Logging in this area is thin on the ground unfortunately, but the three logs to consider are: epoapsvr.log, server.log and orion.log. Specifically orion.log when debug logging is enabled for that file.
The notifications are set to sweep every 60 seconds for new triggers I believe. Debug orion logging is otherwise very noisy though.
See: KB52369 - How to enable debug logging to capture details in the Orion.log to troubleshoot console log on issues
You should at least be seeing the rules sweep every minute, and when your rule is triggered it should be recorded too.
And the first thing would be to check that the events are appearing in ePO, e.g. in the Threat event protocol or reporting.
In addition, you could check directly in the database whether the events that earlier triggered this AR have stopped coming or not.
Also, some apply IP restrictions on internal SMTP servers to stop abuse; maybe it is worth checking whether the ePO server IP is on the allowed list for the SMTP server and no one played a trick on you, etc.
Restart the ePO services. We had an AR set up for viruses in a certain container; the AR stopped working out of nowhere and McAfee support told us to restart the McAfee services (all 3 of them). It started working thereafter.
Checking the orion logs is a good idea. For my issue, I've found instances of
Error processing notification. Operation aborted.
Reference to unknown table:epoThreatEvent
Looks like something is whacky with the schema.
Has anyone seen this? What was the solution?