On a system managed by MVISION ePolicy Orchestrator (ePO), MVISION EDR trace submissions can be followed with DXL Client debug logging.
DXL Client is a component integrated into the TA.
Follow the steps below to enable DXL Client debug logging:
- Open the Policy Catalog and click McAfee DXL Client.
- Open the DXL Client policy.
- In the left pane, click Client Logging Settings.
- Select the Enable Debug Logging option and click Save.
- Apply the policy to the target systems.
The DXL Client configuration files are the following:
- DXL_local.config
This file is used only in the MVISION ePO environment and on systems where the DXL local broker is installed.
- DXL_property.config
This file contains the DXL broker information, the DXL broker certificate information, the EDR cloud URL, and the DXL broker ID and port.
MVISION EDR trace submissions: the MVISION EDR agent sends the client traces through the DXL Client component.
This article explains DXL Client debug logging for EDR submissions.
The statements below are recorded in dxl_service.log (C:\ProgramData\McAfee\Data_Exchange_Layer\):
2022-06-20 12:03:06.217 [P15][Debug] DxlState: topic override proto version = 1
2022-06-20 12:03:06.217 [P15][Debug] DxlState: topic override version = 507
2022-06-20 12:03:06.217 [P15][Debug] DxlState: map size = 8
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/bridge/traceDataCompressed
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = traceDataCompressed
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/bridge/traceEventCompressed
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = traceEventCompressed
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/mar/agent/syncDataRequest
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = syncDataRequest
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/mar/aggSearchResult
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = aggSearchResult
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/mar/aggSearchResultCompressed
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = aggSearchResultCompressed
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/mar/aggSearchResultErrors
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = aggSearchResultErrors
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/mar/reactionResult
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = reactionResult
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/mar/reactionResultErrors
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = reactionResultErrors
2022-06-20 12:03:06.217 [P15][Debug] DxlState: decode string 'Ac0B-9oANWh0dHBzOi8vYXBpLnNvYy5tY2FmZWUuY29tL2Nsb3VkcHJveHkvZGF0YWJ1cy9wcm9kdWNl'
2022-06-20 12:03:06.217 [P15][Debug] DxlState: url proto version = 1
2022-06-20 12:03:06.217 [P15][Debug] DxlState: url = https://api.soc.mcafee.com/cloudproxy/databus/produce
2022-06-20 12:03:22.197 [P0][Debug] DxlMsgBusWorker: on_request called
2022-06-20 12:03:22.197 [P0][Debug] DxlMsgBusWorker: on_request: topic '/mcafee/bridge/traceEventCompressed' serviceId '' timeout '10000' corrid 'a90eac01-643e-4111-8839-54cb8a510fbf'
2022-06-20 12:03:22.197 [P0][Debug] DxlMsgBusWorker: sendCloudEvent destination topic /mcafee/bridge/traceEventCompressed
2022-06-20 12:03:22.197 [P16][Debug] DxlMsgBusWorker: m_cloudTokenTime 1655718940658637 timediff 461539240 m_cloudTokenTTL 600000000
2022-06-20 12:03:22.197 [P16][Debug] DxlMsgBusWorker: process cloud event topic traceEventCompressed
2022-06-20 12:03:22.197 [P16][Debug] DxlMsgBusWorker: encoded str:
2022-06-20 12:03:22.197 [P16][Debug] DxlMsgBusWorker: payload string: {"byteCount":4236,"records":[{"message":{"headers":{"sourceId":"
"routingData":{"topic":"traceEventCompressed"}}]}
2022-06-20 12:03:22.197 [P16][Debug] DxlMsgBusWorker: caPath = C:\ProgramData\McAfee\Data_Exchange_Layer\cloud_cacerts.cer
2022-06-20 12:03:22.197 [P16][Debug] DxlMsgBusWorker: payload size: 4405
2022-06-20 12:03:23.004 [P16][Debug] DxlMsgBusWorker: cloud send succeeded
2022-06-20 12:03:23.004 [P16][Debug] DxlMsgBusWorker: rcode 204
2022-06-20 12:03:23.004 [P16][Debug] DxlMsgBusWorker: rawlen = 0 rawdata =
2022-06-20 12:03:23.004 [P16][Debug] DxlMsgBusWorker: postCloudResponse called
The MVISION EDR Client sends a message or trace on the DXL topic "/mcafee/bridge/traceEventCompressed".
Because "/mcafee/bridge/traceEventCompressed" is part of the topic override list (the key/value pairs dumped by DxlState above), the data is sent directly over HTTPS to https://api.soc.mcafee.com/cloudproxy/databus/produce, the URL decoded in the same DxlState block, with the CA bundle named in the caPath line. The response code received is 204 and the log shows the message "cloud send succeeded". HTTP 204 means the cloud accepted the batch and returned an empty body, which is why the following line reports rawlen = 0.
The m_cloudTokenTime line compares the age of the cached cloud token (timediff) with its TTL (m_cloudTokenTTL). Both values are microsecond counts, so here the token is about 461 s into a 600 s lifetime and still valid when this batch is sent.
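To turn the excerpt above into something that can be run over a full dxl_service.log, here is an added example (written for this article, not McAfee code) that rebuilds the override map and the decoded cloud URL from the DxlState lines, groups the DxlMsgBusWorker lines under the corrid of each on_request, and flags a submission whose topic is not in the override list, one that lacks both "cloud send succeeded" and a 2xx rcode, or one whose cached token age (timediff) has reached m_cloudTokenTTL. The sample input is the page's own lines plus two constructed ones with a hypothetical topic and corrid so the checks have something to report; the wording the client uses on a failed send is not assumed, a send simply counts as unconfirmed unless the success line and a 2xx code are both seen.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: lines copied from the page's dxl_service.log excerpt, plus two
# constructed lines at the end (hypothetical topic and corrid) for a submission
# whose topic is not in the override list and which gets a non-2xx response.
SAMPLE_LOG = """\
2022-06-20 12:03:06.217 [P15][Debug] DxlState: map size = 8
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/bridge/traceDataCompressed
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = traceDataCompressed
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/bridge/traceEventCompressed
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = traceEventCompressed
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/mar/agent/syncDataRequest
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = syncDataRequest
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/mar/aggSearchResult
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = aggSearchResult
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/mar/aggSearchResultCompressed
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = aggSearchResultCompressed
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/mar/aggSearchResultErrors
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = aggSearchResultErrors
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/mar/reactionResult
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = reactionResult
2022-06-20 12:03:06.217 [P15][Debug] DxlState: key = /mcafee/mar/reactionResultErrors
2022-06-20 12:03:06.217 [P15][Debug] DxlState: value = reactionResultErrors
2022-06-20 12:03:06.217 [P15][Debug] DxlState: url = https://api.soc.mcafee.com/cloudproxy/databus/produce
2022-06-20 12:03:22.197 [P0][Debug] DxlMsgBusWorker: on_request: topic '/mcafee/bridge/traceEventCompressed' serviceId '' timeout '10000' corrid 'a90eac01-643e-4111-8839-54cb8a510fbf'
2022-06-20 12:03:22.197 [P16][Debug] DxlMsgBusWorker: m_cloudTokenTime 1655718940658637 timediff 461539240 m_cloudTokenTTL 600000000
2022-06-20 12:03:23.004 [P16][Debug] DxlMsgBusWorker: cloud send succeeded
2022-06-20 12:03:23.004 [P16][Debug] DxlMsgBusWorker: rcode 204
2022-06-20 12:05:00.000 [P0][Debug] DxlMsgBusWorker: on_request: topic '/mcafee/bridge/notOverridden' serviceId '' timeout '10000' corrid 'constructed-0001'
2022-06-20 12:05:00.900 [P16][Debug] DxlMsgBusWorker: rcode 401
"""

LINE_RE = re.compile(r"^\S+ \S+ \[P\d+\]\[\w+\] (?P<comp>\w+): (?P<msg>.*)$")
REQ_RE = re.compile(r"^on_request: topic '([^']*)'.* corrid '([^']*)'")
TOKEN_RE = re.compile(r"^m_cloudTokenTime \d+ timediff (\d+) m_cloudTokenTTL (\d+)")

@dataclass
class Submission:
    corrid: str
    dxl_topic: str
    succeeded: bool = False
    rcode: Optional[int] = None
    token_age_us: Optional[int] = None  # timediff and TTL are microsecond counts
    token_ttl_us: Optional[int] = None

@dataclass
class DxlState:
    declared_map_size: Optional[int] = None
    overrides: Dict[str, str] = field(default_factory=dict)
    cloud_url: Optional[str] = None
    submissions: List[Submission] = field(default_factory=list)

def parse_log(text: str) -> DxlState:
    st, key, cur = DxlState(), None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        comp, msg = m["comp"], m["msg"]
        if comp == "DxlState":
            if msg.startswith("map size = "):
                st.declared_map_size = int(msg.rsplit(" ", 1)[1])
            elif msg.startswith("key = "):
                key = msg[6:]
            elif msg.startswith("value = ") and key is not None:
                st.overrides[key], key = msg[8:], None
            elif msg.startswith("url = "):
                st.cloud_url = msg[6:]
        elif comp == "DxlMsgBusWorker":
            if (r := REQ_RE.match(msg)):  # each on_request starts a new submission
                cur = Submission(corrid=r[2], dxl_topic=r[1])
                st.submissions.append(cur)
            elif cur is None:
                continue
            elif (t := TOKEN_RE.match(msg)):
                cur.token_age_us, cur.token_ttl_us = int(t[1]), int(t[2])
            elif msg == "cloud send succeeded":
                cur.succeeded = True
            elif msg.startswith("rcode "):
                cur.rcode = int(msg[6:])
    return st

def triage(st: DxlState) -> List[str]:
    """Findings keyed by correlation id; an empty list means all submissions look healthy."""
    out = []
    if st.declared_map_size is not None and len(st.overrides) != st.declared_map_size:
        out.append(f"override map declares {st.declared_map_size} entries, parsed {len(st.overrides)}")
    for s in st.submissions:
        if s.dxl_topic not in st.overrides:
            out.append(f"{s.corrid}: {s.dxl_topic} is not in the override list, so the direct cloud path does not apply")
        if not s.succeeded or s.rcode is None or not 200 <= s.rcode < 300:
            out.append(f"{s.corrid}: cloud send not confirmed (succeeded={s.succeeded}, rcode={s.rcode})")
        if s.token_age_us is not None and s.token_age_us >= s.token_ttl_us:
            out.append(f"{s.corrid}: cached cloud token is past its TTL")  # assumption: a refresh is expected
    return out
```

Run parse_log over the contents of dxl_service.log and print triage(); the page's own submission produces no finding, while the constructed one is reported twice (topic outside the override list, and rcode 401 without a success line).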
The topic information for EDR submissions is stored in DXL_property.config as a base64-encoded TopicOverrides value; the DxlState lines above (proto version, override version, map size and the key/value pairs) show the decoded form of such a value:
TopicOverrides=Acz4CNoAIi9tY2FmZWUvYnJpZGdlL3RyYWNlRGF0YUNvbXByZXNzZWSzdHJhY2VEYXRhQ29tcHJlc3NlZNoAIy9tY2FmZWUvYnJpZGdlL3RyYWNlRXZlbnRDb21wcmVzc2VktHRyYWNlRXZlbnRDb21wcmVzc2Vk2gAhL21jYWZlZS9tYXIvYWdlbnQvc3luY0RhdGFSZXF1ZXN0r3N5bmNEYXRhUmVxdWVzdLsvbWNhZmVlL21hci9hZ2dTZWFyY2hSZXN1bHSvYWdnU2VhcmNoUmVzdWx02gAlL21jYWZlZS9tYXIvYWdnU2VhcmNoUmVzdWx0Q29tcHJlc3NlZLlhZ2dTZWFyY2hSZXN1bHRDb21wcmVzc2Vk2gAhL21jYWZlZS9tYXIvYWdnU2VhcmNoUmVzdWx0RXJyb3JztWFnZ1NlYXJjaFJlc3VsdEVycm9yc7ovbWNhZmVlL21hci9yZWFjdGlvblJlc3VsdK5yZWFjdGlvblJlc3VsdNoAIC9tY2FmZWUvbWFyL3JlYWN0aW9uUmVzdWx0RXJyb3JztHJlYWN0aW9uUmVzdWx0RXJyb3Jz
On the EDR side, the destination for submitted traces is the CloudUrl line of DXL_property.config. The traces are protected in transit by HTTPS to that URL; the CloudUrl value itself is encoded, not encrypted, and is the same base64 record the log decodes (proto version, version, URL) to https://api.soc.mcafee.com/cloudproxy/databus/produce:
CloudUrl=Acz42gA1aHR0cHM6Ly9hcGkuc29jLm1jYWZlZS5jb20vY2xvdWRwcm94eS9kYXRhYnVzL3Byb2R1Y2U
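The TopicOverrides and CloudUrl values are base64 blobs that the DxlState lines in the log decode at startup. The following added example (written for this article; it is not DXL client code or any McAfee tool) decodes them offline so that what is on disk can be compared with what the log reports. The layout it assumes, a leading 0x01 proto byte followed by a MessagePack-style integer version and then either a single string (CloudUrl) or a count plus that many key/value strings (TopicOverrides), is inferred from the two values on this page and the matching DxlState lines, not taken from vendor documentation, and only the MessagePack tags those values actually use are handled; anything else raises rather than guessing. Decoding the page's CloudUrl line gives override version 248, while the string the log decodes gives 507, so the config snippet and the log excerpt were captured at different points.

```python
import base64

# Values copied from the page: the CloudUrl line of DXL_property.config (standard base64,
# unpadded) and the string dxl_service.log reports decoding (URL-safe alphabet, note the '-').
CLOUD_URL_CONFIG = "Acz42gA1aHR0cHM6Ly9hcGkuc29jLm1jYWZlZS5jb20vY2xvdWRwcm94eS9kYXRhYnVzL3Byb2R1Y2U"
CLOUD_URL_LOGGED = "Ac0B-9oANWh0dHBzOi8vYXBpLnNvYy5tY2FmZWUuY29tL2Nsb3VkcHJveHkvZGF0YWJ1cy9wcm9kdWNl"

# The override pairs exactly as DxlState prints them (DXL topic -> cloud topic).
LOGGED_OVERRIDES = {
    "/mcafee/bridge/traceDataCompressed": "traceDataCompressed",
    "/mcafee/bridge/traceEventCompressed": "traceEventCompressed",
    "/mcafee/mar/agent/syncDataRequest": "syncDataRequest",
    "/mcafee/mar/aggSearchResult": "aggSearchResult",
    "/mcafee/mar/aggSearchResultCompressed": "aggSearchResultCompressed",
    "/mcafee/mar/aggSearchResultErrors": "aggSearchResultErrors",
    "/mcafee/mar/reactionResult": "reactionResult",
    "/mcafee/mar/reactionResultErrors": "reactionResultErrors",
}

def b64decode_lenient(s):
    """Accept the standard or URL-safe alphabet, padded or not, line-wrapped or not."""
    s = "".join(s.split()).replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4))

class Reader:
    """Cursor over the blob. Layout (inferred from the page, not vendor docs): 0x01 proto byte,
    msgpack uint version, then one str (CloudUrl) or a uint count and that many key/value strs."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated blob at offset {self.pos}")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def header(self):
        proto = self.take(1)[0]
        if proto != 1:
            raise ValueError(f"unsupported proto version {proto}")
        return self.uint()

    def uint(self):
        tag = self.take(1)[0]
        if tag < 0x80:            # positive fixint: the map size 8
            return tag
        if tag in (0xCC, 0xCD):   # uint8 (version 248 in the config) / uint16 (507 in the log)
            return int.from_bytes(self.take(tag - 0xCB), "big")
        raise ValueError(f"unexpected int tag 0x{tag:02x} at offset {self.pos - 1}")

    def string(self):
        tag = self.take(1)[0]
        if 0xA0 <= tag <= 0xBF:   # fixstr, length in the low 5 bits
            n = tag & 0x1F
        elif tag == 0xDA:         # str16, used for every string of 32+ bytes on the page
            n = int.from_bytes(self.take(2), "big")
        else:
            raise ValueError(f"unexpected str tag 0x{tag:02x} at offset {self.pos - 1}")
        return self.take(n).decode("utf-8")

    def finish(self):
        if self.pos != len(self.data):
            raise ValueError(f"{len(self.data) - self.pos} trailing bytes")

def decode_cloud_url(b64):
    r = Reader(b64decode_lenient(b64))
    version, url = r.header(), r.string()
    r.finish()
    return version, url

def decode_topic_overrides(b64):
    r = Reader(b64decode_lenient(b64))
    version, count = r.header(), r.uint()
    overrides = {}
    for _ in range(count):
        key = r.string()          # key precedes its value, as the blob is laid out
        overrides[key] = r.string()
    r.finish()
    return version, overrides

def encode_uint(v):
    if v < 0x80:
        return bytes([v])
    return b"\xcc" + v.to_bytes(1, "big") if v <= 0xFF else b"\xcd" + v.to_bytes(2, "big")

def encode_str(s):
    b = s.encode("utf-8")         # fixstr below 32 bytes, str16 from 32 up; the page never uses str8
    return bytes([0xA0 | len(b)]) + b if len(b) < 32 else b"\xda" + len(b).to_bytes(2, "big") + b

def encode_topic_overrides(version, overrides):
    """Inverse of decode_topic_overrides; returns unpadded base64 as the config file stores it."""
    out = b"\x01" + encode_uint(version) + encode_uint(len(overrides))
    for key, value in overrides.items():
        out += encode_str(key) + encode_str(value)
    return base64.b64encode(out).decode("ascii").rstrip("=")
```

Paste the TopicOverrides value from your own DXL_property.config into decode_topic_overrides; whitespace from line wrapping is removed before decoding. encode_topic_overrides is the inverse, useful to confirm that a list assembled from the DxlState key/value lines serializes to the same bytes the file holds (the encoding of the eight pairs above with version 248 starts with the same "Acz4CNoAIi9t" prefix as the value on this page).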