
The documentation for the ePO connector clearly states data mapping fields for ePO Product Events and Host DLP. However, these events do not show up at all. We have a working ePO connector collecting virusscan events and we have specified to collect hdlp and epoproductevents but no events are collected. Several posts have pointed out that these events are in separate tables not queried or parsed by ArcSight.
The question is then why are they in the documentation... and yes, ArcSight Support, we are running the most current version of the connector....
Accepted Solutions

Hi Nick,
I am using McAfee ePO 4.6.6, HDLP 9.2, McAfee ePO SmartConnector (v6.0.5) and can confirm that epoproductevents and hdlp events are retrieved correctly.
What version of McAfee ePO and Host DLP are you using?
If I am not wrong, the Host DLP events are queried from a table which shows the list of [Threat Events].
You may want to try
1) Re-check and confirm your ODBC connection settings (ODBC name, user credential, any password changed?) and status
2) Re-run runagentsetup.bat, proceed to the epo product parameters section and ensure there is no error while going through the setup
----- OR if it is not the above issue,
1) Tail the agent.log/agent.out.wrapper.log
2) Restart the McAfee ePO SmartConnector
3) Check for any errors in agent.log/agent.out.wrapper.log
4) Generate an HDLP event, e.g. Device Plug
5) Ensure this HDLP event appears on McAfee ePO Threat Event Dashboard
6) Check for any errors in the logs again.

Re: Smart Connector for McAfee ePO Questions
We are running McAfee ePO 4.6.6 and HDLP 9.1.210.1 and the SmartConnector is the latest - 4.07.
I will try your suggestions. Thanks for the response.
Question - How are you filtering on just the epoproductevents to report on versions of ePO and DATS?
Nick

Re: Smart Connector for McAfee ePO Questions
Which version of the connector are you using? I think the latest is actually 6.0.6.6865.0

Re: Smart Connector for McAfee ePO Questions
6.07
Nick Gerbino | Senior Information Security Analyst | CISSP

Re: Smart Connector for McAfee ePO Questions
I did as suggested and did not see any error messages in the agent.log or agent.out.wrapper.log files. I can see in the agent.out.wrapper.log file where it is connecting to the ePO database and detecting versions of the products we are running.

Re: Smart Connector for McAfee ePO Questions
Nick,
What I like to do in these instances is look through the agent.log and find the select query that the connector is using to retrieve the events. I then go into SQL Server Management Studio and run that query on the appropriate DB/Tables to see if it returns anything. This ensures that the tables the connector is set up to look at are actually populated, so you can then rule out database problems or actual ePO issues which might result in no (recent) events.
Often times I've found that even though the ePO modules are installed and the tables exist in the DB, they may not necessarily be utilized by the ePO admins, so there just aren't any events.
You should be able to find the select query somewhere early in the log when the connector is first started. You'll see a query that selects some sort of row ID to get the database version and then you should see one that actually is selecting events based off of a variable like time or ID.
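
Added example, not part of the reply above and not ArcSight tooling: a short Python script that pulls the distinct SELECT statements out of a connector log so each one can be re-run by hand against the ePO database, as the reply describes. The log layout, table names and column names in the sample are constructed placeholders; real agent.log lines will differ.

```python
import re

# Constructed sample; real agent.log layout, table and column names will differ.
SAMPLE_LOG = """\
[2014-03-02 10:15:01,120][INFO ] Connecting to database
[2014-03-02 10:15:01,480][INFO ] Executing query: SELECT MAX(row_id) FROM ExampleVersionTable
[2014-03-02 10:15:02,011][INFO ] Executing query: SELECT e.* FROM ExampleThreatEvents e WHERE e.AutoID > ? ORDER BY e.AutoID
[2014-03-02 10:15:32,019][INFO ] Executing query: SELECT e.* FROM ExampleThreatEvents e WHERE e.AutoID > ? ORDER BY e.AutoID
[2014-03-02 10:15:32,500][INFO ] Executing query: SELECT p.*, n.NodeName FROM ExampleProductEvents p JOIN ExampleNodes n ON n.ID = p.NodeID WHERE p.ReceivedUTC > ?
"""

SELECT_RE = re.compile(r"\bSELECT\b.*", re.IGNORECASE)
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([\[\]\w.]+)", re.IGNORECASE)
WHERE_RE = re.compile(r"\bWHERE\b", re.IGNORECASE)


def extract_queries(log_text):
    """Map each distinct SELECT statement to how often it was logged (first-seen order)."""
    counts = {}
    for line in log_text.splitlines():
        match = SELECT_RE.search(line)
        if match:
            query = match.group(0).strip()
            counts[query] = counts.get(query, 0) + 1
    return counts


def summarize(log_text):
    """Describe each query: tables touched, whether it filters rows, times seen."""
    return [
        {
            "tables": TABLE_RE.findall(query),
            # A WHERE clause marks the polling query that selects events by ID or
            # time; an unfiltered one matches the start-up lookup the reply mentions.
            "filtered": bool(WHERE_RE.search(query)),
            "seen": seen,
            "query": query,
        }
        for query, seen in extract_queries(log_text).items()
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        kind = "event poll" if row["filtered"] else "one-off lookup"
        print(f"{kind:15} x{row['seen']}  tables={', '.join(row['tables'])}")
        print(f"    {row['query']}")
```

A table that shows up in a logged polling query but returns no rows when that query is run in SQL Server Management Studio points at ePO or the database rather than at the connector.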

Re: Smart Connector for McAfee ePO Questions
Hi Nick,
Any luck on getting the McAfee DAT version? I'm running logger 5.5.0.7067.1 and connector 7.0.7.7279.0 and I'm having the same problem. Our ePO is running 5.1 and VSE is version 8.8. Field mapping for DAT version according to the ArcSight documentation is not giving me any information. My device custom string values are giving me the following:
Device Custom String 4: OAS
Device Custom String 4 Label: Analyzer Detection Method
Device Custom String 6: Blank
Device Custom String 6 Label: DATVersion (but no version number)
Any suggestions are greatly appreciated.
Paul

Re: Smart Connector for McAfee ePO Questions
Paul
Yes. We are getting the DAT version in the Device Version field.
Connector is 6.4.0.6661.0
ePO is 4.6.8
VSE is 8.8
Hope this helps

Re: Smart Connector for McAfee ePO Questions
Hi Nick,
Thank you very much for your quick reply. However, I’m seeing the following in my logger, any suggestion? I had restarted the Smart connector.
Regards
Paul


Re: Smart Connector for McAfee ePO Questions
Paul
I think I see where our disconnect is. What ePO events are you looking at?
I get the data for DAT correctly when looking at an event whose Name is "Update Task".

Re: Smart Connector for McAfee ePO Questions
Hi Nick,
Thanks again for your reply. I couldn't see any "update task" under event "Name". I'm only seeing "Port blocking rule violation detected and NOT blocked" and "Access protection rule violation detected and NOT blocked" categories. Did I miss something in the SmartConnector configuration?
Best regards
Paul

Re: Smart Connector for McAfee ePO Questions
Paul
In your connector configuration, do you have the "event types" set to include epoproductevents? This is on the Connector Appliance under Manage and looking at the ePO Connector.

Re: Smart Connector for McAfee ePO Questions
Hi Nick,
I did. I had selected the following 4 items:
virusscan
eporollup
epoproductevents
solidcore
Thanks again
Paul