MER Analyzer 2.1 Walkthrough Guide

Upload: miguel-vargas

Post on 05-Jul-2018


8/16/2019 MER Analyzer 2.1 Walkthrough Guide

McAfee MER Analyzer Walkthrough Guide


COPYRIGHT

Copyright© 2012 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

McAfee MER Analyzer 2.1 Walkthrough Guide


Contents

Introducing MER Analyzer

    MER Analyzer 2.1 features

    System requirements

    Supported products and components

Installing MER Analyzer

    Installing MER Analyzer on COE systems

    Installing MER Analyzer on engineering systems

    Uninstalling MER Analyzer

Getting Started with MER Analyzer

    MER Analyzer user interface

    Loading a file

    Canceling product data parsing

    Archive MER file data views

        General view

        Configuring Global Error Search

        File Explorer view

        File Listing view

    EWS archive file data views

        General view

        Database view

        File Explorer view

    Opening supported files

    Opening unsupported files

    Filtering data

        Filtering column data

        Filtering by comparing data

    Find and Filter Text

    Searching online knowledge databases

    Updating MER Analyzer

Using MER Analyzer

    Working with Network Security Platform encrypted files (.enc)

        Filtering files based on log error category

        Exporting decrypted .enc files

        Adding new product categories to Network Security Platform online error code database

            Editing errors

            Deleting errors

        Adding new Error codes to the Network Security Platform online database

    Working with EWS files

        Configuring Real-Time Logs settings

        Configuring Error Detection settings

        EWS Dictionary Manager

    Using Rule Builder

        Creating a new rule file

        Creating a new component entry

        Importing existing component entry

        Editing a rule

        Uploading and sharing product rules

        Approving uploaded rules

    Using Rule Analyzer

    Introducing MER Analyzer

    MER Analyzer extracts and opens MER results archive files (MER tool files). MER Analyzer parses

    the data of interest to McAfee technicians into an easy to read GUI format, to assist support

    technicians in resolving product issues found on customer systems.

    MER Analyzer supports Network Security Platform archives (.enc), Email and Web Security

    archives (.zip), and other McAfee product archive files generated by the MER tool such as Host

    Intrusion Prevention Shield, Common McAfee Agent, and ePolicy Orchestrator.

    MER Analyzer has an intelligence framework that analyzes MER .tgz files. The framework consists

    of two components:

• Rule Analyzer — Allows users to execute predefined product rules on MER .tgz files.

• Rule Builder — Enables users to create product-specific rule files that can be stored locally and shared with other MER Analyzer users.

    This chapter provides information on the following topics:

    MER Analyzer 2.1 features

    System requirements

    Supported products and components

MER Analyzer 2.1 features

•   MER Analyzer Rule Analyzer — Allows you to analyze MER .tgz files using a predefined set of product specific rules.

    •   MER Analyzer Rule Builder — Allows you to create product specific rule files which can

    be shared with other MER Analyzer users.

    •   Supports Bugzilla search — Allows you to search for keywords in Bugzilla on all the views.

    •   Support for Sensor M8000 trace files — Allows Log Wizard users to decrypt Sensor

    M8000 trace files.

    •   Supports Windows 7 COE — Allows you to install and use MER Analyzer on Microsoft

    Windows 7 COE systems.

    •   Support for Sensor Aid logs — Allows Log Wizard users to view Sensor Aid logs.

    •   Support for MOVE AV Scheduler 1.x — MER Analyzer now supports MOVE AV Scheduler

    1.x MER .tgz files.

    •   Support for McAfee Inventory agent 2.x — MER Analyzer now supports McAfee Inventory

    agent 2.x.


System requirements

MER Analyzer COE system prerequisites:

• Operating system:

    • Microsoft Windows XP Professional Service Pack 1

    • Microsoft Windows 7 64-bit

• Microsoft Log Parser: 2.2 (installed automatically as part of the COE installation package during MER Analyzer installation)

• Microsoft .NET Framework: 2.0 Redistributable Package (x86) (installed automatically as part of the COE installation package during MER Analyzer installation)

MER Analyzer engineering system prerequisites:

• Operating system:

    • Microsoft Windows XP Professional Service Pack 2

    • Microsoft Windows 2003

    • Microsoft Windows 2008

    • Microsoft Windows Vista Service Pack 1

    • Microsoft Windows 7

• Microsoft Log Parser: 2.2

• Microsoft .NET Framework: 2.0 Redistributable Package (x86)

Supported products and components

Refer to the KB article KB70071 (http://kb.mcafee.com/agent/index?page=content&id=KB70071) for the list of supported products and components.


    Installing MER Analyzer

    MER Analyzer can be installed on both COE and engineering systems.

    This chapter provides information on the following topics:

    Installing MER Analyzer on COE systems

    Installing MER Analyzer on engineering systems

    Uninstalling MER Analyzer

Installing MER Analyzer on COE systems

Use this task to install MER Analyzer on your COE systems.

Task

1   Run the following line from your command prompt:

    \\nai-corp\coeapps\ecoe\MERAnalyzer\E-MerAnalyzer21.exe

This starts the MERAnalyzer 2.1.0 installation package on COE systems.

NOTE: EWS COE users should install Postgres from the following location:

    \\nai-corp\coeapps\ECOE\MERAnalyzer\pre-requisites\E-Postgres.exe

Installing from this location overwrites any existing Postgres installation and resolves Postgres service failure issues.

Installing MER Analyzer on engineering systems

Use this task to install MER Analyzer on your engineering system.

Task

1   Download the MERAnalyzerSetup.msi file to a temporary location from

    \\ca-server\Products\McAfeeB2B\Supportability\MERAnalyzer\Version2_1\

NOTE: To install MER Analyzer on COE systems, run the following command from your command prompt:

    \\nai-corp\coeapps\ecoe\MERAnalyzer\E-MerAnalyzer21.exe

2   Double-click the MERAnalyzerSetup.msi file. The Welcome to the MERAnalyzer Setup Wizard page appears.

3   Click Next. The Select Installation Folder page appears.

4   Click Next to install MERAnalyzer in the default location, or click Browse to change the installation path.


    5   In the Confirm Installation page, click  Next to start the installation.

    6   When the installation completes, the Installation Complete page appears. Click  Close.

Uninstalling MER Analyzer

Use this task to uninstall MER Analyzer.

Task

1   Click Start | Settings | Control Panel | Add or Remove Programs.

NOTE: To uninstall MER Analyzer from COE systems, raise an IT HelpDesk ticket.

2   Select MERAnalyzer from the programs list, then click Remove. The Add or Remove Programs dialog box appears.

3   Click Yes to confirm the uninstallation.


    Getting Started with MER Analyzer

    This chapter provides information on the following topics:

    MER Analyzer user interface

    Loading a file

    Canceling product data parsing

     Archive MER file data views

    EWS archive file data views

    Opening supported files

    Opening unsupported files

    Filtering data

    Find and Filter Text

    Searching online knowledge databases

    Updating MER Analyzer

MER Analyzer user interface

To launch the MER Analyzer user interface, click Start | Programs | McAfee | MERAnalyzer | MERAnalyzer.


    From the left pane of the user interface, you can navigate to different data views of the archive

    files. The right pane of the user interface displays the parsed data from the archive files.

Loading a file

To open an archive file using MER Analyzer, click File | Open in the user interface. Browse for the required file, then click Open.

Canceling product data parsing

To load MER files quickly, right-click the product data, then click Cancel Loading. This stops loading unnecessary data files.

Archive MER file data views

MER Analyzer supports three types of data views for archive MER files:

• General view — Provides an overview of the MER file.

• File Explorer view — Displays the list of files in the MER (.tgz) file in explorer view. Double-click a file to view its details.

• File Listing view — Lists the files in the MER (.tgz) file.


General view

General view of the archive MER file provides an overview of the system details and the McAfee product details installed on the system on which the MER tool was run.

NOTE: Use Add to Bookmarks to bookmark log files. Wildcard characters can be used to bookmark log files.

MER Analyzer displays the last MVT Execution ID in the MER Result section. Click this link to open the eReports website, which displays the details of the last MVT Execution ID.

General details

• System Information: Displays the system details, including:

    • OS Information: the operating system name, version, and language.

    • IE Information: the Microsoft Internet Explorer version, build, and language.

    • Hardware Information: the hardware specification such as processor, memory, and IP address of the system.

  Under System Information, double-click the MSinfo.nfo file to display detailed information about the system.

• Processes: Displays all the running processes logged in MSinfo.nfo.

• Services: Displays all the McAfee, Microsoft, and other services running on the system.

• Registry: Displays the registry details of the system.

• Event Logs: Displays application, security, and system log details such as type, source, user, and description generated on the system.

  NOTE: Use Add to Bookmarks to bookmark log files. Wildcard characters can be used to bookmark log files.

• Global Error Search: Displays the errors extracted from the archive file in the result. Click an error to display it within the context of the log. You can customize the Global Error Search by configuring the search settings.

• DrWatson Logs: Displays a list of Dr. Watson log files. Double-click a log file to view its details. Dr. Watson logs collected on non-English systems can be viewed in the following localized languages:

    • German

    • French

    • Italian

    • Spanish

    • Japanese

    • Korean

    • Chinese – Simplified and Traditional

    • Dutch

    • Swedish

    • Portuguese – Brazilian

• Drivers: Displays all system and digitally signed software drivers. System and Signed drivers are categorized as:

    • McAfee System/Signed drivers

    • System/Signed drivers (all non-McAfee drivers)

• File List: Lists all the files in the MER file.

• MER Activity Log: Lists all the activities logged during creation of the MER file.

• MER Statistics: Lists the statistics associated with the creation of the MER.

• MER Results: Displays the general customer case information, MER settings, and the products selected during the creation of the MER file.

Product details

To search for specific defined terms in the product logs, click Products on the MER Explorer, define the error and warning search terms, then click Search.

NOTE: Use Add to Bookmarks to bookmark log files. Wildcard characters can be used to bookmark log files.


• Processes: Displays all processes associated with the product. If the process was running when the results were collected, complete process information is displayed. If the process was stopped, only limited information is available.

• Registry: Displays key product registry information.

• Logs: Displays all logs associated with the product. Double-click a log file to view its details.

• DrWatson Crashes: Displays all Dr. Watson crashes associated with the product.

• Errors: Displays all errors extracted from the product log files. Click an error to display it within the context of the log.

• Warnings: Displays all warnings extracted from the product log files. Click a warning to display it within the context of the log. Double-click to open the log file which contains the warning.

Configuring Global Error Search

Use this task to configure Global Error Search options for archive MER files.

Task

1   Open a .tgz file, then click Global Error Search on the left pane. The Global Error Search page appears on the right pane.

2   Click the Search Options tab. In the Search Options dialog box, configure the search options as required.

• File Types: Specify the file types that will be searched for the terms specified in the Error and Warning Search tabs. Select Perform Global/Product search when loading a file to run the search once a MER file has been extracted and is being parsed. Select the Perform second column E check option to search McAfee Agent log files.

• Error Search Term: Specify the terms that will be identified as errors when searching log files.

• Warning Search Term: Specify the terms that will be identified as warnings when searching log files.

    3   Click  Search after configuring all the tabs. The search result is displayed in  Results tab.

File Explorer view

File Explorer view lists all the files in the archive MER file in explorer view. This view supports file filtering based on their type.


File Listing view

File Listing view lists all the files in the archive MER file. This view supports file filtering based on their name, type, size, modified date, modified time, and relative path.
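The File Listing view and the Global Error Search described above amount to a walk over the members of the .tgz plus a term search restricted by file type. The following Python script is an added example, not McAfee's code and not the MER Analyzer implementation, that reproduces both on a constructed in-memory archive. The member paths, log lines and search terms are invented for the demonstration, and the McAfee Agent log layout it assumes (date, time, then a one-letter E/W/I level column) stands in for the guide's "Perform second column E check" option. The .reg member is there to show why the File Types tab matters: it contains the word "Error" but is only searched if its type is enabled.

```python
"""Added example (not McAfee code): scan a MER-style .tgz the way the File
Listing view and Global Error Search do. All paths, log text and terms are
constructed for the demonstration."""
import io
import re
import tarfile
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a MER .tgz. The .reg member contains the word
# "Error" but is not a log: it shows why the File Types tab matters.
SAMPLE_FILES = {
    "Logs/McAfee/Agent/masvc.log": (
        "2012-03-01 10:00:01 I #1234 Service started\n"
        "2012-03-01 10:00:02 E #1234 Failed to connect to ePO server\n"
        "2012-03-01 10:00:03 W #1234 Retrying in 30 seconds\n"
        "2012-03-01 10:00:33 I #1234 Connected\n"),
    "Logs/VirusScan/OnAccess.txt": (
        "Scan started\n"
        "Warning: exclusion list is empty\n"
        "Error 0x80004005: scan engine failed to load\n"
        "Scan finished\n"),
    "Registry/HKLM_Software_McAfee.reg": '"Error"=dword:00000000\n',
}
SAMPLE_MTIME = 1341446400  # 2012-07-05 00:00:00 UTC; fixed so listings are stable
# Assumed McAfee Agent log layout: date, time, one-letter level (E/W/I).
# This stands in for the guide's "second column E check" option.
AGENT_LEVEL = re.compile(r"^\S+ \S+ ([EWI]) ")


@dataclass
class Hit:
    path: str           # member path inside the archive
    line_no: int        # 1-based line within the log
    severity: str       # "error" or "warning"
    line: str
    context: List[str]  # the hit together with its neighbouring lines


def build_sample_tgz() -> bytes:
    """Pack SAMPLE_FILES into a gzip-compressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in SAMPLE_FILES.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=path)
            info.size, info.mtime = len(data), SAMPLE_MTIME
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def list_files(tgz: bytes) -> List[dict]:
    """File Listing view: name, type, size, modified timestamp, relative path."""
    rows = []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                rows.append({"name": m.name.rsplit("/", 1)[-1], "type": _ext(m.name),
                             "size": m.size, "path": m.name,
                             "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(m.mtime))})
    return rows


def _terms_re(terms: List[str]):
    # An empty term list must match nothing, not everything.
    return re.compile("|".join(map(re.escape, terms)) if terms else r"(?!)", re.IGNORECASE)


def _classify(line: str, err_re, warn_re, level_check: bool) -> Optional[str]:
    if level_check and (m := AGENT_LEVEL.match(line)):
        return {"E": "error", "W": "warning"}.get(m.group(1))  # level column is authoritative
    if err_re.search(line):
        return "error"
    return "warning" if warn_re.search(line) else None


def global_error_search(tgz: bytes, file_types, error_terms, warning_terms,
                        level_check: bool = False, context: int = 1) -> List[Hit]:
    """Global Error Search: scan members whose extension is enabled in file_types
    for the error/warning terms; return each hit with `context` lines either side."""
    err_re, warn_re = _terms_re(error_terms), _terms_re(warning_terms)
    hits: List[Hit] = []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile() or _ext(m.name) not in file_types:
                continue
            lines = tar.extractfile(m).read().decode("utf-8", "replace").splitlines()
            for i, line in enumerate(lines):
                sev = _classify(line, err_re, warn_re, level_check)
                if sev:
                    lo, hi = max(0, i - context), min(len(lines), i + context + 1)
                    hits.append(Hit(m.name, i + 1, sev, line, lines[lo:hi]))
    return hits


def run_example():
    """Build the sample archive, list it, then search only .log and .txt members."""
    tgz = build_sample_tgz()
    hits = global_error_search(tgz, {"log", "txt"}, ["error", "failed"], ["warning"],
                               level_check=True)
    return list_files(tgz), hits


if __name__ == "__main__":
    for h in run_example()[1]:
        print(f"{h.severity.upper():7} {h.path}:{h.line_no}  {h.line}")
```

With the file types limited to log and txt, the run yields four hits (two errors, two warnings) and nothing from the .reg member; widening the set to include reg pulls the registry value in as a false positive, which is the trade-off the File Types tab exists to manage. The level-column check also keeps an agent line such as "Retrying in 30 seconds" classified as a warning even though no warning term appears in its text.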

EWS archive file data views

MER Analyzer supports three types of data views for EWS files:

• General view — Provides an overview of the EWS system information and other related details.

• Database view — Queries the EWS PostgreSQL database.

• File Explorer view — Displays the list of files in the EWS archive file (.zip) in explorer view. Double-click a file to view its details.

General view

• System Reports: Displays the system details such as system information, network details, process details, certificate details, and patches/hotfixes installed.

• Real-Time Logs: Displays the real-time log properties extracted from the archive file in the result.

• Error Detection: Displays the errors extracted from the specified log file in the result. These logs can be added to Reports.

• Global Error Search: Displays the errors extracted from the archive file in the result. Click an error to display it within the context of the log. You can customize the Global Error Search by configuring the search settings.

• Escalation Checklist: Displays information required during the escalation process. Each checklist contains generic and product-specific information.

Database view

• System: Queries the EWS database for system parameters, including:

    • User and User Interface

    • Hardware and Resources

    • Updates

    • Network

• Web Reports: Queries the EWS database for web report parameters, including:

    • HTTP/ICAP/FTP

    • Web Detection

• Email: Queries the EWS database for email parameters, including:

    • SMTP

    • Transport.log

    • Email Detection

• Protocol: Queries the EWS database for protocol parameters, including:

    • Conversation

    • Protocol Events

• DLP: Queries the EWS database for DLP Detection parameters.

• Web Detection: Queries the EWS database for web detection parameters, including:

    • Viruses/PuPs-Web

    • Filtered URL-Web

    • Content-Web

• Email Detection: Queries the EWS database for email detection parameters, including:

    • Viruses/PuPs-Web

    • Content

    • Spam

    • Sender Authentication

• Mail: Queries the EWS database for mail parameters, including:

    • Record

    • Priority Domain

    • Domain Status

    • Domain

    • Delivery Strategy

File Explorer view

File Explorer view lists all the files in the archive file in explorer view. This view supports file filtering based on their type.

Opening supported files

MER Analyzer supports the following default file views:

•   Dr.Watson log – Displays in Dr.Watson view

•   *.log – Displays in list view with filters

•   *.csv – Displays in list view with filters

•   *.txt – Displays in text view with filters

•   *.xml – Displays in xml view

Double-click the file to view details.

Opening unsupported files

To open an unsupported file, select the supported program in the Open With dialog box when prompted.

Filtering data

Use the filter options to filter unwanted data in the log files. You can select the filter type from the drop-down menu.

Filtering column data

You can filter the log file details displayed in a column in the right pane of the user interface.

The filtering options include:

•   Filter Data As – Use this option to select the data type of the column. The supported data types are string, number, and date.

•   Clear Filter – Clears the filter text.

•   Ignore Case – Ignores the case of the data while filtering.

To filter unwanted log details, click the filter icon, then select the filter type and type the required data. The log details which match the filter data appear in the right pane of the user interface.

Example: If you type McAfee, only the data which contain the term McAfee in the selected column will be displayed.


Filtering by comparing data

You can use comparison types to filter data in the log file. The supported comparison types are less than (<), greater than (>), equal to (=), and not (!).

To filter log details using comparison types, click the filter icon, then select the filter type and type the required data with the comparison type. The log details which match the filter appear in the right pane of the user interface.

Example: To filter dates greater than or equal to 10/10/2006, set Filter Data As to Date, then type >=20/10/2006.
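The comparison filter described above is a small expression language: an optional operator, then a value that is interpreted under the type chosen in Filter Data As, with Ignore Case applying to strings. The Python below is an added example, not MER Analyzer's code, that implements this over a handful of constructed event-log rows. It assumes dates are typed day/month/year, as in the guide's >=20/10/2006 example, or as ISO yyyy-mm-dd; treats a bare string as "contains" and a leading ! on a string as "does not contain"; and drops, rather than rejects, any cell that does not parse as the chosen type, which is how a date filter applied to a text column comes back empty instead of failing.

```python
"""Added example (not McAfee code): a column filter in the style of MER
Analyzer's Filter Data As, Ignore Case and comparison filters. The date
format and the sample rows are assumptions made for the demonstration."""
import operator
import re
from datetime import datetime
from typing import Callable, List

# Two-character operators are listed before one-character ones in the
# regex so ">=" is not read as ">" followed by "=".
OPERATORS = {">=": operator.ge, "<=": operator.le, "!": operator.ne,
             ">": operator.gt, "<": operator.lt, "=": operator.eq}
_OP_RE = re.compile(r"^(>=|<=|!|>|<|=)?\s*(.*)$", re.S)
# Assumed: dates are typed day/month/year, as in the guide's ">=20/10/2006"
# example, or as ISO yyyy-mm-dd.
DATE_FORMATS = ("%d/%m/%Y", "%Y-%m-%d")

# Constructed event-log rows, as the right pane would show them.
SAMPLE_ROWS = [
    {"date": "09/10/2006", "source": "McAfee Framework Service", "event_id": "1000"},
    {"date": "20/10/2006", "source": "Service Control Manager",  "event_id": "7031"},
    {"date": "21/10/2006", "source": "McAfee McShield",          "event_id": "5000"},
    {"date": "01/11/2006", "source": "Windows Update Agent",     "event_id": "20"},
]


def parse_filter(text: str):
    """Split ">=20/10/2006" into (">=", "20/10/2006"); a bare value has operator None."""
    m = _OP_RE.match(text.strip())
    return m.group(1), m.group(2).strip()


def coerce(value: str, data_type: str, ignore_case: bool):
    """Convert a cell or filter value to the type chosen under Filter Data As."""
    if data_type == "number":
        return float(value)
    if data_type == "date":
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(value.strip(), fmt)
            except ValueError:
                continue
        raise ValueError(f"not a date: {value!r}")
    return value.lower() if ignore_case else value  # string


def make_filter(text: str, data_type: str = "string",
                ignore_case: bool = True) -> Callable[[str], bool]:
    """Build a predicate for one column. For strings, a bare value means
    'contains' and '!' means 'does not contain'; every other case compares
    the coerced cell against the coerced filter value."""
    op, raw = parse_filter(text)
    if data_type == "string" and op in (None, "!"):
        needle = coerce(raw, "string", ignore_case)
        def contains(cell: str) -> bool:
            found = needle in coerce(str(cell), "string", ignore_case)
            return not found if op == "!" else found
        return contains
    target = coerce(raw, data_type, ignore_case)  # raises if the filter itself is malformed
    compare = OPERATORS[op or "="]
    def pred(cell: str) -> bool:
        try:
            return compare(coerce(str(cell), data_type, ignore_case), target)
        except ValueError:
            return False  # a cell that is not a valid number/date never matches
    return pred


def filter_rows(rows: List[dict], column: str, text: str,
                data_type: str = "string", ignore_case: bool = True) -> List[dict]:
    """Keep the rows whose `column` satisfies the filter text."""
    pred = make_filter(text, data_type, ignore_case)
    return [row for row in rows if pred(row[column])]


if __name__ == "__main__":
    for row in filter_rows(SAMPLE_ROWS, "date", ">=20/10/2006", "date"):
        print(row)
```

Coercing the cell to the selected type before comparing is what makes ">=20/10/2006" behave as a date comparison rather than a string comparison: as strings, "09/10/2006" would sort before "20/10/2006" only by accident of the leading digit, while "01/11/2006" would be excluded even though November follows October.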

Find and Filter Text

The Find and Filter Text option allows you to search and filter data in the MER Analyzer supported files. It also allows you to create and delete custom filters.

To find and filter data in the log files:

1   Click Find Filter Text on the right pane of the user interface. The Find Filter Text dialog box appears.

2   Type the data, then click Search or Filter as required.

To save a filter, configure the filter options as required, then click Save Filter.

To delete a filter, click Delete Filter.

Searching online knowledge databases

MER Analyzer uses these online knowledge databases to search for terms in the files.

    •   http://kb.mcafee.com

    •   http://www.processlibrary.com

    •   http://eventid.net


    •   http://www.goggle.com

    •   https://bugzilla.corp.nai.org

To search for a term in an online database, right-click a value, then select Select Cell. Right-click the selected value, then select the required database.

Updating MER Analyzer

MER Analyzer updates automatically on startup. It also checks for updates regularly (hourly by default) while MER Analyzer is running.

To update MER Analyzer manually, click Help | Check for updates.


    Using MER Analyzer

    This chapter provides information on the following topics:

    Working with Network Security Platform encrypted files (.enc)

    Working with EWS files

    Using Rule Builder

Working with Network Security Platform encrypted files (.enc)

    The MER Analyzer Log Wizard parses the following Network Security Platform log files:

    • Ems.log

    • EMSout.log

    • Sensor.log

    • Sensor.dbg

    • Encrypted .enc files

    • aid_*.log

    NOTE: Sensor.log,  aid_*.log, and Sensor.dbg  files are included in the  .enc  files.


Filtering files based on log error category

Errors are categorized as Error, Audit, or Info. You can filter the log file details displayed in columns based on log error category, including:

• All

    • Error

    • Info

    • Audit

To filter log details, select the log error category from the Select Category to Display drop-down menu.

Exporting decrypted .enc files

Log Wizard has the ability to export decrypted trace files.

To export the decrypted .enc file, right-click Log Wizard in the MER Explorer, then select Export All. Specify the required location, then click OK.

Adding new product categories to the Network Security Platform online error code database

Use this task to add new product categories to the Network Security Platform online error code database.


    Task 

    1   Log in to the WebMER at: http://mer.mcafee.com/techsupport/.

2   Click Log Wizard | LogWizard New Category.

3   The ProductName is Network Security Platform by default. Type the new category name, then click Add.

    Editing errors

You can also edit the details of specific errors from LogWizard in WebMER.

    Task 

    1   Log in to the WebMER at: http://mer.mcafee.com/techsupport/.

2   Click Log Wizard, then click the required code to edit. The LogWizard Item page appears with the code details.

3   Edit the code as required, then click Update.

    Deleting errors

Use this task to delete errors from LogWizard in WebMER.

    Task 

    1   Log in to the WebMER at: http://mer.mcafee.com/techsupport/.

2   Click Log Wizard, then click Delete on the required code row and confirm the deletion.

Adding new Error codes to the Network Security Platform online database

Use this task to add new Error codes to the Network Security Platform online database.

    Task 

1   Log in to the WebMER at: http://mer.mcafee.com/techsupport/.

2   Click Log Wizard | LogWizard New Item.

3   Configure the error code details as required, then click Add.

Working with EWS files

MER Analyzer supports EWS archive files (.zip). It extracts the errors and real-time log properties from the archive file. It also supports a dictionary that is used as a database of pre-configured errors while detecting errors in the archive file.

    Configuring Real-Time Logs settings

    Use this task to configure real-time properties chart settings.


    Task 

    1   Start MER Analyzer, then open the EWS archive file (.zip).

2   On the General tab, click Real-Time Logs. The Real-Time Properties Chart window appears in the right pane.

3   Click Properties. The Property Selection dialog box appears.

4   Select the required real-time property(s), then click Add Selected Item(s) | Done.

5   Select the Date Range for which you want to generate the real-time properties chart, then click Start to view the real-time properties chart.

    Configuring Error Detection settings

    Use this task to configure error detection settings.

    Task 

    1   Start MER Analyzer, then open the EWS archive file (.zip).

2   On the General tab, click Error Detection. The Error Detection Settings window appears in the right pane.

3   Select the date range for which you want to generate the error detection result.

4   Click Edit. The Select Terms dialog box appears.

5   Add the term(s), then click Done.

6   Select the log file category and click .

7   Click Start to view the error detection result.

EWS Dictionary Manager

MER Analyzer supports the EWS Dictionary Manager, which is used as a database of pre-configured errors while detecting errors in the archive file.

To add error logs to the dictionary:

1   Click Edit | Preferences | EWS Dictionary. The Dictionary Manager appears.

2   Click Add Item, then configure the necessary details.

3   Click OK.

To delete an error log from the dictionary, select the error message, then click Delete Item and confirm the deletion.

Using Rule Builder

To launch Rule Builder, click Tools | Rule Building and Catalog.... You can create a new rule, open an existing rule, and administrators can approve uploaded rule files.

McAfee Customer Support users should add their WebMER credentials in Edit | Preferences | WebMER login details to:

    • Mark rules for an internal McAfee audience only

    • Upload rules for sharing


7   On the Rule tab the rules are grouped in categories. Right-click the product name, then select Create Category. The New Category window appears.

8   Type a category name, then click Add Category. The category appears in the Rule tab.

9   To add rules to the category, right-click the category, then select Create Rule. The Rule Builder window appears.

10   Type a name for the rule and the other rule information, then click Add Rule. The Rule Builder — Add Criteria dialog box appears.

11   To add criteria to the rule, select a criterion from the list, then click the logical operation in the Expression Builder. The list of logical criteria for the rule appears in the Expression Builder.

12   Click Add Criteria to add the new rule. The new rule now appears on the Rule tab of the Rule view.

    Creating a new component entry

MER Analyzer supports six types of components: Registry, File, Event, Process, Service, and Driver. Use this task to create a new component entry.

    Task 

1   In the Components tab of the Rule view, right-click a component type, then select Create Entry. The new entry window appears.

2   Type the Operation details and other required component details, then click Create.

    Importing existing component entry

MER Analyzer supports six types of components: Registry, File, Event, Process, Service, and Driver. You can import these component entries from the local machine, an existing rule file, or a .TGZ file.

    Use this task to import an existing component entry.

    Task 

1   To import component entries from the local machine, right-click a component type, then select Machine.

• When importing component entries for a file from the local machine, browse for the file in the Select the File Options window, then add the text you want to search the file for.

NOTE: You can also select text and right-click to add it as a search criterion.

• When importing component entries for an event from the local machine, select the Windows Event to add as a criterion, then select the description text to search for.

2   To import component entries from an existing rule file, right-click a component type, then select Rule File. The Rule Builder appears.

a   Select the Product name and Product version, then click Next. The list of component entries appears.

b   Select the components from the list, then click Add. The component entries appear on the Components tab of the Rule view.

3   To import component entries from a .TGZ file, right-click a component type, then select MER file.


a   Browse for a .TGZ file on the local machine.

b   Select the component entries, then click Add.

    Editing a rule

Once a rule has been created it is added to the Rule view. The rule can be edited using the Basic tab. Use this task to edit an existing rule.

    Task 

    1   Click Tools | Rule building and Catalog. The Rule Builder and Catalog wizard appears.

2   Select Open rule file, then click Next.

3   Select a Product Name and a Product Version, then click Next. The rule for the selected product and version appears on the Rule view.

NOTE: The Product Name and Product Version fields contain all versions of all McAfee products for which rules have not previously been created.

4   On the Basic tab, edit the required details, then click Save All.

NOTE: A more detailed explanation is available in the Detail tab.

    Uploading and sharing product rules

Uploader privileges are required to upload a rule. Contact DL Supportability MER if you require Uploader rights. Use this task to upload and share product rules.

    Task 

    1   Open the rule file you want to upload.

2   Click Upload. The User Credentials window appears.

3   Type the email address and WebMER password, then click Login. Once the user is authenticated with the server, the Rule Upload window appears.

4   Select the rules to upload, then click Upload Rules. Before the rules are available to other MER Analyzer users, the uploaded rules must be approved by the administrator.

Approving uploaded rules

Administrator privileges are required to approve an uploaded rule. Contact DL Supportability MER if you require Rule Administrator rights.

    Rules uploaded by administrators are automatically approved and shared with other users.

Use this task to approve or reject uploaded rules.

    Task 

    1   Click Tools | Rule building and Catalog. The Rule Builder and Catalog wizard appears.

2   Select Approve Rules, then click Next. The User Credentials window appears.

3   Type in the email address and WebMER administrator password, then click Login. The Requests submitted for review window appears.


4   In the Approve/Reject column, select Approved or Rejected, then click Submit. The approved rules are now available to other MER Analyzer users.

Using Rule Analyzer

To put the rules into operation, the user needs to run the Rule Analyzer engine. To open the Rule Analyzer, click Rule Analysis in the MER Analyzer tree.

The Analyzer Task bar provides the following options:

    •   Analyze — Use this to run the Rule engine

    •   Analyze Options — Use this to refine the rules

    •   View report — Use this to select error only or the full report

    •   Save — Use this to save the report in a .htm format.
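To show how a rule assembled in Rule Builder (criteria on component entries, joined by a logical operation) is applied by the Rule engine and reported by Rule Analyzer, here is an added example written for this guide; it is not McAfee's implementation, and the snapshot layout, the criterion operations and the rule names are assumptions.

```python
from dataclasses import dataclass

# Constructed MER snapshot: component type -> entry name -> attributes. The shape is
# an assumption for this example, not the layout of a real MER .TGZ.
SNAPSHOT = {
    "Service": {"McShield": {"state": "Running"}, "mfevtp": {"state": "Stopped"}},
    "Process": {"mcshield.exe": {"running": True}},
    "File": {r"C:\logs\scan.log": {"text": "Engine loaded\nError: DAT out of date"}},
    "Event": {"7036": {"description": "The mfevtp service entered the stopped state."}},
}
@dataclass
class Criterion:
    """One criterion: the component entry to inspect and the comparison to apply."""
    component: str   # Registry, File, Event, Process, Service or Driver
    entry: str
    attribute: str
    op: str          # "equals" or "contains" (assumed operation names)
    expected: object

    def check(self, snapshot) -> bool:
        value = snapshot.get(self.component, {}).get(self.entry, {}).get(self.attribute)
        if self.op == "equals":
            return value == self.expected
        if self.op == "contains":
            return value is not None and self.expected in value
        raise ValueError(f"unknown operation: {self.op}")

@dataclass
class Rule:
    """Criteria joined by one logical operation (AND / OR), as in the Expression Builder."""
    name: str
    criteria: list
    logic: str = "AND"

    def fires(self, snapshot) -> bool:
        hits = [c.check(snapshot) for c in self.criteria]   # True = problem present
        return all(hits) if self.logic == "AND" else any(hits)

RULES = [  # constructed rules; names and criteria are illustrative
    Rule("McShield not running", [Criterion("Service", "McShield", "state", "equals", "Stopped"),
                                  Criterion("Process", "mcshield.exe", "running", "equals", False)], "OR"),
    Rule("DAT out of date", [Criterion("File", r"C:\logs\scan.log", "text", "contains", "DAT out of date")]),
    Rule("mfevtp stopped", [Criterion("Service", "mfevtp", "state", "equals", "Stopped"),
                            Criterion("Event", "7036", "description", "contains", "stopped state")]),
]

def analyze(rules, snapshot, errors_only=False):
    """Run every rule; errors_only keeps the rules that fired, like 'View report' in the guide."""
    report = [(r.name, r.fires(snapshot)) for r in rules]
    return [row for row in report if row[1]] if errors_only else report
```

With the constructed snapshot, the full report lists all three rules and the error-only report keeps the two that fired.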


    Index

C

cancelling parsing 10

L

loading file 10

M

MER Analyzer

loading file 10
