I recently called into McAfee support and had them help me set up some user-defined access protection rules. The tech pointed me to the log, but after further review it's only the log for the local server. We put these rules into report mode and I do not know where to find the logs so I could see what would be blocked if they were in block mode. Where would I be able to find the logs to see what would be blocked if these rules we created were turned on?
I know where to get the local results from the server. I can see what would be blocked on the server locally. What I am looking for is where I see the logs for the clients. Where are the logs for the clients collected and placed on the server? I need to know what is being blocked on the clients for the user-defined rules. I don't want to go to 3000 clients and see what is being blocked on each one. I want to go to the server and see what is being blocked on the clients. Where are the logs for the clients' access protection rules on the server?
Well, you will not be able to get the log on the server. You can, from ePO, create an automated response to receive emails when an AP event is triggered (which I do not recommend, as you will be flooded with emails). You could check McAfee SIEM, which may give you the functionality that you are looking for.
This is an example of how to create one for event 1203 (On-demand scan complete).
You should do the same but for event 1095.
Please make sure that you have this event enabled. To do that, please log in to your ePO and then go to Menu - Configuration - Server configuration and then select the option Event filter. Please make sure that you have event 1095 ticked.
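Added example, not from the thread: if you have read access to the ePO SQL Server database, the 1095 events that the automated response above would fire on can also be listed there per client, which answers the "which clients, which rule" question without touching each machine. The table and column names (dbo.EPOEvents, ThreatEventID, TargetHostName, ThreatName, SourceProcessName, TargetFileName, ReceivedUTC) are assumed from the standard ePO schema, and it is assumed the rule name lands in ThreatName; check them against your ePO version.

```sql
-- Summary: which clients would be affected, and by which user-defined
-- Access Protection rule, if the rules were moved from report to block mode.
-- Event 1095 = AP rule violation detected and NOT blocked (report mode),
-- as referenced in the thread. Schema names below are assumptions.
SELECT
    e.TargetHostName                       AS ClientHost,
    e.ThreatName                           AS AccessProtectionRule,  -- assumed: rule name stored here
    COUNT(*)                               AS Hits,
    MIN(e.ReceivedUTC)                     AS FirstSeenUTC,
    MAX(e.ReceivedUTC)                     AS LastSeenUTC
FROM dbo.EPOEvents AS e
WHERE e.ThreatEventID = 1095
  AND e.ReceivedUTC >= DATEADD(day, -7, GETUTCDATE())   -- last 7 days of reporting
GROUP BY e.TargetHostName, e.ThreatName
ORDER BY Hits DESC, ClientHost;

-- Detail: which process touched which target on which client, newest first.
-- Use this to spot legitimate software that a rule would break before enabling block mode.
SELECT TOP (200)
    e.ReceivedUTC,
    e.TargetHostName                       AS ClientHost,
    e.ThreatName                           AS AccessProtectionRule,
    e.SourceProcessName,                   -- assumed: offending process
    e.TargetFileName                       -- assumed: file/registry target
FROM dbo.EPOEvents AS e
WHERE e.ThreatEventID = 1095
ORDER BY e.ReceivedUTC DESC;
```

Events only appear here if the client sends them and 1095 is not filtered out in the Event filter setting mentioned above.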