How to use the Threat Intelligence Exchange Server MER tool


Environment
McAfee Minimum Escalation Requirements (MER) tool for Threat Intelligence Exchange (TIE) Server
McAfee TIE Server 2.3.x, 2.1.x, 2.0.x, 1.3.x

Summary

Run the MER tool
To run the MER tool for TIE Server, switch to the Root user, type the following command, and press Enter:
 
mfe_tie_dxl_log_collector.sh
 
The generated output is written in a directory according to the MER tool version. A message appears after the script execution.

Information about files collected by MER
The MER tool collects the following McAfee product data from the TIE Server so that Technical Support can analyze and resolve issues.
 
| TIE Server information and system data | Default location | Supported: TIE 2.3.x | Supported: TIE 2.1.0 / 2.0.0 | Supported: TIE 1.3.x |
|---|---|---|---|---|
| Daemon log included in MER | /var/log/daemon.log | Yes | No | No |
| Kernel log included in MER | /var/log/kern.log | Yes | No | No |
| DXL IPE logs | /var/McAfee/dxlbroker/logs/ipe*.log | Yes | No | No |
| Generated output is written to: | (TIE 2.0.x and later) /data/tieserver/mer/mfe_tie_dxl_.tgz; (TIE 1.3.x) /tmp/mfe_tie_dxl_.tgz | Yes | Yes | Yes |
| Alternative generation | - | Yes [1] | Yes [1] | Yes [1] |
| TIE Server installation logs | /tmp/*.log | Yes | Yes | Yes |
| TIE Server installation logs/errors | /tmp/*.err | Yes | Yes | Yes |
| Error CP information | /tmp/ERR* | Yes | Yes | Yes |
| First boot and network setup information | /tmp/LOG* | Yes | Yes | Yes |
| McAfee Agent logs | /var/McAfee/agent/logs/* | Yes | No | No |
| DXL Broker component log | /var/McAfee/dxlbroker/logs/* | Yes | Yes | Yes |
| DXL Broker Policy | /var/McAfee/dxlbroker/policy/* | Yes | Yes | Yes |
| TIE Server log | /var/McAfee/tieserver/logs/*.* | Yes | Yes | Yes |
| TIE Server policy | /var/McAfee/tieserver/policy/* | Yes | Yes | Yes |
| TIE Server replication auto recovery | /var/log/replication-auto-recovery.log | Yes | Yes | Yes |
| TIE/PostgreSQL configuration files and stats | opt/McAfee/tieserver/postgresql/* | Yes | Yes | Yes |
| System Cron Info | /var/log/cron* | Yes | Yes | No |
| Sysstat information (ksar.txt) | /var/log/sa/* | Yes | Yes | No |
| TIE/DXL API metrics (.csv) | /var/McAfee/tieserver/monitoring | Yes [2] | Yes [2] | No |
| TIE Server traffic logs (.csv) | /data/tieserver/traffic/* | Yes [2] | Yes [2] | No |
| FIPS Info | /var/log/kern.log, /var/log/secure*.log, /var/log/messages*.log | Yes | Yes | No |
| Java security | /opt/McAfee/tieserver/jre/lib/security/java.security | Yes | Yes | No |
| System Java Process dump | MLOS process | Yes | Yes | No |
 
[1] Alternative generation:
  1. Log on to the ServicePortal at https://support.mcafee.com/:
    • If you are a registered user, type your User ID and Password, and click Log In.
    • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions are emailed to you.
       
  2. Copy mfe_tie_dxl_log_collector.sh to the affected client computer.
  3. Change the file mode by typing the following command and pressing Enter:

    chmod +x mfe_tie_dxl_log_collector.sh
     
  4. Run the script by typing the following command and pressing Enter:

    sh mfe_tie_dxl_log_collector.sh

    The generated output is written in a directory according to the MER tool version. A confirmation message displays after the script execution.
     
  5. Submit the output file to Technical Support.
[2] Traffic logs generated for TIE Server 2.1.0 and later are included in the MER output if the -t flag is included in the command execution; for example:
 
mfe_tie_dxl_log_collector.sh -t

Traffic logs generated by previous versions of TIE Server using the TIE Server log parsing script are not included in the MER output, regardless of the -t flag. This flag applies only to traffic logs generated by TIE Server after enabling the DXL traffic logs through TIE Server Policy.

NOTE: The file is generated with root permissions. To move the file from Linux to a different system, such as Windows, you must use a tool such as WinSCP. You might receive a 'permissions denied' error message.

To resolve permissions denied errors, run the following command on the Linux box before you run WinSCP:
 
chmod -R 777 <location of file>
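
The NOTE above opens the output to every local account so that a non-root transfer login can read it; the MER archive carries the logs, policies and PostgreSQL configuration listed in the table. As an added example (not part of the McAfee article or the MER tool), the following script instead copies only the archive into a private directory for one transfer account and records a checksum for the receiving side to verify. The function names, staging directory and account name are assumptions, and it relies on GNU coreutils (install, sha256sum).

```bash
# Added example, not McAfee code. Function names, the staging directory and
# the transfer account are assumptions. Needs GNU coreutils (install, sha256sum).

# True when path $1 has exactly octal mode $2.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# stage_mer_archive SRC DEST_DIR [OWNER]
# Copies one MER archive into a private directory as 0600, optionally hands it
# to OWNER (requires root), and records a SHA-256 so the receiver can verify it.
stage_mer_archive() {
    local src dest_dir owner name dest
    src=$1; dest_dir=$2; owner=${3:-}
    # Test for a symlink first: -f follows links, and root should not copy
    # whatever a link in a shared directory such as /tmp points at.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "not a regular file: $src" >&2
        return 1
    fi
    name=$(basename "$src")
    dest=$dest_dir/$name
    # Private staging directory; the original archive keeps its root-only mode.
    mkdir -p "$dest_dir" || return 1
    chmod 0700 "$dest_dir" || return 1
    # install copies the file and sets its final mode in a single step.
    install -m 0600 "$src" "$dest" || return 1
    (cd "$dest_dir" && sha256sum "$name" > "$name.sha256") || return 1
    chmod 0600 "$dest.sha256" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dest_dir" "$dest" "$dest.sha256" || return 1
    fi
    printf '%s\n' "$dest"
}

# Usage on the TIE Server, as root (archive and account names are placeholders):
#   stage_mer_archive /data/tieserver/mer/<archive>.tgz /home/<transfer-user>/mer <transfer-user>
```

After the transfer, running `sha256sum -c` against the `.sha256` file on a system with GNU coreutils confirms the archive arrived intact; the staged copy can then be deleted.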