This article describes how you can enable debug logging for EDR and how to verify that it's enabled.
How to enable debug logging for EDR:
- In ePO, go to Policy Catalog.
- Select MVISION EDR.
- Duplicate the policy named My Default or the current policy used by the endpoint.
- Edit the new policy that you created in step 3:
  - On the Trace tab, change Log Level to Debug.
  - On the Logger tab, set Buffer size to 1 and Level to Debug.
- Save the policy and apply it to the client.
Optional:
- During debugging, Support might need a copy of the databases on the EDR client. To get a copy, deselect Data Folder Protection in the General tab.
- The EDR 3.2 extension also adds the ability to increase the log size of Marlog.log (in the Logging tab).
How to verify that Debug logging is enabled:
- View the EDR mar.log:
  - Windows: %PROGRAMDATA%\McAfee\Mar\data
  - Linux: /var/McAfee/mvedr/data
  - macOS: /private/var/McAfee/mvedr/data
- Look for the word DEBUG near the end of the log, reading the log from the bottom up.
- View the EDR trace.log:
  - Windows: %PROGRAMDATA%\McAfee\Mar\data
  - Linux: /var/McAfee/mvedr/data
  - macOS: /private/var/McAfee/mvedr/data
- Look for the word DEBUG near the end of the log, reading the log from the bottom up.
Optional:
Database files not protected:
- Verify that you can open and view config.dat with a text editor (the data is in JSON format).
- Verify that you can open the extra DB files (File_Hash.db, Nflow.db, and Trace.db) with SQLite.
Database and Data location:
- Windows: %PROGRAMDATA%\McAfee\Mar\data
- Linux: /var/McAfee/mvedr/data
- macOS: /private/var/McAfee/mvedr/data
Review config.dat and verify that the Logger and Trace log levels are set to log level 1 (debug):
- Edit the \ProgramData\McAfee\MAR\data\config.dat file with a text editor. To open this file, verify that the Enable data folder protection option is disabled in the EDR policy on the General tab.
- Review the "log_level" values for MarLogger and Trace:
- MarLogger:
{"buffer_size":"20","log_level":"1","log_path":"","
- TraceScanner:
{"bulk_time":"30","cairo_topic_compressed":"/mcafee/bridge/traceEventCompressed",
"cairo_topic_uncompressed":"/mcafee/bridge/traceEvent","compression":"true","disabled_rules":"",
"disabled_rules_by_internal_tag":"2147483644","enabled":"true","ignored_process":"","injectcore_enabled":"true","log_level":"1"
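
The verification steps above can be scripted. The following is an added example, not a vendor tool or code from the original article: it checks the tail of mar.log and trace.log for DEBUG and searches config.dat for the MarLogger and TraceScanner "log_level" values. Assumptions: config.dat is readable (data folder protection disabled), and because the article shows only fragments of the file, the script searches the JSON recursively instead of relying on a fixed layout; the sample files it writes are constructed.

```python
import json, sys, tempfile
from collections import deque
from pathlib import Path

def find_log_levels(node, path=""):
    """Walk parsed JSON; return {path of parent object: log_level value}."""
    if isinstance(node, list):
        node = dict(enumerate(node))  # treat list indexes as keys
    found = {}
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "log_level":
                found[path or "/"] = str(value)
            else:
                found.update(find_log_levels(value, f"{path}/{key}"))
    return found

def tail_has_debug(log_path, lines=200):  # DEBUG within the last `lines` lines?
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        return any("DEBUG" in line for line in deque(fh, maxlen=lines))

def verify(data_dir):
    """Return a list of problems; an empty list means debug logging is on."""
    problems = []
    for log in (Path(data_dir, n) for n in ("mar.log", "trace.log")):
        if not log.is_file() or not tail_has_debug(log):
            problems.append(f"{log.name}: missing, or no DEBUG near the end")
    try:
        config = json.loads(Path(data_dir, "config.dat").read_text("utf-8"))
    except (OSError, ValueError) as exc:  # protected, missing, or not JSON
        return problems + [f"config.dat: unreadable ({type(exc).__name__})"]
    levels = find_log_levels(config)
    for section in ("MarLogger", "TraceScanner"):
        hits = {v for k, v in levels.items() if k.endswith("/" + section)}
        if hits != {"1"}:
            problems.append(f"config.dat: {section} log_level {sorted(hits)}, expected 1")
    return problems

def write_sample(data_dir, level="1"):  # constructed stand-ins, nesting assumed
    cfg = {"services": {"MarLogger": {"buffer_size": "20", "log_level": level},
                        "TraceScanner": {"enabled": "true", "log_level": level}}}
    files = {"mar.log": "INFO start\nDEBUG poll\n", "trace.log": "DEBUG rule\n",
             "config.dat": json.dumps(cfg)}
    for name, text in files.items():
        Path(data_dir, name).write_text(text, encoding="utf-8")
    return data_dir

if __name__ == "__main__":  # no directory argument: use the constructed sample
    target = sys.argv[1] if len(sys.argv) > 1 else write_sample(tempfile.mkdtemp())
    print(verify(target) or "debug logging verified")
```

Pass the data directory for the endpoint's operating system (listed under Database and Data location) as the only argument.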