Am not sure what exactly are you trying to achieve here. You can monitor specific action based on Event not by task. If you would like to monitor event for On-Demand Scan start and stop, yes it is achievable. Correct me if my understanding is wrong.
Yes, sorry if i was not more specific. I would like to monitor when we Start / stop or when this specific task has finished in one place. And not trying to dig through the Server task log for the specific event. I would ideally like a dashboard to be able to give to my analysts for this specific server task
Okay. First enable below event id's from Eventfiltering ePO--> server settings. Then send a wakeup to all machines to get these event ID updated on client.
|1202||On-demand scan started||Informational|
|1203||On Demand scan complete||Informational|
Perform a test task on single machine and confirm if you are able to see the Start ID (1202)under Threat event log. If yes, then follow the below article to create a queries and reports.
Was my reply helpful?
If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a Solution" if this reply resolves your query!
I've looked at my host and when I kick off a "run client now" task for Policy based on-demand scan in ENS: Threat Prevention, nothing shows up in threat event log as 1202 or 1203. The only log of this shows up in server task log as the attached log I have on this thread.
Check if the event's are selected under Event filtering. Then go to the client machine and verify if the selected ID's applied in EvtFilter file from"<programdata/mcafee/agent/agentdata/". The selected ID's should not be listed.
Also you have to enable these ID's in ENS policy. Goto policy catalog-->common-->edit the policy-->show advanced-->look for the Event logging-->you have to select "ALL" under On-Demand Scan.
Once done, apply the policy to the test machine and reproduce once again. It should work.
Could i create a query for this? I used kb82149 - but did not see my on-demand scan that I created in "run client task now" nor did i find a way to sort by "Start time" etc
How often are you running scans using a run client task now? Honestly, that is not a very good idea to do and here is why. Run client task now (rctn) is designed for small number of clients and tasks that aren't of a long duration. What happens with a rctn is that epo sends this task to an agent and all the while waiting on the return status of that task for its completion. This will keep that datachannel session open the whole time a scan is running, which can make the server busy if you are running too many at a time for long periods of time. An on demand scan is much better suited as an assigned client task. If you do that, you can query based on the event id's that were mentioned by others.
That being said, you can go to queries, new query, choose logging as the feature group, then choose task log entries. From there you can filter based on the available options, such as name contains.... whatever you choose as well as filter on other available options.
The only way you can sort the output is after you actually run the query. In mine, it sorted it by start date automatically from oldest to newest. That may vary depending on parameters that you use.
Also, some query types are not suitable as a dashboard monitor, especially if it is one that would contain a bunch of rows of data. If it isn't a supported query type, you won't see it as an available query to add as a monitor in the dashboard. You might need to use a pie chart of something, but try it out first the way you want it to look.
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?