Troubleshooting McAfee Active Response triggers and reactions
Technical Articles ID: KB85431
Last Modified: 2021-03-08 20:38:11 Etc/GMT
Environment
McAfee Active Response (MAR) 2.x
Summary
This article describes the recommended troubleshooting steps for several common failure scenarios with Active Response triggers and reactions.
- The trigger is not saved when clicking the Save button (after a successful Save, you should be returned to the Active Response Catalog)
- The trigger creation page is not shown
- The trigger is not executed on the endpoint
- The trigger could not be modified after saving in the editing mode
- The trigger arguments mapping have suddenly changed
- The trigger could not be deleted
- The reaction is not saved when clicking the Save button (after a successful Save, you should be returned to the Active Response Catalog)
- The reaction creation page is not shown
- The reaction is not executed when the trigger is triggered
- The reaction is not executed when applied from the search results
- The trigger is not saved when clicking the Save button (after a successful Save, you should be returned to the Active Response Catalog):
  1. Review the Active Response server log and confirm whether the trigger was created.
     a. Open the Active Response server log at /opt/McAfee/marserver/apachetomcat/logs/catalina.out.
     b. Check for a trigger creation entry in the log. Expect the trigger creation to be logged in JSON format. In the following example, the trigger name is TestTrigger2:
        24 Jul 2015 18:40:11 DEBUG TriggerManagerImpl - Trigger: {"catalogVersion":0,"dbVersion":0,"id":"55b2868be4b0f0f27a5e54de","name":"TestTrigger2" ...}
     c. If no creation entry and no error or exception appear while the Active Response server is running, the save request is not reaching the Active Response server, so the problem is probably on the ePO server. Continue to step 2.
  2. Review the Orion log on the ePO server and check for any problems.
     a. On the ePO server, open the Orion log at $EPO_HOME\Server\logs\orion.log.
     b. Review entries in the log containing words like "exception", "error", and "TriggerAction" to try to determine the cause of the problem.
- The trigger creation page is not shown:
  1. Verify that the Active Response service is running.
     a. Type the following command and check the status of the Active Response service:
        sudo service marserver status
     b. Review the Active Response server log and check whether the Active Response service is running. Open the log at /opt/McAfee/marserver/apachetomcat/logs/catalina.out and verify that it shows recent activity; activity indicates that the Active Response service is running.
  2. Verify that the following Active Response extensions are installed in ePO: Mar-client, Mar-license, Mar-ui, Mar-server.
- The trigger is not executed on the endpoint:
  1. Review the Threat Event Log on the ePO console at Menu, Reporting, Threat Event Log to confirm whether the trigger has been executed.
  2. Verify that "enable_triggers" in config.dat is set to "true". The config.dat file contains the current policy configuration of the endpoint. It is located in C:\ProgramData\McAfee\MAR\data on a Windows endpoint or /var/McAfee/Mar/data/ on a Linux endpoint. If it is "true" and the trigger is still not executed, continue to step 3.
  3. Review the Active Response client log on the endpoint and confirm whether the trigger update has been received.
     a. Enable the Active Response client log on the endpoint where you want the trigger to be executed.
     b. Disable and re-enable the trigger (or update the exposure of the trigger) so that the update is registered in the Active Response client log.
     c. Open the Active Response client log at C:\ProgramData\McAfee\MAR\data\marlog.log.
     d. Check for a trigger update entry in the log stating Incoming message from connection.
        Figure 1: Trigger setting process
        - The line Incoming message from indicates that the trigger named SartCalc was received.
        - The line Set Trigger Event indicates that the trigger SartCalc was registered. The trigger ID is also shown on this line.
  4. Review the Active Response server log and determine where the problem is.
     a. Open the Active Response server log at /opt/McAfee/marserver/apachetomcat/logs/catalina.out, or view the last part of the log with the command tail -f /opt/McAfee/marserver/apachetomcat/logs/catalina.out.
     b. Check for an entry in the log stating Sending trigger for rule, similar to the following example. If you find this entry, the trigger left the Active Response server and the problem might be in the Data Exchange Layer (DXL) connection, so verify the status of the DXL service. If you do not find it, the problem is between the extension and the DXL service.
        Figure 2: Sending a trigger to the client endpoints (the trigger SartCalc is sent to the client endpoints)
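To make the log correlation in the steps above repeatable, the following Python script is an added example written for this article; it is not McAfee code and does not ship with Active Response. It scans a copy of catalina.out for the JSON "Trigger:" creation entry and the "Sending trigger for rule" entry, then scans the endpoint's marlog.log for "Incoming message from" and "Set Trigger Event", and reports the furthest stage a named trigger reached together with the article's next check for that stage. The sample log lines embedded in it are constructed around those marker phrases; nothing else about the layout of either log is assumed, and the regex fallback handles a creation line that was truncated, like the article's own "..." example.

```python
import json
import re

# Constructed sample log lines for this example (not real MAR output). Real
# catalina.out and marlog.log lines carry more fields; only the marker
# phrases named in the article are relied on. IDs are placeholders.
SERVER_LOG = """\
24 Jul 2015 18:40:11 DEBUG TriggerManagerImpl - Trigger: {"catalogVersion":0,"dbVersion":0,"id":"000000000000000000000001","name":"SartCalc"}
24 Jul 2015 18:40:12 DEBUG TriggerManagerImpl - Sending trigger for rule SartCalc
24 Jul 2015 18:41:03 DEBUG TriggerManagerImpl - Trigger: {"catalogVersion":0,"dbVersion":0,"id":"000000000000000000000002","name":"OrphanTrigger" ...
"""

CLIENT_LOG = """\
24 Jul 2015 18:40:13 Incoming message from connection: trigger SartCalc
24 Jul 2015 18:40:13 Set Trigger Event SartCalc id=000000000000000000000001
"""


def created_triggers(server_log):
    """Names of all triggers whose creation was logged as 'Trigger: {...}'.

    catalina.out lines can be cut short (the article's own example ends in
    '...'), so fall back to a regex when the JSON payload does not parse."""
    names = set()
    for line in server_log.splitlines():
        if "Trigger: {" not in line:
            continue
        payload = line.split("Trigger: ", 1)[1]
        try:
            names.add(json.loads(payload)["name"])
        except (ValueError, KeyError, TypeError):
            m = re.search(r'"name"\s*:\s*"([^"]+)"', payload)
            if m:
                names.add(m.group(1))
    return names


def mentions(log, marker, name):
    """True if some line carries the marker phrase and the exact trigger name
    (word-bounded, so 'SartCalc' does not match 'SartCalc2')."""
    pat = re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")
    return any(marker in ln and pat.search(ln) for ln in log.splitlines())


# The article's next check for each stage at which the trigger stopped.
NEXT_CHECK = {
    "not-created": "No creation entry in catalina.out: the save request never reached "
                   "the Active Response server. Review orion.log on the ePO server for "
                   "'exception', 'error' and 'TriggerAction'.",
    "created-not-sent": "Created but no 'Sending trigger for rule' entry: the problem is "
                        "between the extension and the DXL service.",
    "sent-not-received": "Sent by the server but no 'Incoming message from' on the "
                         "endpoint: verify the status of the DXL service/connection.",
    "received-not-registered": "Received but no 'Set Trigger Event': check that "
                               "enable_triggers is true in config.dat, then disable and "
                               "re-enable the trigger with the client log enabled.",
    "registered": "Trigger is registered on the endpoint; confirm execution in the "
                  "ePO Threat Event Log.",
}


def diagnose_trigger(server_log, client_log, name):
    """Return the furthest stage the named trigger reached (a NEXT_CHECK key)."""
    if name not in created_triggers(server_log):
        return "not-created"
    if not mentions(server_log, "Sending trigger for rule", name):
        return "created-not-sent"
    if not mentions(client_log, "Incoming message from", name):
        return "sent-not-received"
    if not mentions(client_log, "Set Trigger Event", name):
        return "received-not-registered"
    return "registered"


if __name__ == "__main__":
    for trig in ("SartCalc", "OrphanTrigger", "NeverSaved"):
        stage = diagnose_trigger(SERVER_LOG, CLIENT_LOG, trig)
        print(f"{trig}: {stage}\n    next: {NEXT_CHECK[stage]}")
```

On a real system, read the two files into the `server_log` and `client_log` strings (copy marlog.log off the endpoint rather than parsing it in place) and run `diagnose_trigger` once per trigger name you expect to see.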
- The trigger could not be modified after saving in the editing mode:
- The trigger arguments mapping have suddenly changed:
- The trigger could not be deleted:
- The reaction is not saved when clicking the Save button (after a successful Save, you should be returned to the Active Response Catalog):
  1. Review the Active Response server log and confirm whether the reaction was created.
     a. Open the Active Response server log at /opt/McAfee/marserver/apachetomcat/logs/catalina.out.
     b. If you do not see any error or exception in the log and the Active Response server is running, the request is not arriving at the Active Response server, so the problem could be on the ePO server. Continue to step 2.
  2. Review the Orion log on the ePO server and check for any problems.
     a. On the ePO server, open the Orion log at $EPO_HOME\Server\logs\orion.log.
     b. Review entries in the log containing words like "exception", "error", and "ReactionAction" to try to determine the cause of the problem.
- The reaction creation page is not shown:
  1. Verify that the Active Response service is running.
     a. Type the following command and check the status of the Active Response service:
        sudo service marserver status
     b. Review the Active Response server log and check whether the Active Response service is running. Open the log at /opt/McAfee/marserver/apachetomcat/logs/catalina.out and verify that it shows recent activity; activity indicates that the Active Response service is running.
  2. Verify that the following Active Response extensions are installed in ePO: Mar-client, Mar-license, Mar-server, Mar-ui.
- The reaction is not executed when the trigger is triggered:
  1. Review the Threat Event Log on the ePO console at Menu, Reporting, Threat Event Log to confirm whether the reaction has been executed. A reaction that has been executed might still be a "failed" reaction: one that was executed but failed for some reason, such as a problem in the reaction content itself.
  2. Verify that the content of the reaction is valid and correct:
     a. Review the reaction in the Active Response Catalog and confirm that it has not been modified by another user.
     b. Confirm that the reaction content is correct. If the reaction has arguments, confirm that they are added in the arguments table and that their names are identical to the names used in the content.
  3. Review the Active Response client log on the endpoint. Confirm whether the related trigger was triggered and whether its reaction was executed.
     a. Check whether the Active Response client log is enabled on the endpoint where the reaction must be executed. If it is enabled, continue to step c.
     b. If it is disabled, enable the Active Response client log.
     c. Make the trigger with the related reaction occur again so that these actions are registered in the Active Response client log.
     d. Open the Active Response client log at C:\ProgramData\McAfee\MAR\data\marlog.log.
     e. Check for entries in the log stating trigger event and Processing query, similar to the following example.
        - If the trigger was not triggered, the problem is with the trigger. See "The trigger is not executed on the endpoint" above.
        - If an Error detected entry appears in the reaction execution, there is a problem with the execution of this reaction on that endpoint. Send the Active Response client log file to Engineering.
        Figure 3: Trigger event triggered and reaction execution process
        - The first line, trigger event, indicates that a trigger was triggered.
        - The line Processing query executes the reaction associated with the trigger.
        - If the reaction could not be executed, you see the line Error detected.
        - The last line, Sending Trigger event, notifies the Active Response service that the trigger event occurred. It also contains the result of the reaction execution (true or false).
- The reaction is not executed when applied from the search results:
  1. Enable the Active Response client log on the endpoint where the reaction did not execute.
  2. Attempt to execute the reaction again from the search results so that this action is registered in the Active Response client log.
  3. Open the Active Response client log at C:\ProgramData\McAfee\MAR\data\marlog.log.
  4. Check for an entry in the log stating Incoming message from connection.
     - If the reaction did not arrive at the endpoint, continue to step 5.
     - If an Error detected entry appears in the reaction execution, there is a problem with the execution of this reaction on that endpoint. Send the Active Response client log file to Engineering.
     Figure 4: Reaction execution process
     - The line Incoming message from indicates that a reaction named ReactionName was received.
     - The line Processing query executes the reaction received.
     - If the reaction could not be executed, you see the line Error detected.
  5. Review the Active Response server log and determine where the problem is.
     a. Open the Active Response server log at /opt/McAfee/marserver/apachetomcat/logs/catalina.out, or view the last part of the log with the command tail -f /opt/McAfee/marserver/apachetomcat/logs/catalina.out.
     b. Check for an entry in the log stating Starting execution of reaction, similar to the first example below. If the entry is present, the reaction left the Active Response server and the problem might be in the Data Exchange Layer (DXL) connection, so verify the status of the DXL service. If it is absent, the problem is between the extension and the DXL service. The second example shows the corresponding entry for a trigger.
     Figure 5: Sending a reaction to the client endpoints (the reaction ReactionName is sent to the client endpoints)
     Figure 6: Sending a trigger to the client endpoints (the trigger SartCalc is sent to the client endpoints)
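As an added example for the two reaction scenarios above (written for this article, not McAfee code), the following Python script classifies what marlog.log says about one reaction: whether the endpoint received it (a "trigger event" entry for a trigger-fired reaction, or an "Incoming message from" entry for one applied from the search results), whether "Processing query" followed, and whether "Error detected" or a false result in the "Sending Trigger event" entry marks it as failed. The embedded log lines are constructed around the marker phrases the article names; the rest of each line's layout and the reaction names are assumptions.

```python
import re

# Constructed sample of marlog.log for this example (not real MAR output).
# Only the marker phrases named in the article are relied on; the rest of
# each line's layout and the reaction names are assumptions. Three cases:
# a trigger-fired reaction that succeeded, a search-result reaction that
# failed, and a search-result reaction that arrived but was never processed.
CLIENT_LOG = """\
24 Jul 2015 18:45:00 trigger event SartCalc
24 Jul 2015 18:45:00 Processing query: KillProcess
24 Jul 2015 18:45:01 Sending Trigger event SartCalc reaction=KillProcess result=true
24 Jul 2015 18:50:00 Incoming message from connection: reaction QuarantineFile
24 Jul 2015 18:50:00 Processing query: QuarantineFile
24 Jul 2015 18:50:01 Error detected while executing QuarantineFile
24 Jul 2015 18:55:00 Incoming message from connection: reaction DeleteFile
"""

# A new episode starts when a trigger fires or a message arrives over DXL.
EPISODE_START = ("trigger event", "Incoming message from")


def episodes(client_log):
    """Split the log into episodes: each starts at a 'trigger event' or
    'Incoming message from' line and runs until the next such line, so the
    'Processing query' / 'Error detected' lines that follow stay attached
    to the reaction that produced them."""
    out = []
    for line in client_log.splitlines():
        if any(marker in line for marker in EPISODE_START):
            out.append([line])
        elif out:
            out[-1].append(line)
    return out


def _named(pattern, lines, marker=None):
    """True if a line matches the word-bounded name and, if given, the marker."""
    return any(pattern.search(ln) and (marker is None or marker in ln) for ln in lines)


def reaction_outcome(client_log, reaction):
    """Furthest point the named reaction reached on this endpoint:
    not-received, received-not-processed, failed or executed."""
    name = re.compile(r"(?<![\w-])" + re.escape(reaction) + r"(?![\w-])")
    seen = False
    for ep in episodes(client_log):
        if not _named(name, ep):
            continue
        seen = True
        if not _named(name, ep, "Processing query"):
            continue  # arrived, but nothing processed it; keep scanning
        if any("Error detected" in ln for ln in ep):
            return "failed"
        # The result flag reported back to the server can also be false.
        if any("Sending Trigger event" in ln and re.search(r"\bfalse\b", ln) for ln in ep):
            return "failed"
        return "executed"
    return "received-not-processed" if seen else "not-received"


# The article's next check for each outcome.
NEXT_CHECK = {
    "not-received": "Nothing on the endpoint names the reaction. For a trigger-fired "
                    "reaction, troubleshoot the trigger first. Otherwise check "
                    "catalina.out for 'Starting execution of reaction': present means "
                    "verify the DXL service; absent means the problem is between the "
                    "extension and the DXL service.",
    "received-not-processed": "The reaction arrived but no 'Processing query' followed: "
                              "collect marlog.log and review the reaction content and "
                              "argument names in the Active Response Catalog.",
    "failed": "The reaction ran on this endpoint and failed ('Error detected' or a "
              "false result): re-check the reaction content and send marlog.log to "
              "Engineering.",
    "executed": "The reaction was processed without error; confirm it in the ePO "
                "Threat Event Log.",
}


if __name__ == "__main__":
    for rx in ("KillProcess", "QuarantineFile", "DeleteFile", "NoSuchReaction"):
        outcome = reaction_outcome(CLIENT_LOG, rx)
        print(f"{rx}: {outcome}\n    next: {NEXT_CHECK[outcome]}")
```

Because the classification keys on episodes rather than on the whole file, a reaction that failed once and succeeded on a later retry is reported by its first processed episode; scan the returned episodes directly if you need the full history.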