5 Replies Latest reply on May 19, 2015 4:30 AM by Aidan

    Inodes saturation due to McAfee VSEL 1.9.x

    mziad.h

      Hello,

       

      We had inode saturation on the folder:

       

      /opt/McAfee/cma/scratch/AgentDB/Event/


      We upgraded VSEL from version 1.9.0 to version 1.9.1


      The problem is still persistent.


      Hard disk space is consumed by lots of txml files which are not being sent to ePO.


      We have temporarily stopped VSEL and agent service.


      The server contains mysql and exclusions are already present


      /home/databases/

      /home/databases/mysql/mysql-*[0-9]$/data/


      Can you help on this issue please?



      Thanks in advance.

       

      Ziad

        • 1. Re: Inodes saturation due to McAfee VSEL 1.9.x

          Are these files not getting sent up to ePO by the agent to determine what exactly they are related to???

          command to send them would be

          /opt/McAfee/cma/bin/cmdagent -F

          McAfee KnowledgeBase - McAfee Agent for Linux Command Line options

          If this fails it maybe a communication issue with ePO - you'd need to check agent logging

           

          If not sent, usually you can open the txml file in an editor/browser.

          It should have a section with <eventid>xxxx</eventid> where the xxxx is the event that would appear in ePO.

          Also possibly has <FileName>???????</FileName>  which would have the /<path>/<filename>

          • 2. Re: Re: Inodes saturation due to McAfee VSEL 1.9.x
            mziad.h

             

            Hello Aidan,


            Thanks for the information.

             

            As of that moment, the agent is not communicating with the ePO.

             

            Here are some logs from the txml file:

             

             

            <?xml version="1.0"?>
            <LinuxShieldEvent>
              <LinuxShieldSoftware ProductName="VirusScan Enterprise for Linux" ProductVersion="1.9.0.28822" ProductFamily="TVD">
                <EngineVersion Name="McAfeeEngine"></EngineVersion>
                <DatVersion></DatVersion>
                <ProductName>VirusScan Enterprise for Linux</ProductName>
                <ProductID>28</ProductID>
                <ProductVersion>1.9.0.28822</ProductVersion>
                <ProductFamily>TVD</ProductFamily>
                <DetectionInfo>
                  <EventID>1048</EventID>
                  <Severity>3</Severity>
                  <GMTTime>2015-04-30T16:11:59</GMTTime>
                  <FileName>/home/databases/tmp/#sql_314_0.MYI</FileName>
                  <VirusName></VirusName>
                  <VirusType>Unknown</VirusType>
                  <VirusDetectType>Unknown</VirusDetectType>
                  <UTCTime>2015-04-30T16:11:59</UTCTime>
                  <LocalTime>2015-04-30T18:11:59</LocalTime>
                  <TaskName>OAS</TaskName>
                </DetectionInfo>
              </LinuxShieldSoftware>
              <MachineInfo>
                <MachineName>biskot-wbdd-01</MachineName>
                <AgentGUID>{BA9ADA82-E4DC-E411-8AE7-000000000000}</AgentGUID>
                <IPAddress>172.19.59.240</IPAddress>
                <OSName>Linux</OSName>
                <UserName>mysql</UserName>
                <RawMACAddress>00:50:56:94:00:00</RawMACAddress>
              </MachineInfo>
            </LinuxShieldEvent>

             

             

             

            <?xml version="1.0"?>
            <LinuxShieldEvent>
              <LinuxShieldSoftware ProductName="VirusScan Enterprise for Linux" ProductVersion="1.9.0.28822" ProductFamily="TVD">
                <EngineVersion Name="McAfeeEngine"></EngineVersion>
                <DatVersion></DatVersion>
                <ProductName>VirusScan Enterprise for Linux</ProductName>
                <ProductID>28</ProductID>
                <ProductVersion>1.9.0.28822</ProductVersion>
                <ProductFamily>TVD</ProductFamily>
                <DetectionInfo>
                  <EventID>1048</EventID>
                  <Severity>3</Severity>
                  <GMTTime>2015-04-30T16:14:17</GMTTime>
                  <FileName>/home/databases/tmp/#sql_314_0.MYI</FileName>
                  <VirusName></VirusName>
                  <VirusType>Unknown</VirusType>
                  <VirusDetectType>Unknown</VirusDetectType>
                  <UTCTime>2015-04-30T16:14:17</UTCTime>
                  <LocalTime>2015-04-30T18:14:17</LocalTime>
                  <TaskName>OAS</TaskName>
                </DetectionInfo>
              </LinuxShieldSoftware>
              <MachineInfo>
                <MachineName>biskot-wbdd-01</MachineName>
                <AgentGUID>{BA9ADA82-E4DC-E411-8AE7-000000000000}</AgentGUID>
                <IPAddress>172.19.59.240</IPAddress>
                <OSName>Linux</OSName>
                <UserName>mysql</UserName>
                <RawMACAddress>00:50:56:94:00:00</RawMACAddress>
              </MachineInfo>
            </LinuxShieldEvent>

             

             

            <?xml version="1.0"?>
            <LinuxShieldEvent>
              <LinuxShieldSoftware ProductName="VirusScan Enterprise for Linux" ProductVersion="1.9.0.28822" ProductFamily="TVD">
                <EngineVersion Name="McAfeeEngine"></EngineVersion>
                <DatVersion></DatVersion>
                <ProductName>VirusScan Enterprise for Linux</ProductName>
                <ProductID>28</ProductID>
                <ProductVersion>1.9.0.28822</ProductVersion>
                <ProductFamily>TVD</ProductFamily>
                <DetectionInfo>
                  <EventID>1048</EventID>
                  <Severity>3</Severity>
                  <GMTTime>2015-04-30T16:26:43</GMTTime>
                  <FileName>/tmp/sess_345272a9f82666f885a4f143f785feb8</FileName>
                  <VirusName></VirusName>
                  <VirusType>Unknown</VirusType>
                  <VirusDetectType>Unknown</VirusDetectType>
                  <UTCTime>2015-04-30T16:26:43</UTCTime>
                  <LocalTime>2015-04-30T18:26:43</LocalTime>
                  <TaskName>OAS</TaskName>
                </DetectionInfo>
              </LinuxShieldSoftware>
              <MachineInfo>
                <MachineName>biskot-wbdd-01</MachineName>
                <AgentGUID>{BA9ADA82-E4DC-E411-8AE7-000000000000}</AgentGUID>
                <IPAddress>172.19.59.240</IPAddress>
                <OSName>Linux</OSName>
                <UserName>apache-80</UserName>
                <RawMACAddress>00:50:56:94:00:00</RawMACAddress>
              </MachineInfo>
            </LinuxShieldEvent>

             

            Do you think the exclusion syntax is OK for:

            /home/databases/mysql/mysql-*[0-9]$/data/


            Here are some logs from the agent put in the ticket:

             

             

            Regards,


            Ziad

            • 3. Re: Re: Inodes saturation due to McAfee VSEL 1.9.x

              Well, the two files quoted in the events are scan failures because of the file being locked (so it looks like locked tmp files from mysql and possibly an apache application????)

              /home/databases/tmp/#sql_314_0.MYI

              /tmp/sess_345272a9f82666f885a4f143f785feb8

               

              So the exclusion stated would not cover these since neither is in the subfolder /home/databases/mysql/

               

              Not sure I see a problem in the agent logs - but not an expert in agent! I'll see if anyone can check this further for us.

              You mention a ticket - I think you mean you have a VSEL (LXS) ticket open - do you have an Agent (MA) ticket open for the ePO comms issue in the agent??
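An added triage script (not from this thread, and not McAfee's code) that does by hand what replies 1 and 3 describe: pull EventID, FileName and UserName out of each txml in the agent event folder, count what is flooding the queue, and check each flagged path against the configured exclusions. The exclusion matching (glob over ancestor directories) is an assumption for illustration, not VSEL's own matcher, and the embedded events are constructed samples cut down from the ones quoted above.

```python
import os
import xml.etree.ElementTree as ET
from collections import Counter
from fnmatch import fnmatchcase

# Constructed samples, cut down from the txml events quoted in the thread.
SAMPLE_EVENTS = [
    '<?xml version="1.0"?><LinuxShieldEvent><LinuxShieldSoftware ProductVersion="1.9.0.28822">'
    '<DetectionInfo><EventID>1048</EventID><FileName>/home/databases/tmp/#sql_314_0.MYI</FileName>'
    '</DetectionInfo></LinuxShieldSoftware><MachineInfo><UserName>mysql</UserName></MachineInfo></LinuxShieldEvent>',
    '<?xml version="1.0"?><LinuxShieldEvent><LinuxShieldSoftware ProductVersion="1.9.0.28822">'
    '<DetectionInfo><EventID>1048</EventID><FileName>/tmp/sess_345272a9f82666f885a4f143f785feb8</FileName>'
    '</DetectionInfo></LinuxShieldSoftware><MachineInfo><UserName>apache-80</UserName></MachineInfo></LinuxShieldEvent>',
]
# Exclusions exactly as listed in the original post.
EXCLUSIONS = ["/home/databases/", "/home/databases/mysql/mysql-*[0-9]$/data/"]


def parse_event(xml_text):
    """Extract the fields reply 1 says to look for (EventID, FileName), plus user and version."""
    root = ET.fromstring(xml_text)
    det = root.find("LinuxShieldSoftware/DetectionInfo")
    return {"event_id": det.findtext("EventID"), "file": det.findtext("FileName"),
            "user": root.findtext("MachineInfo/UserName"),
            "version": root.find("LinuxShieldSoftware").get("ProductVersion")}


def is_excluded(path, exclusions):
    """ASSUMED semantics, not VSEL's matcher: an exclusion covers a file if any ancestor
    directory (written with a trailing slash) matches the exclusion as a glob pattern."""
    d = os.path.dirname(path)
    while True:
        if any(fnmatchcase(d.rstrip("/") + "/", pat) for pat in exclusions):
            return True
        if d in ("", "/"):
            return False
        d = os.path.dirname(d)


def summarise(xml_texts, exclusions):
    """Count events by ID and by user, and list flagged paths that no exclusion covers."""
    events = [parse_event(x) for x in xml_texts]
    return {"by_event_id": Counter(e["event_id"] for e in events),
            "by_user": Counter(e["user"] for e in events),
            "uncovered": sorted({e["file"] for e in events
                                 if not is_excluded(e["file"], exclusions)})}


def load_event_dir(folder):
    """Read every .txml/.xml file in the agent event folder."""
    return [open(os.path.join(folder, n), errors="replace").read()
            for n in os.listdir(folder) if n.endswith((".txml", ".xml"))]
```

On a live box, `summarise(load_event_dir("/opt/McAfee/cma/scratch/AgentDB/Event"), EXCLUSIONS)` gives the counts; on the sample data it reports EventID 1048 twice and leaves only the /tmp/sess_... path uncovered by either exclusion.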

              • 4. Re: Re: Inodes saturation due to McAfee VSEL 1.9.x

                Quick Point ..... if the policies are getting from ePO.

                In Server Settings - Event Filtering - deselect event ID 1048.

                Once the agent policy hits the machine (full props wakeup call, or #....cmdagent -C then #.....cmdagent -E (check for new policy, enforce policy)),

                this should suppress the 1048 events locally.

                • 5. Re: Re: Inodes saturation due to McAfee VSEL 1.9.x

                  More details - my MA contact has requested advanced logging from McAfee Agent to check further on the reason for the agent communicating

                  How to set up agent for more detailed logging

                  McAfee KnowledgeBase - How to enable debug logging for McAfee Agent for non-Windows troubleshooting

                  You could drop this to Ticket.

                   

                  Also, since the version in the events you have quoted above is version 1.9.0 - it suggests possibly this agent communication has been a problem since before 1.9.1 was installed

                  (and maybe for quite a while as these xmls are mostly small between 1 and 2 kb)?????

                   

                  If you wanted to preserve the details in the xmls - you could actually move the xmls and txmls out of the events folder to e.g. a mounted network drive - thus freeing up space.

                  You could dump these events in batches into the <ePO install folder>\DB\Events folder

                  (Make sure you now have the VSEL 1.9.1 Reports extension in place in ePO).

                  The xmls and txmls should still get processed by eventparser.

                  (any that don't will go into debug or unknown folder)