The update process is handed off to the installed McAfee Agent/CMA
4.8.x agent - /opt/McAfee/cma/scratch/etc - files, log, log.x and mcscript.log
5.0.x agent - /var/McAfee/logs - masvc and mcscript logs
So do I need to check the client logs (Linux)? Or should I check the server's logs (Windows Server 2k8)?
Also, since DAT updates seem to be a completely random thing, what would be the best way to find a failure in the logs? Can I log into the client and tell it to pull DAT updates manually, then watch the logs?
If not ePO managed and they have not adjusted the default task or created a new Update Task - it will run every night at 12 midnight.
If ePO managed and ePO agent or product update tasks are applied - then they will run on that schedule.
Check /opt/NAI/LinuxShield/bin/nails task -l
This will list available tasks - the first one is 1. LinuxShield Update Task
Run this with /opt/NAI/LinuxShield/bin/nails task -r 1
The logs will record the failure based on the time you/they run the task. I don't know if you can post failures, send via PM or open SR with support so they can be examined.
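
The procedure described in this thread, as an added example that is not part of the original posts or McAfee's own tooling: it runs the update task and lists which files in the agent log directory were written during the run, so you know where to look for the failure. The paths and `nails` commands are the ones quoted above; the function names are hypothetical, and it assumes the task writes its log entries before `nails task -r` returns.

```shell
#!/bin/sh
# Added example: run the LinuxShield update task, then show which agent logs changed.
# Paths and nails commands come from the thread; function names are hypothetical.

NAILS=/opt/NAI/LinuxShield/bin/nails
LOG_DIRS="/var/McAfee/logs /opt/McAfee/cma/scratch/etc"   # 5.0.x agent, then 4.8.x agent

# Print the first directory among the arguments that exists; fail if none does.
pick_log_dir() {
    for d in "$@"; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# List regular files under directory $1 modified after marker file $2.
changed_logs() {
    find "$1" -type f -newer "$2" | sort
}

# Run update task $1 (default 1) and report the logs written since it started.
run_update_and_report() {
    task_id=${1:-1}
    log_dir=$(pick_log_dir $LOG_DIRS) || { echo "no agent log directory found" >&2; return 2; }
    marker=$(mktemp) || return 2
    sleep 1   # keep the marker's mtime strictly older than anything the task writes
    "$NAILS" task -l                 # confirm the task number before running it
    "$NAILS" task -r "$task_id"
    rc=$?
    echo "task $task_id exit status: $rc"
    echo "logs changed in $log_dir since the task was started:"
    changed_logs "$log_dir" "$marker"
    rm -f "$marker"
    return $rc
}

# Only run on a host where LinuxShield is actually installed.
if [ -x "$NAILS" ]; then
    run_update_and_report 1
fi
```
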