created a duplicate entry.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Former Member
Message 3 of 21

Re: Firewall events logged on workstation but not forwarded to ePO

There is no duplicate system in the system tree if that's what you mean. When I go to my container there is only one entry for my workstation and it shows all of the policies applied to the system. 

Is there a different place I should be looking for a duplicate other than the system tree?

cdinet
McAfee Employee
Message 4 of 21

Re: Firewall events logged on workstation but not forwarded to ePO

No, the system tree is where it would be - at my org and choose this container and all sub containers.  If no duplicate, then follow kb53035 to pin it down.  What errors are in the eventparser log?  That is located in the epo install directory, db\logs.


Former Member
Message 5 of 21

Re: Firewall events logged on workstation but not forwarded to ePO

I went through the KB article and I do not have a service clearly marked as McAfee Framework service. I have multiple McAfee services that are all running though. 

Also I could not find the eventparser logs. Is there a more direct file path that you could give me? 

I went to Program Data\McAfee\Agent\DB but that doesn't seem to be where you intended.

cdinet
McAfee Employee
Message 6 of 21

Re: Firewall events logged on workstation but not forwarded to ePO

The framework service was for the older agent; now it is McAfee Agent, or the masvc process. The eventparser log is located on the ePO server in the ePO install directory, wherever you installed it, then in the db\logs sub folders.

The agent log that would log sending events is the masvc log in programdata\mcafee\agent\logs.


Former Member
Message 7 of 21

Re: Firewall events logged on workstation but not forwarded to ePO

In the masvc_LABPC3 log located on my workstation I have logs up to current time, as well as in the FirewallEventMonitor log. 

I logged into the ePO server and the eventparser_EPO01 log only shows one error every couple days which is mfefips_SSLSubSys.cpp(236): Error writing x amount of SSL bytes to (IP Address) (-1 returned)

Hem
McAfee Employee
Message 8 of 21

Re: Firewall events logged on workstation but not forwarded to ePO

I would check if events are accumulating in the \AgentEvents folder on the client machine (C:\ProgramData\McAfee\Agent\AgentEvents). Do you get any error message when you open Agent Monitor and click 'Send Events'?

As suggested, I would check the event parser log on the ePO server (\ePO\DB\logs) for any error message during event parsing.


Former Member
Message 9 of 21

Re: Firewall events logged on workstation but not forwarded to ePO

@Hem 

Inside the Agent Events folder there are two folders labeled "Bad" and "Upload" and then several XML files.

There is nothing in the "Bad" folder but the "Upload" folder had items in it until I clicked Send Events on the status monitor. The same thing happens to the XML files when I click Send Events so I assume that it's working correctly?

After I send events I still have zero events on my dashboard or on the Endpoint Security Module. However when I open the Firewall_Activity log it shows events. Granted there seems to be a discrepancy with time. The local time is January 2nd 9:57 but the log is reading 2020-01-02 14:54:17

Former Member
Message 10 of 21

Re: Firewall events logged on workstation but not forwarded to ePO

Disregard the timing issue, I just realized it's logging in Zulu.
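
The AgentEvents check discussed in messages 8 and 9, written out as a PowerShell script. This is an added example, not part of the thread and not McAfee tooling. The folder path and the "Upload" and "Bad" names are taken from the posts above; the parameter names, the `Get-QueueSnapshot` helper and the 60-second window are assumptions made for illustration.

```powershell
# Added example, not McAfee code. Path and folder names ("Upload", "Bad",
# loose XML files in the root) are as reported in the thread.
param(
    [string]$AgentEvents = 'C:\ProgramData\McAfee\Agent\AgentEvents',
    [int]$WaitSeconds = 60   # assumed window in which you click "Send Events"
)
if (-not (Test-Path -LiteralPath $AgentEvents)) { throw "Not found: $AgentEvents" }

function Get-QueueSnapshot {   # hypothetical helper name
    param([string]$Root)
    $areas = [ordered]@{
        Pending = $Root
        Upload  = Join-Path $Root 'Upload'
        Bad     = Join-Path $Root 'Bad'
    }
    foreach ($name in $areas.Keys) {
        $files  = @(Get-ChildItem -LiteralPath $areas[$name] -File -ErrorAction SilentlyContinue)
        $oldest = $files | Sort-Object LastWriteTimeUtc | Select-Object -First 1
        [pscustomobject]@{
            Area      = $name
            Count     = $files.Count
            # UTC, so it lines up with the Zulu timestamps in the local logs
            OldestUtc = if ($oldest) { $oldest.LastWriteTimeUtc } else { $null }
        }
    }
}

$before = @(Get-QueueSnapshot -Root $AgentEvents)
Start-Sleep -Seconds $WaitSeconds
$after  = @(Get-QueueSnapshot -Root $AgentEvents)

$report = foreach ($b in $before) {
    $a = $after | Where-Object { $_.Area -eq $b.Area }
    [pscustomobject]@{ Area = $b.Area; Before = $b.Count; After = $a.Count; OldestUtc = $a.OldestUtc }
}
$report | Format-Table -AutoSize

$bad     = $report | Where-Object { $_.Area -eq 'Bad' }
$waiting = ($report | Where-Object { $_.Area -ne 'Bad' } | Measure-Object -Property After -Sum).Sum
if ($bad.After -gt $bad.Before) {
    Write-Warning 'New files appeared in Bad during the window.'
} elseif ($waiting -gt 0) {
    Write-Warning "$waiting file(s) still queued after the window; check the masvc log."
} else {
    Write-Output 'Queue is empty and Bad did not grow; continue on the ePO server (eventparser log).'
}
```

Run it on the workstation and click Send Events in the agent status monitor while it waits; the before/after counts show whether the local queue drained.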
