Hi, this is my setup (clean install of the ePO server, not an upgrade; this is a new installation altogether):
ePO Build: ePolicy Orchestrator 5.0.0 (Build: 1160)
McAfee Agent 4.8.0.641
McAfee VirusScan Enterprise 8.8.0 (1128)
I installed ePO 5.0 on a Windows 2012 server and installed the Agent on a couple of workstations to get things going. I wanted to see how reporting works, so I triggered a threat event on my workstation with EICAR. I got the alert on screen and I went to the server, only to see that it didn't show up there. So I read a bit about the process of a threat detection event, from the local machine all the way through to the server.
I can see events building up in the C:\ProgramData\McAfee\Common Framework\AgentEvents directory. If I manually send them through the Agent Monitor, they apparently get processed and deleted from the directory. However, when I go to the ePO server's Threat Event Log, I don't see anything there.
Am I missing something? Do I need a special extension to process the threat events?
[edit] I will add that I checked the 'Event Filtering' option under 'Server Configuration' on the ePO server and everything seemed checked and OK.
Message was edited by: kkspike on 11/04/13 10:39:08 CDT AM
Hi
On ePO, could you check here for events? Events from the client Events folder are placed here first by Apache.
C:\Default directory\McAfee\ePolicy Orchestrator\DB\Events
Thanks
Check the eventparser log on the ePO server - attach it here if you'd like us to have a look. I'd guess that the events are getting as far as ePO but not making it into the database - this is usually a problem with the event parser and / or the reporting extensions for the various products.
Thanks -
Joe
Thanks for your quick reply, guys, here is the eventparser.log file. I notice I see a couple of these lines:
Skipping <VirusDetectionEvent>, no plugin available.
So I assume there is something I'm missing. I remember trying to add VIRUSCANREPORTS120(183).zip as an extension, but it told me that it wasn't compatible with ePO 5.0. I assumed that it was only needed in ePO 4.x. Could that be it?
[edit] There you go! I imported the latest versions of VIRUSCAN8800(348).zip and VIRUSCANREPORTS120(228).zip and everything started working. Thanks for the tip!
Message was edited by: kkspike on 11/04/13 12:31:48 CDT PM
No problem, glad it's OK now
Joe
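The eventparser log check discussed in this thread can be scripted. The following is an added example, not part of any post above and not McAfee code: it summarizes which event types the parser skipped with "no plugin available". Only that message text comes from the thread; the line prefix, the other sample lines and the name ExampleOtherEvent are constructed assumptions.

```python
import re
import sys
from collections import OrderedDict

# Only the message text is taken from the thread. Whatever precedes it on a
# real log line (timestamp, severity, thread id) is not shown on the page,
# so the pattern is unanchored and ignores any prefix.
SKIP_RE = re.compile(r"Skipping\s+<([^<>]+)>,\s*no plugin available", re.IGNORECASE)

# Constructed sample; the prefix layout and the non-"Skipping" lines are
# invented for illustration, and ExampleOtherEvent is a hypothetical name.
SAMPLE_LOG = """\
2013-11-04 10:41:02 I constructed: started processing event file
2013-11-04 10:41:02 W Skipping <VirusDetectionEvent>, no plugin available.
2013-11-04 10:41:03 I constructed: finished processing event file
2013-11-04 10:52:17 W Skipping <VirusDetectionEvent>, no plugin available.
2013-11-04 10:52:18 W Skipping <ExampleOtherEvent>, no plugin available.
"""


def skipped_events(lines):
    """Map each skipped event type to its count and first/last line number."""
    summary = OrderedDict()
    for lineno, line in enumerate(lines, start=1):
        match = SKIP_RE.search(line)
        if match is None:
            continue
        entry = summary.setdefault(
            match.group(1).strip(), {"count": 0, "first_line": lineno}
        )
        entry["count"] += 1
        entry["last_line"] = lineno
    return summary


def format_report(summary):
    """One line per event type the parser skipped."""
    if not summary:
        return ["No events were skipped for a missing plugin."]
    return [
        f"{name}: skipped {e['count']}x (lines {e['first_line']}-{e['last_line']}); "
        "check that the product's reporting extension is installed"
        for name, e in summary.items()
    ]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a copy of the log
        with open(sys.argv[1], errors="replace") as handle:
            result = skipped_events(handle)
    else:
        result = skipped_events(SAMPLE_LOG.splitlines())
    print("\n".join(format_report(result)))
```

Run it with the path to a copy of the log as the only argument; with no argument it processes the constructed sample.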