---
title: Troubleshoot issues for Microsoft Defender for Endpoint on Linux RHEL6
description: Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux
search.appverid: met150
ms.service: defender-endpoint
ms.author: dansimp
author: dansimp
ms.reviewer: gopkr
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
ms.topic: conceptual
ms.subservice: linux
ms.date: 05/01/2024
---
[!INCLUDE Microsoft Defender XDR rebranding]
**Applies to:**

- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
[!INCLUDE Prerelease information]
Want to experience Defender for Endpoint? Sign up for a free trial.
This article provides guidance on how to troubleshoot issues you might encounter with Microsoft Defender for Linux on Red Hat Linux 6 (RHEL 6) or higher.

## Verify the installation

After the package (mdatp_XXX.XX.XX.XX.x86_64.rpm) is installed, take the following actions to verify that the installation was successful.

### Verify the service health

Use the following command to check the service health:

```bash
mdatp health
```

### Verify the service is running

Use the following command to verify that the service is running:

```bash
service mdatp status
```

Expected output: `mdatp start/running, process 4517`
### Verify the distribution and kernel versions

The distribution and kernel versions should be on the supported list.

Use the following command to get the distribution version:

```bash
cat /etc/redhat-release   # or /etc/system-release
```

Use the following command to get the kernel version:

```bash
uname -r
```
### Verify the audisp plugin is running

Use the following command to check:

```bash
pidof mdatp_audisp_plugin
```

The expected output is a process ID, which shows that the process is running.
### Verify the talpa modules are loaded

There should be nine modules loaded. Use the following command to check:

```bash
lsmod | grep talpa
```

Expected output:

```
talpa_pedconnector 878 0
talpa_pedevice 5189 2 talpa_pedconnector
talpa_vfshook 32300 1
talpa_vcdevice 4947 1
talpa_syscall 9127 0
talpa_core 90699 4 talpa_vfshook,talpa_vcdevice,talpa_syscall
talpa_linux 29424 5 talpa_vfshook,talpa_vcdevice,talpa_syscall,talpa_core
talpa_syscallhookprobe 882 0
talpa_syscallhook 14987 2 talpa_vfshook,talpa_syscallhookprobe
```

To count the loaded modules:

```bash
lsmod | grep talpa | wc -l
```

Expected output: `9`

### Verify the VFS hook interceptor is enabled

```bash
cat /proc/sys/talpa/interceptors/VFSHookInterceptor/status
```

Expected output: `Enabled`
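The verification steps above can be wrapped in one script so a host can be checked repeatedly and the missing module, if any, is named rather than just counted. The following POSIX sh checker is an added example and not part of the Microsoft article; the function names, the constructed `SAMPLE_LSMOD` text and the PASS/FAIL wording are my own, while the nine module names and the `Enabled` status value are taken from the expected output on this page.

```shell
#!/bin/sh
# Added example (not from the Microsoft article). Each check parses command
# output passed in as an argument so it can be tested against captured text;
# run_live() feeds it the real commands from the verification steps above.

TALPA_EXPECTED="talpa_pedconnector talpa_pedevice talpa_vfshook talpa_vcdevice
talpa_syscall talpa_core talpa_linux talpa_syscallhookprobe talpa_syscallhook"

# Constructed sample of lsmod output on a healthy host (mirrors the page).
SAMPLE_LSMOD='Module                  Size  Used by
talpa_pedconnector 878 0
talpa_pedevice 5189 2 talpa_pedconnector
talpa_vfshook 32300 1
talpa_vcdevice 4947 1
talpa_syscall 9127 0
talpa_core 90699 4 talpa_vfshook,talpa_vcdevice,talpa_syscall
talpa_linux 29424 5 talpa_vfshook,talpa_vcdevice,talpa_syscall,talpa_core
talpa_syscallhookprobe 882 0
talpa_syscallhook 14987 2 talpa_vfshook,talpa_syscallhookprobe
ext4 374000 2'

# count_talpa LSMOD_OUTPUT: prints how many talpa_* modules are loaded (want 9).
count_talpa() {
    printf '%s\n' "$1" | awk '$1 ~ /^talpa_/ { n++ } END { print n + 0 }'
}

# missing_talpa LSMOD_OUTPUT: prints each expected module that is not loaded.
missing_talpa() {
    for m in $TALPA_EXPECTED; do
        printf '%s\n' "$1" | awk -v m="$m" '$1 == m { f = 1 } END { exit !f }' \
            || echo "$m"
    done
}

# interceptor_enabled STATUS_TEXT: 0 if the VFSHookInterceptor status is Enabled.
interceptor_enabled() { [ "$1" = "Enabled" ]; }

# run_live: evaluate the real host and print a FAIL line for each failed check.
run_live() {
    [ -n "$(pidof mdatp_audisp_plugin 2>/dev/null || true)" ] || echo "FAIL audisp plugin not running"
    mods=$(lsmod 2>/dev/null || true)
    [ "$(count_talpa "$mods")" -eq 9 ] || echo "FAIL talpa modules missing: $(missing_talpa "$mods" | tr '\n' ' ')"
    interceptor_enabled "$(cat /proc/sys/talpa/interceptors/VFSHookInterceptor/status 2>/dev/null || true)" || echo "FAIL VFSHookInterceptor not Enabled"
}

if [ "${1:-}" = "--live" ]; then run_live
else echo "talpa modules in sample: $(count_talpa "$SAMPLE_LSMOD")"; fi
```

Run with `--live` on the RHEL 6 host as root to check the real system; without arguments it only exercises the parser on the constructed sample.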
## Debug log files (apart from the `mdatp diagnostic create` bundle)

- `/var/log/audit/audit.log`
- `/var/log/messages`
- SELinux file contexts, exported with:

```bash
semanage fcontext -l > selinux.log
```
## Performance and memory

```bash
top -p <wdavdaemon pid>
pmap -x <wdavdaemon pid>
```

where `<wdavdaemon pid>` can be found using `pidof wdavdaemon`.