cancel
Showing results for 
Search instead for 
Did you mean: 

ODS completed #KB69428

Hey, so i followed this article https://kc.mcafee.com/corporate/index?page=content&id=KB69428 and cant make it work with ENS 10.6.1. with May update, ePO 5.10 Update 3, agent 5.6.1.157. I believe problem is that events 1203 or 34855 are not logging or not sending to ePO even if i have all settings in policy right and i can see that ODS actually runned (there are some events that scan cannot access some files and i have checked local log). I dont see events 1203 or 34855 in ePO at all, so tags on systems cant be applied and therefore final dashboard cant work. How can i troubleshoot this? thanks

11 Replies

Re: ODS completed #KB69428

BTW i think, that there are 2 mistakes in article KB69428 and thats in 6.k:

"On the newly added second Action, select the following:"

should be 

"On the newly added THIRD Action, select the following:"

 

and again 6.k 

  • Run Query
  • Event 34855 (ENS) or Event 1035 (VSE)
  • Clear Tag
  • Scan Cancelled

should be 

  • Run Query
  • Event 34855 (ENS) or Event 1035 (VSE)
  • APPLY TAG
  • Scan Cancelled

 

not a big mistake, but for someone who is making queries and reports for a first time it could be pretty confusing.

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 3 of 12

Re: ODS completed #KB69428

Thanks, I will check out the kb.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 4 of 12

Re: ODS completed #KB69428

I made the necessary changes - it might take a couple of days to get re-published.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 5 of 12

Re: ODS completed #KB69428

Go into event filtering and verify those events are enabled.  On the client side, you can verify the clients are getting updated event filter info by viewing the evtfiltr.ini file in c:\programdata\mcafee\agent.  They should not be listed there as a disabled event.

Those events also will probably be sent on next asci instead of immediately, so make sure there are no agent-server communication errors or failures to send events. 

On the epo server side, you should check the eventparser log to ensure no issues there parsing events.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: ODS completed #KB69428

Go into event filtering and verify those events are enabled. 

- yes, enabled

On the client side, you can verify the clients are getting updated event filter info by viewing the evtfiltr.ini file in c:\programdata\mcafee\agent.  They should not be listed there as a disabled event.

this is EvtFiltr.ini - from where this list is generated? i guess 1203 shouldnt be listed here...

[EventFilter] Version=6420 AcceptEventsFromAnySource=1 DisabledEvent=1000;1001;1002;1003;1004;1005;1029;1034;1043;1044;1051;1059;1063;1064;1065;1066;1070;1087;1088;1089;1090;1100;1118;1120;1122;1200;1201;1202;1203;1204;1509;1510;1700;1701;1708;1709;1710;1711;1713;1714;1715;1716;1718;1720;1725;1726;1800;1900;2005;2015;3000;3003;3006;3009;3010;3016;3039;3048;3049;4700;4701;4702;

 

Those events also will probably be sent on next asci instead of immediately, so make sure there are no agent-server communication errors or failures to send events. 

-agent-server communication is fine

On the epo server side, you should check the eventparser log to ensure no issues there parsing events.

- how do i check this? i have checked classic windows logs and there is no related strange behavior

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 7 of 12

Re: ODS completed #KB69428

Correct, 1203 should not be in that list if it is enabled.  There was an issue with one version of epo that it wasn't getting updated unless there was a change to the event filtering in epo.  Go back to server settings, enable some random event, save it, then go back and disabled it again and then send wakeup call to client to see if things change.

The eventparser log is located in the epo install directory under db\logs.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: ODS completed #KB69428

great, changing server settings actually updated EvtFiltr.ini.

eventparser log looks also fine, so i'll let you know next week after ODS complete, if everything is alright.

thank you for now

Re: ODS completed #KB69428

So yesterday was a scan day. ODS completed tags are applied, but ODS not completed arn't. I assume its because they wasn't canceled, they didn't even started (because systems was offline).

Can i work around this somehow? Like apply tag to systems, which wasnt scanned in last week?

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 10 of 12

Re: ODS completed #KB69428

I suppose you can run a query that looks for systems that did not start a scan or doesn't have the scan completed event and then tag those systems.  Basically filter it on does not have event id (whatever ID you are looking for).

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

More McAfee Tools to Help You

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community