Use the following process if Technical Support requests Server-side logs to investigate an issue.
- Make sure that the correct level of logging is enabled on your client.
- Log on to your ePO console.
- Click Menu, Policy, Policy Catalog.
- From the Product drop-down list, select Active Response.
- Click the General policy. Or, create a new policy.
- Click the Logger tab.
- Select the required logging level.
NOTE: For most Server issues, the Default level is sufficient, but McAfee might direct you to select a different level.
- Click Save.
- Make sure that the policy is assigned to the client.
- Send an agent wake-up call to the client.
- Run a search on the end nodes to reproduce the issue:
- Open the ePO console.
- Click Menu, McAfee Active response search.
- Run a search to reproduce the issue.
- Gather MERS:
- Obtain an MER from the client: See KB92004.
- Obtain an MER from the DXL broker with which the client communicates. See KB82851.
NOTE: To understand which DXL broker the client is communicating with:
- Click the McAfee Agent tray icon.
- Click About.
- View the McAfee Data Exchange Layer properties.
The Broker DNS name identifies the name of the Broker where the client is connected.
If your case concerns an issue with MAR policies (for example, empty policies or a failure during the change of a policy):
- Enable Orion debug on the ePO server. See KB52369.
- Reproduce the issue, either open the policy or attempt to save it, depending on the issue.
- Note the time when you successfully reproduce the issue.
- Obtain an MER from the ePO server. See KB59385.
- Gather an MER from the MAR server. See: KB87957.
If your issue is with MAR 2.3 acting as a service on the TIE platform, you need to gather MERs from the TIE server and DXL broker.
- To gather an MER from the TIE server, see KB82850.
- To gather an MER from the DXL broker, see KB82851.