EPO server not triggering Automatic notification

Hi,

I have written an extension, which reads data from a partner DB and then populates the event table in the ePO server.

I can see the new event getting listed on the Threat Event Log page.

Now I want to send an email notification if these events occur, so I have configured a new Automatic Response, which sends email.

Whenever I trigger the event, it's getting listed on the event logs page, but the AR is not getting triggered at all.

Need help.

Thanks,

Junaid

6 Replies
McAfee Employee cdinet
Message 2 of 7

Re: EPO server not triggering Automatic notification

Does the event have an event id?  How specifically are you configuring the response to trigger?  If you look at the orion log, it should show you information on evaluating the criteria of the response.  You can also add an additional logger for responses in the log-config.xml instead of all debug logging enabled.  See KB52369 for location of that file.

<logger name="com.mcafee.epo.notifications">
  <level value="debug"/>
</logger>

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: EPO server not triggering Automatic notification

I don't have an event id, I have a threat event id. I am implementing an agentless event.

I have updated the log file as per your suggestion, but I do not see much difference.

The one thing which I can see is:

2017-12-06 11:46:08,998 DEBUG [scheduler-InternalTask-thread-7] dispatcher.NotificationDispatcherInternalTask  - NotificationDispatcherInternalTask Running...

2017-12-06 11:46:08,998 DEBUG [scheduler-InternalTask-thread-7] dispatcher.ThreatNotification  - Begin execute: currentTimeMillis= 1512540968998

2017-12-06 11:46:09,014 DEBUG [scheduler-InternalTask-thread-7] dispatcher.ThreatNotification  - Done getting new events: currentTimeMillis= 1512540969014

2017-12-06 11:46:09,019 INFO  [scheduler-InternalTask-thread-7] dispatcher.ThreatNotification  - Dispatched events: 0

2017-12-06 11:46:09,020 DEBUG [scheduler-InternalTask-thread-7] dispatcher.ThreatNotification  - End execute: currentTimeMillis= 1512540969020

2017-12-06 11:46:09,028 INFO  [scheduler-InternalTask-thread-7] dispatcher.StatusNotification  - No events to dispatch

Does the log file help in resolving the issue?

McAfee Employee cdinet
Message 4 of 7

Re: EPO server not triggering Automatic notification

No, go ahead and remove that logger and enable normal debug logging for orion per KB52369. Once enabled, generate an event that should trigger the response. Then check the orion log for it evaluating the criteria for triggering or not. You can attach the orion log if you like.


Re: EPO server not triggering Automatic notification

I did enable the log.

My automatic response name is acalvio123.

When I restart my ePO server, I can see the following log line:

"2017-12-06 16:55:36,540 DEBUG [main] impl.RuleServiceImpl  - Rule 'Acalvio123' will not be returned for the following reason(s): The Event Type is not registered: epoThreatEvent."

I can see the event getting listed on the events log page, but the auto response is not triggering.

McAfee Employee cdinet
Message 6 of 7

Re: EPO server not triggering Automatic notification

It needs to be registered as an event - how specifically are you creating the event? Does it have an event ID that shows up in the event filtering list in server settings? If not, it may not trigger. You might want to post on the McAfee open source or tool exchange forum to get assistance with creating your extension that defines the event.


McAfee Employee JoeBidgood
Message 7 of 7

Re: EPO server not triggering Automatic notification

If you create a rule for a different event, does it trigger correctly? For example a threat detection event for the EICAR test? There may be a problem with ARs in general as opposed to your specific extension.
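
The following is an added example, not part of any post in this thread and not McAfee code: a small triage script that pulls the two signals discussed above out of an orion log, namely rules the rule service declines to return (with the stated reason) and the per-cycle "Dispatched events" count. The line format and message texts are taken from the log lines quoted in the thread; the function name `triage` and the embedded sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, assembled from the orion log lines quoted in this thread.
SAMPLE_LOG = """\
2017-12-06 11:46:09,019 INFO  [scheduler-InternalTask-thread-7] dispatcher.ThreatNotification  - Dispatched events: 0
2017-12-06 11:46:09,028 INFO  [scheduler-InternalTask-thread-7] dispatcher.StatusNotification  - No events to dispatch
2017-12-06 16:55:36,540 DEBUG [main] impl.RuleServiceImpl  - Rule 'Acalvio123' will not be returned for the following reason(s): The Event Type is not registered: epoThreatEvent.
"""

# timestamp, level, [thread], logger, " - ", message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]+)\] "
    r"(?P<logger>\S+)\s+- (?P<msg>.*)$"
)
SKIP_RE = re.compile(
    r"Rule '(?P<rule>[^']+)' will not be returned "
    r"for the following reason\(s\): (?P<reason>.+)$"
)
DISPATCH_RE = re.compile(r"Dispatched events: (?P<n>\d+)$")


def triage(log_text):
    """Return rules that were skipped (with reasons) and dispatch counts."""
    skipped = defaultdict(list)   # rule name -> [(timestamp, reason), ...]
    dispatched = []               # [(timestamp, event count), ...]
    for raw in log_text.splitlines():
        # Tolerate lines pasted with surrounding quotes, as in the thread.
        m = LINE_RE.match(raw.strip().strip('"'))
        if not m:
            continue  # stack traces, continuation lines, blank lines
        ts, msg = m.group("ts"), m.group("msg")
        skip = SKIP_RE.match(msg)
        if skip:
            skipped[skip.group("rule")].append((ts, skip.group("reason")))
            continue
        disp = DISPATCH_RE.match(msg)
        if disp:
            dispatched.append((ts, int(disp.group("n"))))
    return {"skipped": dict(skipped), "dispatched": dispatched}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rule, hits in result["skipped"].items():
        for ts, reason in hits:
            print(f"{ts}  rule {rule!r} skipped: {reason}")
    for ts, n in result["dispatched"]:
        print(f"{ts}  dispatched {n} event(s)")
```

A rule that appears under `skipped` while every dispatch cycle reports zero events matches the situation described in this thread: the event is logged, but the response rule is never evaluated against it.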
