15th May 2024

How to Get McAfee MAR (Active Response) and EPO Server Logs?

In some cases, McAfee technical support may request logs from us. They asked us for McAfee MAR (Active Response) and EPO server logs. Follow the steps below to collect them.

Getting logs from MAR server

To collect logs from the MAR server, we run the MER tool with the “mfe_tie_dxl_log_collector.sh” command as the root user on the MAR server.

chmod -R 777 <location of file>

Note: The MER tool is available on the MAR server by default.

The MER tool collects the following McAfee product data.

| TIE Server Information and System Data | Default Location | Supported TIE Feature: TIE 3.x | TIE 2.3.x | TIE 2.2 |
|---|---|---|---|---|
| Daemon log included in MER | /var/log/daemon.log | Yes | Yes | No |
| Kernel log included in MER | /var/log/kern.log | Yes | Yes | No |
| DXL IPE logs | /var/McAfee/dxlbroker/logs/ipe*.log | Yes | Yes | No |
| Generated output is written to: | /data/tieserver/mer/mfe_tie_dxl_.tgz | Yes | Yes | Yes |
| Or generation | | Yes | Yes | Yes |
| TIE Server installation logs | /tmp/*.log | Yes | Yes | Yes |
| TIE Server installation logs/errors | /tmp/*.err | Yes | Yes | Yes |
| Error CP information | /tmp/ERR* | Yes | Yes | Yes |
| First boot and network setup information | /tmp/LOG* | Yes | Yes | Yes |
| McAfee Agent logs | /var/McAfee/agent/logs/* | Yes | Yes | No |
| McAfee Agent automated upgrade log | /var/log/MFEcma* | Yes | No | No |
| DXL Broker component log | /var/McAfee/dxlbroker/logs/* | Yes | Yes | Yes |
| DXL Broker Policy | /var/McAfee/dxlbroker/policy/* | Yes | Yes | Yes |
| TIE Server log | /var/McAfee/tieserver/logs/*.* | Yes | Yes | Yes |
| TIE Server policy | /var/McAfee/tieserver/policy/* | Yes | Yes | Yes |
| TIE Server replication auto recovery | /var/log/replication-auto-recovery.log | Yes | Yes | Yes |
| TIE/PostgreSQL configuration files and stats | /data/tieserver_pg/*.conf | Yes | Yes | Yes |
| MAR Server configuration files | /opt/McAfee/marserver/conf* | Yes | No | No |
| System Cron Info | /var/log/cron* | Yes | Yes | Yes |
| Sysstat Information (ksar.txt) | /var/log/sa/* | Yes | Yes | Yes |
| Kernel message buffer | /var/log/dmesg.old | Yes | No | No |
| Environment Descriptor | /etc/McAfee/environment.sh | Yes | No | No |
| TIE/DXL API metrics (.csv) | /var/McAfee/tieserver/monitoring | Yes1 | Yes1 | Yes1 |
| TIE Server traffic logs (.csv) | /data/tieserver/traffic/* | Yes1 | Yes1 | Yes1 |
| FIPS Info | /var/log/kern.log | Yes | Yes | Yes |
| Java security | /opt/McAfee/tieserver/jre/lib/security/java.security | Yes | Yes | Yes |
| System Java Process dump | MLOS process | Yes | Yes | Yes |

After running the file, you can download the generated file from the server with WinSCP.
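
The chmod -R 777 step above leaves the location readable and writable by every account on the server. As an added example (not part of the original post or of McAfee's tooling), the script below copies the generated archive into a private staging directory for a single transfer account, writes a SHA-256 checksum beside it, and counts the archive members that fall under the configuration and policy locations from the table. The function names, the staging directory and the idea that archive members keep their source paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of McAfee tooling.
# Assumption: archive members keep the source paths listed in the table.

# stage_mer_bundle ARCHIVE STAGING_DIR [OWNER]
# Copy the archive into a private directory (0700) as a 0600 file, optionally
# owned by OWNER (needs root), write a SHA-256 checksum, print the staged path.
stage_mer_bundle() {
    [ -f "$1" ] || { echo "no such archive: $1" >&2; return 1; }
    install -d -m 700 ${3:+-o "$3"} "$2" || return 1
    install -m 600 ${3:+-o "$3"} "$1" "$2/" || return 1
    name=$(basename "$1")
    ( cd "$2" && sha256sum "$name" > "$name.sha256" ) || return 1
    printf '%s\n' "$2/$name"
}

# bundle_inventory ARCHIVE
# Print "category count" lines for members under the configuration and
# policy locations from the table; everything else is counted as "other".
bundle_inventory() {
    [ -f "$1" ] || { echo "no such archive: $1" >&2; return 1; }
    tar -tzf "$1" | awk '
        /\/$/                          { next }   # directory entries
        /McAfee\/dxlbroker\/policy\//  { n["dxl_broker_policy"]++; next }
        /McAfee\/tieserver\/policy\//  { n["tie_server_policy"]++; next }
        /tieserver_pg\/.*\.conf$/      { n["postgresql_conf"]++; next }
        /McAfee\/marserver\/conf/      { n["mar_server_conf"]++; next }
        /McAfee\/environment\.sh$/     { n["environment_descriptor"]++; next }
        /security\/java\.security$/    { n["java_security"]++; next }
                                       { n["other"]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# Usage (archive name, staging path and account are placeholders):
#   staged=$(stage_mer_bundle /data/tieserver/mer/<archive>.tgz /home/<user>/mer <user>)
#   bundle_inventory "$staged"
```

The transfer account then downloads the staged file over WinSCP, and the .sha256 file lets the recipient confirm the archive arrived unchanged.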



Getting Logs from McAfee EPO Server

After downloading the MER tool from the link below, run it on the EPO server. Log collection will take some time. Then save the collected logs somewhere.


Download MER tool


First, we run the downloaded MER tool as follows.

MER tool license


On the screen that comes up, we continue as follows.

Auto-Detect product


It will take some time to collect the logs after pressing the start button.

system information


Finally, after the log collection is finished, save it to the desktop as follows.






