Forum Discussion

RyanLindsay's avatar
RyanLindsay
Copper Contributor
Aug 26, 2024

mdatp configuration and errors on RHEL 8

Hi

I've installed mdatp 101.24062.0001 on a couple of our servers to see how well it works with the applications. 

I've followed the instructions for installation and it's registered in the defender portal. So it's seems to scan and communicate with the portal. As far as that goes, it's working.

I have been looking at the log files however. 

I get this error repeated constantly

[error]: Could not connect to audisp plugin. Trying again.
[1257445][140468005836544][2024-08-26 01:32:14.404491 UTC][error]: {"code":{"category":"generic","value":111,"message":"Connection refused"},"call_stack":{"frames":[{"file":"socket.cpp","line":234}]},"context":["Error connecting to server socket"]}
[1257445][140468005836544][2024-08-26 01:32:14.404499 UTC][error]: {"code":{"category":"generic","value":107,"message":"Transport endpoint is not connected"},"call_stack":{"frames":[{"file":"auditd_connector.cpp","line":216}]},"context":[]}
[1257445][140468005836544][2024-08-26 01:32:14.404506 UTC][warning]: Operation failed, retrying in 10000 ms...

Now, a couple of points here. Looks like it's trying to connect to audisp daemon. My understanding was that auditd and audisp was deprecated in RHEL 8. 

Audit 3.0 replaces audispd with auditd in RHEL 8 - Red Hat Customer Portal

So, why's it trying to connect to it? Why isn't it being a bit more vocal about something being not working

Also, the default is to have eBPF enabled on this version of the client. I thought the whole point of that was to bypass the need for contacting the audit daemon. 

I also then get a bunch of 

[error]: File descriptor is empty, kauth.action: 2097152 request.type: 2

Which, yeah, informative. About as useful as a chocolate fire guard. 

 

Some other questions. 

How do you create a policy for the client to act on. For example, how do I define a policy for quarantine. Is it supposed to magically get one from the central defender server? In which case i'm assuming the one defined for our windows hosts will be fairly useless. 

Can you create a local one. Looks like you can create various .json files to configure it locally ?

 

I am using this on a email server to scan incoming and outgoing mail. I've set it to realtime protection mode for that. Is that a valid config in that environment?

 

  • gargank1895's avatar
    gargank1895
    Icon for Microsoft rankMicrosoft
    Aug 27, 2024
    Messages that you are observing related to audis plugin are benign, please ignore, we will clean this up in next upcoming releases.