McAfee MER Analyzer Walkthrough Guide
COPYRIGHT
Copyright © 2012 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
McAfee MER Analyzer 2.1 Walkthrough Guide
Contents

Introducing MER Analyzer
  MER Analyzer 2.1 features
  System requirements
  Supported products and components
Installing MER Analyzer
  Installing MER Analyzer on COE systems
  Installing MER Analyzer on engineering systems
  Uninstalling MER Analyzer
Getting Started with MER Analyzer
  MER Analyzer user interface
  Loading a file
  Canceling product data parsing
  Archive MER file data views
    General view
    Configuring Global Error Search
    File Explorer view
    File Listing view
  EWS archive file data views
    General view
    Database view
    File Explorer view
  Opening supported files
  Opening unsupported files
  Filtering data
    Filtering column data
    Filtering by comparing data
  Find and Filter Text
  Searching online knowledge databases
  Updating MER Analyzer
Using MER Analyzer
  Working with Network Security Platform encrypted files (.enc)
    Filtering files based on log error category
    Exporting decrypted .enc files
    Adding new product categories to Network Security Platform online error code database
    Editing errors
    Deleting errors
    Adding new Error codes to the Network Security Platform online database
  Working with EWS files
    Configuring Real-Time Logs settings
    Configuring Error Detection settings
    EWS Dictionary Manager
  Using Rule Builder
    Creating a new rule file
    Creating a new component entry
    Importing existing component entry
    Editing a rule
    Uploading and sharing product rules
    Approving uploaded rules
  Using Rule Analyzer
Introducing MER Analyzer
MER Analyzer extracts and opens MER results archive files (MER tool files). MER Analyzer parses the data of interest to McAfee technicians into an easy-to-read GUI format, to assist support technicians in resolving product issues found on customer systems. MER Analyzer supports Network Security Platform archives (.enc), Email and Web Security archives (.zip), and other McAfee product archive files generated by the MER tool, such as Host Intrusion Prevention Shield, Common McAfee Agent, and ePolicy Orchestrator.
MER Analyzer has an intelligence framework that analyzes MER .tgz files. The framework consists of two components:
• Rule Analyzer — Allows users to execute predefined product rules on MER .tgz files.
• Rule Builder — Enables users to create product-specific rule files that can be stored locally and shared with other MER Analyzer users.
This chapter provides information on the following topics:
MER Analyzer 2.1 features
System requirements
Supported products and components

MER Analyzer 2.1 features
• MER Analyzer Rule Analyzer — Allows you to analyze MER .tgz files using a predefined set of product-specific rules.
• MER Analyzer Rule Builder — Allows you to create product-specific rule files which can be shared with other MER Analyzer users.
• Supports Bugzilla search — Allows you to search for keywords in Bugzilla from all the views.
• Support for Sensor M8000 trace files — Allows Log Wizard users to decrypt Sensor M8000 trace files.
• Supports Windows 7 COE — Allows you to install and use MER Analyzer on Microsoft Windows 7 COE systems.
• Support for Sensor Aid logs — Allows Log Wizard users to view Sensor Aid logs.
• Support for MOVE AV Scheduler 1.x — MER Analyzer now supports MOVE AV Scheduler 1.x MER .tgz files.
• Support for McAfee Inventory agent 2.x — MER Analyzer now supports McAfee Inventory agent 2.x.
System requirements
MER Analyzer COE system prerequisites:

Operating system:
• Microsoft Windows XP Professional Service Pack 1
• Microsoft Windows 7 64-bit
Microsoft Log Parser: 2.2 (Will be installed automatically as part of the COE installation package during MER Analyzer installation)
Microsoft .NET Framework 2.0 Redistributable Package (x86): (Will be installed automatically as part of the COE installation package during MER Analyzer installation)

MER Analyzer Engineering system prerequisites:

Operating system:
• Microsoft Windows XP Professional Service Pack 2
• Microsoft Windows 2003
• Microsoft Windows 2008
• Microsoft Windows Vista Service Pack 1
• Microsoft Windows 7
Microsoft Log Parser: 2.2
Microsoft .NET Framework 2.0 Redistributable Package (x86)
Supported products and components
Refer to the KB article KB70071 (http://kb.mcafee.com/agent/index?page=content&id=KB70071) for the list of supported products and components.
Installing MER Analyzer
MER Analyzer can be installed on both COE and engineering systems. This chapter provides information on the following topics:
Installing MER Analyzer on COE systems
Installing MER Analyzer on engineering systems
Uninstalling MER Analyzer

Installing MER Analyzer on COE systems
Use this task to install MER Analyzer on your COE systems.
Task
1 Run the following line from your Command prompt: //nai-corp/coeapps/ecoe/MERAnalyzer/E-MerAnalyzer21.exe
This starts the MERAnalyzer 2.1.0 installation package on COE systems.
NOTE: EWS COE users should install Postgres from the following location: //nai-corp/coeapps/ECOE/MERAnalyzer/pre-requisites/E-Postgres.exe
Installing from this location overwrites any existing Postgres installation and resolves Postgres Service failure issues.
Installing MER Analyzer on engineering systems
Use this task to install MER Analyzer on your engineering system.
Task
1 Download the MERAnalyzerSetup.msi file to a temporary location from //ca-server/Products/McAfeeB2B/Supportability/MERAnalyzer/Version2_1/
NOTE: To install MER Analyzer on COE systems, run the following command from your command prompt: \\nai-corp\coeapps\ecoe\MERAnalyzer\E-MerAnalyzer21.exe
2 Double-click the MERAnalyzer.msi file. The Welcome to the MERAnalyzer Setup Wizard page appears.
3 Click Next. The Select Installation Folder page appears.
4 Click Next to install MERAnalyzer in the default location, or click Browse to change the installation path.
5 In the Confirm Installation page, click Next to start the installation.
6 When the installation completes, the Installation Complete page appears. Click Close.
Uninstalling MER Analyzer
Use this task to uninstall MER Analyzer.
Task
1 Click Start | Settings | Control Panel | Add or Remove Programs.
NOTE: To uninstall MER Analyzer from COE systems, raise an IT HelpDesk ticket.
2 Select MERAnalyzer from the programs list, then click Remove. The Add or Remove Programs dialog box appears.
3 Click Yes to confirm the uninstallation.
Getting Started with MER Analyzer
This chapter provides information on the following topics:
MER Analyzer user interface
Loading a file
Canceling product data parsing
Archive MER file data views
EWS archive file data views
Opening supported files
Opening unsupported files
Filtering data
Find and Filter Text
Searching online knowledge databases
Updating MER Analyzer
MER Analyzer user interface To launch the MER Analyzer user interface, click Start | Programs | McAfee | MERAnalyzer | MERAnalyzer.
From the left pane of the user interface, you can navigate to different data views of the archive files. The right pane of the user interface displays the parsed data from the archive files.
Loading a file To open an archive file using MER Analyzer, in the user interface click File | Open. Browse for the required file, then click Open.
Canceling product data parsing To load MER files quickly, right-click the product data, then click Cancel Loading. This stops loading unnecessary data files.
Archive MER file data views
MER Analyzer supports three types of data views for archive MER files:
• General view — Provides an overview of the MER file.
• File Explorer view — Displays the list of files in the MER (.tgz) file in explorer view. Double-click a file to view its details.
• File Listing view — Lists the files in the MER (.tgz) file.
General view
The General view of the archive MER file provides an overview of the system details and of the McAfee products installed on the system on which the MER tool was run.
NOTE: Use Add to Bookmarks to bookmark log files. Wildcard characters can be used to bookmark log files.
MER Analyzer displays the last MVT Execution ID in the MER Result section. Click this link to open the eReports website, where the details of the last MVT Execution ID are displayed.

General details

System Information: Displays the system details including:
• OS Information — Displays the operating system name, version, and language.
• IE Information — Displays the Microsoft Internet Explorer version, build, and language.
• Hardware Information — Displays the hardware specification such as processor, memory, and IP address of the system.
Under System Information, double-click the MSinfo.nfo file to display detailed information about the system.
Processes: Displays all the running processes logged in the MSinfo.nfo.
Services: Displays all the McAfee, Microsoft, and other services running on the system.
Registry: Displays the registry details of the system.
Event Logs: Displays application, security, and system log details such as type, source, user, and description generated on the system. NOTE: Use Add to Bookmarks to bookmark log files. Wildcard characters can be used to bookmark log files.
Global Error Search: Displays the errors extracted from the archive file in the result. Click an error to display it within the context of the log. You can customize the Global Error Search by configuring the search settings.
DrWatson Logs: Displays a list of Dr. Watson log files. Double-click a log file to view its details. Dr. Watson logs collected on non-English systems can be viewed in the following localized languages:
• German
• French
• Italian
• Spanish
• Japanese
• Korean
• Chinese – Simplified and Traditional
• Dutch
• Swedish
• Portuguese - Brazilian
Drivers: Displays all system and digitally signed software drivers. System and Signed drivers are categorized as:
• McAfee System/Signed drivers
• System/Signed drivers (All non-McAfee drivers)
File List: Lists all the files in the MER file.
MER Activity Log: Lists all the activities logged during creation of the MER file.
MER Statistics: Lists the statistics associated with the creation of the MER.
MER Results: Displays the general customer case information, MER settings, and the products selected during the creation of the MER file.
Product details
To search for specific defined terms in the product logs, click Products on the MER Explorer, define the error and warning search terms, then click Search.
NOTE: Use Add to Bookmarks to bookmark log files. Wildcard characters can be used to bookmark log files.

Processes: Displays all processes associated with the product. If the process was running when the results were collected, complete process information is displayed. If the process was stopped, only limited information is available.
Registry: Displays key product registry information.
Logs: Displays all logs associated with the product. Double-click a log file to view its details.
DrWatson Crashes: Displays all Dr. Watson crashes associated with the product.
Errors: Displays all errors extracted from the product log files. Click an error to display it within the context of the log.
Warnings: Displays all warnings extracted from the product log files. Click a warning to display it within the context of the log. Double-click to open the log file which contains the warning.
Configuring Global Error Search
Use this task to configure Global Error Search options for archive MER files.
Task
1 Open a .tgz file, then click Global Error Search on the left pane. The Global Error Search page appears on the right pane.
2 Click the Search Options tab. On the Search Options dialog box, configure the search options as required:
File Types: Specify the file types that will be searched for the terms specified in the Error and Warning Search tabs. Use Perform Global/Product search when loading a file to search after a MER file is extracted and being parsed. Use the Perform second column E check option to search McAfee Agent log files.
Error Search Term: Specify the terms that will be identified as errors when searching log files.
Warning Search Term: Specify the terms that will be identified as warnings when searching log files.
3 Click Search after configuring all the tabs. The search result is displayed in the Results tab.
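The search described above combines three settings: the file types to scan, the terms classed as errors, and the terms classed as warnings, with each hit shown in the context of its log. The following Python script is an added example written for this guide, not MER Analyzer code; it applies those settings to the text files of an already extracted archive. The file names, log lines, and default term lists are constructed for the example.

```python
"""Added example (not MER Analyzer code): a minimal Global Error Search over
the text files of an extracted MER archive. Settings mirror the Search Options
tabs described in the guide: file types, error terms, warning terms."""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class SearchOptions:
    file_types: list          # glob patterns matched against the file name, e.g. "*.log"
    error_terms: list         # case-insensitive substrings classed as errors
    warning_terms: list       # case-insensitive substrings classed as warnings
    context: int = 1          # lines of context kept before and after a hit


@dataclass
class Hit:
    path: str
    line_no: int              # 1-based line number in the file
    kind: str                 # "error" or "warning"
    term: str                 # the search term that matched
    line: str
    context: list = field(default_factory=list)


def _matches_type(path, patterns):
    """File Types tab: only files whose name matches one of the patterns are searched."""
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns)


def global_error_search(files, opts):
    """files: {relative_path: text}. Returns hits ordered by path, then line.
    Error terms are checked before warning terms, so a line that matches both
    is reported once, as an error."""
    checks = [("error", t) for t in opts.error_terms] + \
             [("warning", t) for t in opts.warning_terms]
    hits = []
    for path in sorted(files):
        if not _matches_type(path, opts.file_types):
            continue
        lines = files[path].splitlines()
        for i, line in enumerate(lines):
            low = line.lower()
            for kind, term in checks:
                if term.lower() in low:
                    lo = max(0, i - opts.context)
                    hi = min(len(lines), i + opts.context + 1)
                    # context = the lines a technician sees when clicking the hit
                    hits.append(Hit(path, i + 1, kind, term, line, lines[lo:hi]))
                    break
    return hits


def summarize(hits):
    """Counts per kind, as shown on a Results tab."""
    counts = {"error": 0, "warning": 0}
    for h in hits:
        counts[h.kind] += 1
    return counts


# Constructed sample archive contents (paths and log lines are invented).
SAMPLE_FILES = {
    "agent/McScript.log": (
        "2012-01-05 10:00:01 I Agent started\n"
        "2012-01-05 10:00:02 E Failed to connect to ePO server\n"
        "2012-01-05 10:00:03 W Retrying in 30 seconds\n"
    ),
    "vse/OnAccessScan.log": "Scan started\nError 1316: file not found\nScan complete\n",
    "sysinfo/MSinfo.nfo": "Error Failed to read\n",   # excluded: .nfo is not a searched type
}

# Constructed defaults standing in for the Search Options tabs.
DEFAULT_OPTIONS = SearchOptions(
    file_types=["*.log", "*.txt"],
    error_terms=["error", "failed"],
    warning_terms=["warning", "retrying"],
)

if __name__ == "__main__":
    for h in global_error_search(SAMPLE_FILES, DEFAULT_OPTIONS):
        print(f"{h.kind:7} {h.path}:{h.line_no}  {h.line}")
    print(summarize(global_error_search(SAMPLE_FILES, DEFAULT_OPTIONS)))
```

Running the script reports two errors and one warning; the MSinfo.nfo line is skipped because .nfo is not among the file types, which is the same reason a badly chosen File Types list silently hides errors in the real tool.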
File Explorer view File Explorer view lists all the files in the archive MER file in explorer view. This view supports file filtering based on their type.
File Listing view File Listing view lists all the files in the archive MER file. This view supports file filtering based on their name, type, size, modified date, modified time, and relative path.
EWS archive file data views
MER Analyzer supports three types of data views for EWS files:
• General view — Provides an overview of the EWS system information and other related details.
• Database view — Queries the EWS PostgreSQL database.
• File Explorer view — Displays the list of files in the EWS archive file (.zip) in explorer view. Double-click a file to view its details.

General view

System Reports: Displays the system details such as system information, network details, process details, certificate details, and patches/hotfixes installed.
Real-Time Logs: Displays the real-time log properties extracted from the archive file in the result.
Error Detection: Displays the errors extracted from the specified log file in the result. These logs can be added to Reports.
Global Search Error: Displays the errors extracted from the archive file in the result. Click an error to display it within the context of the log. You can customize the Global Error Search by configuring the search settings.
Escalation Checklist: Displays information required during the escalation process. Each checklist contains generic and product-specific information.
Database view

System: Queries the EWS database for system parameters, including:
• User and User Interface
• Hardware and Resources
• Updates
• Network
Web Reports: Queries the EWS database for web report parameters, including:
• HTTP/ICAP/FTP
• Web Detection
Email: Queries the EWS database for email parameters, including:
• SMTP
• Transport.log
• Email Detection
Protocol: Queries the EWS database for protocol parameters, including:
• Conversation
• Protocol Events
DLP: Queries the EWS database for DLP Detection parameters.
Web Detection: Queries the EWS database for web detection parameters, including:
• Viruses/PuPs-Web
• Filtered URL-Web
• Content-Web
Email Detection: Queries the EWS database for email detection parameters, including:
• Viruses/PuPs-Web
• Content
• Spam
• Sender Authentication
Mail: Queries the EWS database for mail parameters, including:
• Record
• Priority Domain
• Domain Status
• Domain
• Delivery Strategy
File Explorer view File Explorer view lists all the files in the archive MER file in explorer view. This view supports file filtering based on their type.
Opening supported files
MER Analyzer supports the following default file views:
• Dr.Watson log – Displays in Dr.Watson view
• *.Log – Displays in list view with filters
• *.Csv – Displays in list view with filters
• *.txt – Displays in text view with filters
• *.xml – Displays in xml view
Double-click a file to view its details.
Opening unsupported files To open an unsupported file, select the supported program in the Open With dialog box when prompted.
Filtering data
Use the filter options to filter unwanted data out of the log files. You can select the filter type from the drop-down menu.
Filtering column data
You can filter the log file details displayed in a column in the right pane of the user interface. The filtering options include:
• Filter Data As – Use this option to select the data type of the column. The supported data types are string, number, and date.
• Clear Filter – Clears the filter text.
• Ignore Case – Ignores the case of the data while filtering.
To filter unwanted log details, click , then select the filter type and type the required data. The log details which match the filter data appear on the right pane of the user interface.
Example: If you type McAfee, only the data which contain the term McAfee in the selected column will be displayed.
Filtering by comparing data
You can use the comparison types to filter data in the log file. The supported comparison types are less than (<), less than or equal to (<=), greater than (>), greater than or equal to (>=), and not (!).
To filter log details using comparison types, click , then select the filter type and type the required data with the comparison type. The log details which match the filter data appear on the right pane of the user interface.
Example: To filter dates greater than or equal to 10/10/2006, set Filter Data As to Date, then type >=20/10/2006.
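The two filtering sections above describe one mechanism: a column is given a type (string, number, or date), the filter text may start with a comparison operator, and Ignore Case applies to strings. The following Python script is an added example written for this guide, not MER Analyzer code, showing how such a typed column filter behaves on sample rows; the column names, rows, and the day/month/year date format are assumptions made for the example.

```python
"""Added example (not MER Analyzer code): a column filter with the Filter Data As
type, the <, <=, >, >=, ! comparison prefixes, and the Ignore Case option."""
from datetime import datetime
import operator

# Ordering comparisons; "!" (not) and the no-prefix case are handled separately.
ORDER_OPS = {"<=": operator.le, ">=": operator.ge, "<": operator.lt, ">": operator.gt}


def parse_filter(text):
    """Split an optional comparison prefix from the value: ">=20/10/2006" -> (">=", "20/10/2006")."""
    text = text.strip()
    for sym in ("<=", ">=", "<", ">", "!"):   # two-character operators first
        if text.startswith(sym):
            return sym, text[len(sym):].strip()
    return None, text


def coerce(value, data_type, ignore_case):
    """Convert a cell or filter value according to the Filter Data As type."""
    if data_type == "number":
        return float(value)
    if data_type == "date":
        return datetime.strptime(value, "%d/%m/%Y")   # assumed day/month/year, as in the guide's example
    s = str(value)
    return s.lower() if ignore_case else s


def _equal(cell, needle, data_type):
    # Without an operator a string filter is a substring match (typing McAfee keeps
    # every row whose cell contains McAfee); number and date filters are exact.
    return needle in cell if data_type == "string" else cell == needle


def filter_rows(rows, column, filter_text, data_type="string", ignore_case=True):
    """Return the rows whose `column` value satisfies the filter.
    Cells that do not parse as the chosen type (e.g. "n/a" as a number) never match,
    which is the safe behaviour for a filter that narrows what a technician reviews."""
    op_sym, raw = parse_filter(filter_text)
    needle = coerce(raw, data_type, ignore_case)
    kept = []
    for row in rows:
        try:
            cell = coerce(row[column], data_type, ignore_case)
        except (ValueError, KeyError):
            continue
        if op_sym is None:
            match = _equal(cell, needle, data_type)
        elif op_sym == "!":
            match = not _equal(cell, needle, data_type)
        else:
            match = ORDER_OPS[op_sym](cell, needle)
        if match:
            kept.append(row)
    return kept


# Constructed sample rows resembling a process listing column set.
SAMPLE_ROWS = [
    {"Process": "McShield.exe",        "PID": "1404", "Modified": "09/10/2006"},
    {"Process": "McAfeeFramework.exe", "PID": "1520", "Modified": "10/10/2006"},
    {"Process": "explorer.exe",        "PID": "2288", "Modified": "25/10/2006"},
    {"Process": "mcafee-updater",      "PID": "n/a",  "Modified": "01/11/2006"},
]

if __name__ == "__main__":
    for r in filter_rows(SAMPLE_ROWS, "Modified", ">=10/10/2006", data_type="date"):
        print(r["Process"], r["Modified"])
    for r in filter_rows(SAMPLE_ROWS, "Process", "McAfee"):
        print(r["Process"])
```

Note the interaction between the type and the operator: ">=10/10/2006" compared as a string would sort "25/10/2006" after "10/10/2006" but also "09/10/2006" before it purely by character order, so the Filter Data As type must be set to Date before a date comparison is meaningful, exactly as the guide's example instructs.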
Find and Filter Text
The Find and Filter Text option allows you to search and filter data in the MER Analyzer supported files. It also allows you to create and delete custom filters.
To find and filter data in the log files:
1 Click Find Filter Text on the right pane of the user interface. The Find Filter Text dialog box appears.
2 Type the data, then click Search or Filter as required.
To save a filter, configure the filter options as required, then click Save Filter. To delete a filter, click Delete Filter.
Searching online knowledge databases
MER Analyzer uses these online knowledge databases to search terms in the files:
• http://kb.mcafee.com
• http://www.processlibrary.com
• http://eventid.net
• http://www.google.com
• https://bugzilla.corp.nai.org
To search terms in an online database, right-click a value, then select Select Cell. Right-click the selected value, then select the required database.
Updating MER Analyzer MER Analyzer updates automatically on start up. It also checks for updates regularly (by default hourly) when MER Analyzer is running. To update MER Analyzer manually, click Help | Check for updates.
Using MER Analyzer
This chapter provides information on the following topics:
Working with Network Security Platform encrypted files (.enc)
Working with EWS files
Using Rule Builder

Working with Network Security Platform encrypted files (.enc)
The MER Analyzer Log Wizard parses the following Network Security Platform log files:
• Ems.log
• EMSout.log
• Sensor.log
• Sensor.dbg
• Encrypted .enc files
• aid_*.log
NOTE: Sensor.log, aid_*.log, and Sensor.dbg files are included in the .enc files.
Filtering files based on log error category
Errors are categorized as Error, Audit, or Info. You can filter the log file details displayed in columns based on log error category, including:
• All
• Error
• Info
• Audit
To filter log details, select the log error category from the Select Category to Display drop-down menu.

Exporting decrypted .enc files
Log Wizard has the ability to export decrypted trace files. To export the decrypted .enc file, right-click Log Wizard on the MER Explorer, then select Export All. Specify the required location, then click OK.
Adding new product categories to Network Security Platform online error code database Use this task to add new product categories to Network Security Platform online error code database.
Task
1 Log in to the WebMER at: http://mer.mcafee.com/techsupport/.
2 Click Log Wizard | LogWizard New Category.
3 The ProductName is Network Security Platform by default. Type the new category name, then click Add.
Editing errors
You can also edit the details of specific errors from LogWizard in WebMER.
Task
1 Log in to the WebMER at: http://mer.mcafee.com/techsupport/.
2 Click Log Wizard, then click the required code to edit. The LogWizard Item page appears with the code details.
3 Edit the code as required, then click Update.

Deleting errors
Use this task to delete errors from LogWizard in WebMER.
Task
1 Log in to the WebMER at: http://mer.mcafee.com/techsupport/.
2 Click Log Wizard, then click Delete on the required code row and confirm the deletion.

Adding new Error codes to the Network Security Platform online database
Use this task to add new Error codes to the Network Security Platform online database.
Task
1 Log in to the WebMER at: http://mer.mcafee.com/techsupport/.
2 Click Log Wizard | LogWizard New Item.
3 Configure the error code details as required, then click Add.
Working with EWS files
MER Analyzer supports EWS archive files (.zip). It extracts the errors and real-time log properties from the archive file. It also supports a dictionary that is used as a database of pre-configured errors while detecting errors in the archive file.
Configuring Real-Time Logs settings Use this task to configure real-time properties chart settings.
Task
1 Start MER Analyzer, then open the EWS archive file (.zip).
2 On the General tab, click Real-Time Logs. The Real-Time Properties Chart window appears in the right pane.
3 Click Properties. The Property Selection dialog box appears.
4 Select the required real-time property(s), then click Add Selected Item(s) | Done.
5 Select the Date Range for which you require the real-time properties chart, then click Start to view the chart.
Configuring Error Detection settings
Use this task to configure error detection settings.
Task
1 Start MER Analyzer, then open the EWS archive file (.zip).
2 On the General tab, click Error Detection. The Error Detection Settings window appears in the right pane.
3 Select the date range for which you require the error detection result.
4 Click Edit. The Select Terms dialog box appears.
5 Add the term(s), then click Done.
6 Select the log file category and click .
7 Click Start to view the error detection result.
EWS Dictionary Manager
MER Analyzer supports the EWS Dictionary Manager, which is used as a database of pre-configured errors while detecting errors in the archive file.
To add error logs to the dictionary:
1 Click Edit | Preferences | EWS Dictionary. The Dictionary Manager appears.
2 Click Add Item, then configure the necessary details.
3 Click OK.
To delete an error log from the dictionary, select the error message, then click Delete Item and confirm the deletion.
Using Rule Builder
To launch Rule Builder, click Tools | Rule Building and Catalog.... You can create a new rule, open an existing rule, and administrators can approve uploaded rule files.
McAfee Customer Support users should add their WebMER credentials in Edit | Preferences | WebMER login details to:
• Mark rules for an internal McAfee audience only
• Upload rules for sharing
• Download rules intended for an internal McAfee audience only
• Approve rules submitted for sharing (Administrators only)
Creating a new rule file
Use this task to create and configure a new rule file.
Task
1 Click Tools | Rule building and Catalog. The Rule Builder and Catalog wizard appears.
2 Select Create new rule file, then click Next.
3 Select a Product Name and a Product Version. NOTE: The Rule Builder doesn't list the McAfee products and versions for which rules have already been created.
4 Type a valid KB Link, add any Suggestions, then select a Security Level for the rule. NOTE: Rules marked Internal can only be viewed by McAfee users; External rules can be viewed by all users.
5 Click Next. The Rule view appears.
6 On the Components tab, right-click a component, then add or import component entries. NOTE: Refer to Creating a new component entry and Importing an existing component entry for more details.
7 On the Rule tab, the rules are grouped in categories. Right-click the product name, then select Create Category. The New Category window appears.
8 Type a category name, then click Add Category. The category appears in the Rule tab.
9 To add rules to the category, right-click the category, then select Create Rule. The Rule Builder window appears.
10 Type a name for the rule and the other rule information, then click Add Rule. The Rule Builder — Add Criteria dialog box appears.
11 To add criteria to the rule, select a criterion from the list, then click the logical operation in the Expression Builder. The list of logical criteria for the rule appears in the Expression Builder.
12 Click Add Criteria to add the new rule. The new rule now appears on the Rule tab of the Rule view.
Creating a new component entry
MER Analyzer supports six types of components: Registry, File, Event, Process, Service, and Driver. Use this task to create a new component entry.
Task
1 In the Components tab of the Rule view, right-click a component type, then select Create Entry. The new entry window appears.
2 Type the Operation details and the other required component details, then click Create.
Importing an existing component entry
MER Analyzer supports six types of components: Registry, File, Event, Process, Service, and Driver. You can import these component entries from the local machine, an existing rule file, or a .TGZ file. Use this task to import an existing component entry.
Task
1 To import component entries from the local machine, right-click a component type, then select Machine.
• When importing component entries for a file from the local machine, on the Select the File Options window, browse for the file, then add the text you want to search the file for. NOTE: You can also select text and right-click to add it as search criteria.
• When importing component entries for an event from the local machine, select the Windows Event to add as criteria, then select the description text to search.
2 To import component entries from an existing rule file, right-click a component type, then select Rule File. The Rule Builder appears.
a Select the Product name and Product version, then click Next. The list of component entries appears.
b Select the components from the list, then click Add. The component entries appear on the Components tab of the Rule view.
3 To import component entries from a .TGZ file, right-click a component type, then select MER file.
a Browse for a .TGZ file on the local machine.
b Select the component entries, then click Add.
Editing a rule
Once a rule has been created, it is added to the Rule view. The rule can be edited using the Basic tab. Use this task to edit an existing rule.
Task
1 Click Tools | Rule building and Catalog. The Rule Builder and Catalog wizard appears.
2 Select Open rule file, then click Next.
3 Select a Product Name and a Product Version, then click Next. The rule for the selected product and version appears in the Rule view. NOTE: The Product Name and Product Version fields contain all versions of all McAfee products for which rules have not previously been created.
4 On the Basic tab, edit the required details, then click Save All. NOTE: A more detailed explanation is available in the Detail tab.
Uploading and sharing product rules
Uploader privileges are required to upload a rule. Contact DL Supportability MER if you require Uploader rights. Use this task to upload and share product rules.
Task
1 Open the rule file you want to upload.
2 Click Upload. The User Credentials window appears.
3 Type the email address and WebMER password, then click Login. Once the user is authenticated with the server, the Rule Upload window appears.
4 Select the rules to upload, then click Upload Rules. Before the rules are available to other MER Analyzer users, the uploaded rules must be approved by an administrator.
Approving uploaded rules
Administrator privileges are required to approve an uploaded rule. Contact DL Supportability MER if you require Rule Administrator rights. Rules uploaded by administrators are automatically approved and shared with other users. Use this task to approve or reject uploaded rules.
Task
1 Click Tools | Rule building and Catalog. The Rule Builder and Catalog wizard appears.
2 Select Approve Rules, then click Next. The User Credentials window appears.
3 Type the email address and WebMER administrator password, then click Login. The Requests submitted for review window appears.
4 In the Approve/Reject column, select Approved or Rejected, then click Submit. The approved rules are now available to other MER Analyzer users.
Using Rule Analyzer
To put the rules into operation, run the Rule Analyzer engine. To open the Rule Analyzer, click Rule Analysis in the MER Analyzer tree. The Analyzer task bar provides the following options:
• Analyze — Use this to run the rule engine
• Analyze Options — Use this to refine the rules
• View report — Use this to select the errors-only report or the full report
• Save — Use this to save the report in .htm format.
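The Rule Builder steps above (component entries, criteria joined by logical operations in the Expression Builder, a KB link, a suggestion and an Internal/External security level) and the Rule Analyzer options just listed (run the engine, errors-only or full report, save as .htm) describe a small rule engine. Here is an added Python example of that shape, written for this guide and not MER Analyzer's own implementation: the snapshot layout, the four operators, the rule names, the placeholder KB links and suggestions, and the file and registry paths are all constructed. Report cells are HTML-escaped so that text collected from a machine cannot inject markup into the saved report.

```python
"""Added example: Rule Builder-style rules run by a Rule Analyzer-style pass.
Illustrative code, not MER Analyzer's implementation; snapshot layout,
operators, rule names, KB links and suggestions are constructed."""
from dataclasses import dataclass
from html import escape

COMPONENT_TYPES = ("Registry", "File", "Event", "Process", "Service", "Driver")
AGENT_EXE = r"C:\Program Files\ExampleVendor\agent.exe"        # placeholder path
VERSION_KEY = r"HKLM\SOFTWARE\ExampleVendor\Agent\Version"     # placeholder key

# Constructed snapshot of collected machine state: component type -> entry -> value.
SAMPLE_SNAPSHOT = {
    "Registry": {VERSION_KEY: "4.8"},
    "File": {AGENT_EXE: "4.8.0.1"},
    "Service": {"ExampleAgent": "Stopped"},
    "Event": {"Event 7031": "The ExampleAgent service terminated unexpectedly"},
}


@dataclass
class Criterion:
    component: str      # one of COMPONENT_TYPES
    key: str            # entry name inside that component (path, service, event ...)
    op: str             # exists | missing | equals | contains
    value: str = ""
    def matches(self, snapshot):
        if self.component not in COMPONENT_TYPES:
            raise ValueError("unknown component type: " + self.component)
        entries = snapshot.get(self.component, {})
        if self.op == "exists":
            return self.key in entries
        if self.op == "missing":
            return self.key not in entries
        if self.key not in entries:
            return False     # equals/contains never match an absent entry
        actual = str(entries[self.key])
        if self.op == "equals":
            return actual == self.value
        if self.op == "contains":
            return self.value.lower() in actual.lower()
        raise ValueError("unknown operator: " + self.op)


@dataclass
class Rule:
    name: str
    category: str
    kb_link: str
    suggestion: str
    security_level: str  # "Internal" (McAfee users only) or "External"
    criteria: list
    operators: list      # "AND"/"OR" between consecutive criteria, left to right
    def evaluate(self, snapshot):
        if len(self.operators) != len(self.criteria) - 1:
            raise ValueError("one logical operation is needed between each pair of criteria")
        result = self.criteria[0].matches(snapshot)
        for op, crit in zip(self.operators, self.criteria[1:]):
            hit = crit.matches(snapshot)
            if op not in ("AND", "OR"):
                raise ValueError("unknown logical operation: " + op)
            result = (result and hit) if op == "AND" else (result or hit)
        return result


def analyze(rules, snapshot, audience="External", errors_only=False):
    """Run every rule the audience may see; a rule that fires is a detected problem."""
    rows = []
    for rule in rules:
        if rule.security_level == "Internal" and audience != "Internal":
            continue                    # Internal rules stay hidden from other users
        fired = rule.evaluate(snapshot)
        if not errors_only or fired:
            rows.append({"category": rule.category, "rule": rule.name, "fired": fired,
                         "kb_link": rule.kb_link, "suggestion": rule.suggestion})
    return rows


def report_html(rows):
    """Render report rows as a minimal .htm document with every cell escaped."""
    cells = lambda r: (escape(r["category"]), escape(r["rule"]), "ERROR" if r["fired"] else "OK",
                       escape(r["kb_link"], quote=True), escape(r["suggestion"]))
    body = "".join('<tr><td>%s</td><td>%s</td><td>%s</td><td><a href="%s">KB</a></td>'
                   "<td>%s</td></tr>" % cells(r) for r in rows)
    return ("<html><body><table><tr><th>Category</th><th>Rule</th><th>Result</th>"
            "<th>Link</th><th>Suggestion</th></tr>" + body + "</table></body></html>")


SAMPLE_RULES = [   # constructed rules; KB links are placeholders
    Rule("Agent installed but service stopped", "Service state",
         "https://kb.example.invalid/KB000001", "Start the ExampleAgent service.", "External",
         [Criterion("File", AGENT_EXE, "exists"),
          Criterion("Service", "ExampleAgent", "equals", "Stopped")], ["AND"]),
    Rule("Agent not installed", "Installation",
         "https://kb.example.invalid/KB000002", "Reinstall the agent.", "External",
         [Criterion("File", AGENT_EXE, "missing"),
          Criterion("Registry", VERSION_KEY, "missing")], ["OR"]),
    Rule("Service crash recorded", "Events",
         "https://kb.example.invalid/KB000003", "Collect the crash details for support.", "Internal",
         [Criterion("Event", "Event 7031", "contains", "terminated unexpectedly")], []),
]
```

`analyze(SAMPLE_RULES, SAMPLE_SNAPSHOT)` is the full report for an external user: the stopped-service rule fires, the not-installed rule does not, and the Internal rule is withheld. Passing `errors_only=True` mirrors the View report choice, `audience="Internal"` adds the Internal rule, and `report_html(...)` is what Save would write to the .htm file. Criteria are combined strictly left to right, which is the simplest reading of adding one logical operation per criterion in the Expression Builder; a real engine may apply precedence, so check the product's behaviour before relying on mixed AND/OR chains.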
Index
C
cancelling parsing 10
L
loading file 10
M
MER Analyzer
loading file 10