5 Replies Latest reply: Feb 14, 2013 10:27 AM by Kary Tankink

    Automated log generation for HIPS 8

    schalterschorsch

      Hello,

       

      As a part of local IT second level, I am automating the collection of log files for several issues we are encountering.

      As I found, the logs located in "C:\ProgramData\McAfee\Host Intrusion Prevention" are not as detailed as we need them to be.

      Sometimes it is necessary to collect the detailed logs from Host Intrusion Prevention.

       

      Until now we do the following by hand to collect the logs:

      - manage Features / HIPS

      --> toggle to the activity-log and press "export"

       

      How can I automate that log export?

       

       

      Thanks and Best Regards

        • 1. Re: Automated log generation for HIPS 8
          Kary Tankink

          PD23014 - Host Intrusion Prevention 8.0 ClientControl.exe Utility Readme

          Exporting the Host IPS Activity Log to a text file.

          1. Open a command shell.

          2. Run clientcontrol.exe /export <path of export file>

          3. Copy the exported log file to another computer for collection, analysis, etc.

          • 2. Re: Automated log generation for HIPS 8
            schalterschorsch

            Hello Kary,

             

            thank you for your suggestion.

            Both logs contain information about the HIPS; however, the way it is displayed is different.

             

            Here is one entry from the mcafeefirelog.txt from the desktop, manually exported:

             

            Time:     11.02.2013 08:42:34

            Event:     Traffic

            IP Address/User:     10.18.212.173

            Message:     Blocked Incoming UDP -  Source 10.18.212.173 :  (17500)  Destination 255.255.255.255 :  (17500)

            Matched Rule:     Block All Traffic

             

            And here is one exported with clientcontrol.exe:

             

            Time:             11.02.2013 09:08:43

            Event Type:         Traffic

            IP Address:         10.18.212.189

            Sniffer CAP:        

            Rule ID:        

            Protocol:         17

            Local IP Address:     255.255.255.255

            Local Port:         43440

            Remote IP Address:     10.18.212.189

            Remote Port:         50661

            Inbound:         True

            Permit:             False

            Process ID:         0

            Path:            

            Description:         Block All Traffic

             

             

            Unfortunately, the exported file is not as good to read as the manually exported one.

            Another issue I found is that the entries you get are not the same.

            I could not find the same entries for the same time in both logs for the example I posted above.

             

            Rgds

             

            Schorsch
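
The ClientControl export quoted above is one field per line, which is what makes it harder to read than the UI export. The following is an added example (not part of the thread and not McAfee code) that parses that field layout and rebuilds one line per event, modelled on the "Message" line of the UI export. Assumptions: every record starts with a `Time:` line, an inbound event's source is the remote address, and the word "Allowed" for permitted traffic is a hypothetical label.

```python
# IANA protocol numbers (17 = UDP, as in the record quoted in the thread).
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}

# The ClientControl record quoted in the thread, values as posted.
SAMPLE = """
Time:             11.02.2013 09:08:43
Event Type:         Traffic
IP Address:         10.18.212.189
Sniffer CAP:
Rule ID:
Protocol:         17
Local IP Address:     255.255.255.255
Local Port:         43440
Remote IP Address:     10.18.212.189
Remote Port:         50661
Inbound:         True
Permit:             False
Process ID:         0
Path:
Description:         Block All Traffic
"""

def parse_records(text):
    """One dict per record; a new record starts at each 'Time:' line (assumption)."""
    records = []
    for line in text.splitlines():
        # Split on the first ':' only, because values (times, paths) contain colons.
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue  # blank line or text without a field separator
        if key == "Time" or not records:
            records.append({})
        records[-1][key] = value
    return records

def summarize(rec):
    """One line per event, modelled on the Message line of the UI export."""
    inbound = rec.get("Inbound") == "True"
    verdict = "Allowed" if rec.get("Permit") == "True" else "Blocked"  # "Allowed" is assumed wording
    proto = PROTOCOLS.get(rec.get("Protocol"), "protocol " + rec.get("Protocol", "?"))
    local = "{} : ({})".format(rec.get("Local IP Address"), rec.get("Local Port"))
    remote = "{} : ({})".format(rec.get("Remote IP Address"), rec.get("Remote Port"))
    src, dst = (remote, local) if inbound else (local, remote)  # assumed direction mapping
    return "{} {} {} {} - Source {} Destination {} [{}]".format(
        rec.get("Time"), verdict, "Incoming" if inbound else "Outgoing", proto,
        src, dst, rec.get("Description"))

if __name__ == "__main__":
    for record in parse_records(SAMPLE):
        print(summarize(record))
```

To use it on a real export, read the file written by `clientcontrol.exe /export <path of export file>` and pass its text to `parse_records`.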

            • 3. Re: Automated log generation for HIPS 8
              Kary Tankink

              This is correct.  The McAfeeFireLog.txt (your first example; non-ClientControl log) has no automated export process; it must be manually exported by clicking on the EXPORT option in the Host IPS Client UI.

              • 4. Re: Automated log generation for HIPS 8
                schalterschorsch

                Hello Kary,

                 

                it would be great if such a feature could be implemented in the future; that could save me a lot of work.

                 

                Thanks for your answer

                • 5. Re: Automated log generation for HIPS 8
                  Kary Tankink

                  Please submit a PER if you'd like to request functionality in a future product version.

                   

                  KB60021 - Information about Product Enhancement Requests for McAfee products

                  https://kc.mcafee.com/corporate/index?page=content&id=KB60021