Automatic Responses Not Triggering

I have an AR set up to send an email whenever there is a block and the OS type is server. This was set up so we can see if something on the servers was getting blocked that we didn't want blocked. This has worked fine up until about 2 weeks ago, then it just stopped. I have verified the SMTP server is set up correctly by sending a test email to myself (which I received). So for troubleshooting purposes, I changed it to just blocked, with no OS type, and still nothing. I was wondering where else I can look for errors to see what is stopping this.

Accepted Solutions
Re: Automatic Responses Not Triggering

Restart the ePO services. We had an AR set up for viruses in a certain container; the AR stopped working out of nowhere and McAfee support told us to restart the McAfee services (all 3 of them). It started working thereafter.

5 Replies

Re: Automatic Responses Not Triggering

Logging in this area is thin on the ground unfortunately, but the three logs to consider are: epoapsvr.log, server.log and orion.log. Specifically orion.log when debug logging is enabled for that file.

The notifications are set to sweep every 60 seconds for new triggers I believe. Debug orion logging is otherwise very noisy though.

See: KB52369 - How to enable debug logging to capture details in the Orion.log to troubleshoot console log on issues

You should at least be seeing the rules sweep every minute, and when your rule is triggered it should be recorded too.

Rgds,

Rob.

Re: Automatic Responses Not Triggering

And the first thing would be that the events are appearing in ePO, e.g. Threat event protocol or reporting.

Regards Tom

apoling
Level 14
Message 4 of 6

Re: Automatic Responses Not Triggering

Hi,

In addition, you could check directly in the database whether the events that earlier triggered this AR have or have not stopped coming.

Also, some apply IP restrictions on internal SMTP servers to stop abuse; maybe it is worth checking if the ePO server IP is on the allowed list for the SMTP server and no one did a trick with you, etc.

Attila

whh
Level 8
Message 6 of 6

Re: Automatic Responses Not Triggering

Checking the orion logs is a good idea. For my issue, I've found instances of

Error processing notification. Operation aborted.

and

Reference to unknown table:epoThreatEvent

Looks like something is whacky with the schema.

Has anyone seen this? What was the solution?
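
An added example, not part of any post in this thread and not McAfee code: a small Python script that scans a copy of orion.log for the two messages quoted in the last post and reports when each first and last appeared, so the start of the errors can be compared with the date the Automatic Response stopped firing. The timestamp layout and the sample lines are assumptions constructed for illustration.

```python
import re
import sys
from collections import Counter

# The two messages quoted in the last post of this thread.
MESSAGES = (
    "Error processing notification. Operation aborted.",
    "Reference to unknown table:epoThreatEvent",
)
# Assumption: each log entry starts with "YYYY-MM-DD HH:MM:SS"; adjust if not.
TS = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})")

# Constructed sample lines (not taken from a real ePO server).
SAMPLE = """\
2015-03-01 09:14:02,101 INFO  [worker-1] constructed: notification sweep finished
2015-03-02 09:15:02,412 ERROR [worker-1] Error processing notification. Operation aborted.
java.lang.RuntimeException: constructed stack trace line
Caused by: Reference to unknown table:epoThreatEvent
2015-03-03 10:00:07,003 ERROR [worker-2] Error processing notification. Operation aborted.
""".splitlines()

def summarize(lines):
    """Return {message: {"first": ts, "last": ts, "per_day": Counter}}."""
    found = {}
    stamp = None  # timestamp of the most recent entry header
    for line in lines:
        m = TS.match(line)
        if m:
            stamp = f"{m.group(1)} {m.group(2)}"
        for msg in MESSAGES:
            if msg in line:
                # Continuation lines (stack traces) carry no timestamp, so
                # they inherit the one from the entry they belong to.
                rec = found.setdefault(
                    msg, {"first": stamp, "last": stamp, "per_day": Counter()})
                rec["last"] = stamp
                rec["per_day"][stamp[:10] if stamp else "unknown"] += 1
    return found

if __name__ == "__main__":
    # Pass a path to a copy of orion.log; with no argument SAMPLE is used.
    lines = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    for msg, rec in summarize(lines).items():
        print(msg, "| first:", rec["first"], "| last:", rec["last"],
              "| per day:", dict(rec["per_day"]))
```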
