linux-support-rhel.md
---
title: Troubleshoot issues for Microsoft Defender for Endpoint on Linux RHEL6
description: Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux
search.appverid: met150
ms.service: defender-endpoint
ms.author: dansimp
author: dansimp
ms.reviewer: gopkr
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security
- tier3
- mde-linux
ms.topic: conceptual
ms.subservice: linux
ms.date: 05/01/2024
---

# Troubleshoot issues for Microsoft Defender for Endpoint on Linux RHEL6

[!INCLUDE Microsoft Defender XDR rebranding]

**Applies to:**

[!INCLUDE Prerelease information]

Want to experience Defender for Endpoint? Sign up for a free trial.

This article provides guidance on how to troubleshoot issues you might encounter with Microsoft Defender for Endpoint on Linux on Red Hat Enterprise Linux 6 (RHEL 6) or higher.

After the package (`mdatp_XXX.XX.XX.XX.x86_64.rpm`) is installed, take the following actions to verify that the installation was successful.

## Check the service health

Use the following command to check the service health:

```bash
mdatp health
```

## Verify that the service is running

Use the following command to verify that the service is running:

```bash
service mdatp status
```

Expected output: `mdatp start/running, process 4517`

## Verify the distribution and kernel version

The distribution and kernel versions should be on the supported list.

Use the following command to get the distribution version:

```bash
cat /etc/redhat-release
```

On systems that do not have `/etc/redhat-release`, read `/etc/system-release` instead.

Use the following command to get the kernel version:

```bash
uname -r
```

## Check if the mdatp audisp process is running

The expected output is that the process is running.

Use the following command to check:

```bash
pidof mdatp_audisp_plugin
```

## Check TALPA modules

There should be nine modules loaded.

Use the following command to check:

```bash
lsmod | grep talpa
```

Expected output (all nine modules enabled):

```
talpa_pedconnector       878  0
talpa_pedevice          5189  2 talpa_pedconnector
talpa_vfshook          32300  1
talpa_vcdevice          4947  1
talpa_syscall           9127  0
talpa_core             90699  4 talpa_vfshook,talpa_vcdevice,talpa_syscall
talpa_linux            29424  5 talpa_vfshook,talpa_vcdevice,talpa_syscall,talpa_core
talpa_syscallhookprobe   882  0
talpa_syscallhook      14987  2 talpa_vfshook,talpa_syscallhookprobe
```

Use the following command to count the loaded modules:

```bash
lsmod | grep talpa | wc -l
```

Expected output: `9`
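The following shell script is an added example, not part of the original article or of the Defender for Endpoint package: it turns the TALPA check above into a diagnostic that names whichever of the nine expected modules is missing, rather than only counting lines. It parses `lsmod`-formatted text, so it runs against a constructed sample (embedded, with `talpa_core` removed) by default and against the live kernel with `--live`; the function names and the sample are my own.

```bash
#!/bin/bash
# Added example: name the TALPA modules that are missing instead of only counting them.
# The expected names are the nine modules from the article's lsmod output above.
TALPA_EXPECTED="talpa_pedconnector talpa_pedevice talpa_vfshook talpa_vcdevice \
talpa_syscall talpa_core talpa_linux talpa_syscallhookprobe talpa_syscallhook"

# Names of loaded talpa_* modules from lsmod-formatted text on stdin. Matching the
# first column only avoids counting a name that merely appears in a "Used by" column.
loaded_talpa_modules() { awk '$1 ~ /^talpa_/ { print $1 }'; }

# The article's `lsmod | grep talpa | wc -l` count, applied to stdin text.
count_talpa_modules() { loaded_talpa_modules | wc -l | tr -d ' '; }

# Print each expected module that is not loaded; return 0 only when all nine are present.
missing_talpa_modules() {
    local loaded missing="" m
    loaded=$(loaded_talpa_modules)
    for m in $TALPA_EXPECTED; do
        # whole-line match, so talpa_syscall does not satisfy talpa_syscallhook
        printf '%s\n' "$loaded" | grep -qx "$m" || missing="$missing $m"
    done
    [ -n "$missing" ] && printf '%s\n' $missing   # word splitting intended
    [ -z "$missing" ]
}

# Constructed sample lsmod output with talpa_core deliberately absent.
SAMPLE_LSMOD='Module                  Size  Used by
talpa_pedconnector       878  0
talpa_pedevice          5189  2 talpa_pedconnector
talpa_vfshook          32300  1
talpa_vcdevice          4947  1
talpa_syscall           9127  0
talpa_linux            29424  5 talpa_vfshook,talpa_vcdevice,talpa_syscall,talpa_core
talpa_syscallhookprobe   882  0
talpa_syscallhook      14987  2 talpa_vfshook,talpa_syscallhookprobe'

# Report on the sample by default, or on the real kernel with --live.
report_talpa() {
    local src
    if [ "$1" = "--live" ]; then src=$(lsmod); else src=$SAMPLE_LSMOD; fi
    echo "loaded talpa modules: $(printf '%s\n' "$src" | count_talpa_modules) (expected 9)"
    if printf '%s\n' "$src" | missing_talpa_modules; then
        echo "all nine TALPA modules are loaded"
    else
        echo "the modules above are missing: check the kernel version against the supported list"
    fi
}
report_talpa "$@"
```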

## Check TALPA status

```bash
cat /proc/sys/talpa/interceptors/VFSHookInterceptor/status
```

## Debug log files (apart from the `mdatp diagnostic create` bundle)

- `/var/log/audit/audit.log`
- `/var/log/messages`
- SELinux file contexts, captured with `semanage fcontext -l > selinux.log`

## Performance and Memory

```bash
top -p <wdavdaemon pid>
pmap -x <wdavdaemon pid>
```

Where `<wdavdaemon pid>` can be found using `pidof wdavdaemon`.

[!INCLUDE Microsoft Defender for Endpoint Tech Community]