---
title: Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux
description: Troubleshoot missing events or alerts issues in Microsoft Defender for Endpoint on Linux.
ms.service: defender-endpoint
ms.author: painbar
author: paulinbar
ms.reviewer: gopkr
ms.localizationpriority: medium
manager: bagol
audience: ITPro
ms.collection:
- m365-security
- tier3
- mde-linux
ms.custom: admindeeplinkDEFENDER
ms.topic: troubleshooting-general
ms.subservice: linux
search.appverid: met150
ms.date: 10/11/2024
appliesto:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
---
This article provides some general steps to mitigate missing events or alerts in the Microsoft Defender portal.

Once Microsoft Defender for Endpoint has been installed properly on a device, a device page is generated in the portal. You can review all recorded events in the **Timeline** tab of the device page, or in the advanced hunting page. This section troubleshoots the case where some or all expected events are missing, for instance when all `CreatedFile` events are missing.
Microsoft Defender for Endpoint uses the Linux audit framework (`auditd`) to track network and login activity.

- Make sure the audit framework is working:

  ```bash
  service auditd status
  ```

  Expected output:

  ```output
  ● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
    Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
   Main PID: 16666 (auditd)
      Tasks: 25
     CGroup: /system.slice/auditd.service
             ├─16666 /sbin/auditd
             ├─16668 /sbin/audispd
             ├─16670 /usr/sbin/sedispatch
             └─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d
  ```

  The last line of the `CGroup` section shows the Defender for Endpoint audit dispatcher plugin (`mdatp_audisp_plugin`) running under `audispd`; that is the component that receives audit events for the product.

- If `auditd` is marked as stopped, start it:

  ```bash
  service auditd start
  ```
On SLES systems, SYSCALL auditing in `auditd` might be disabled by default, which can account for missing events.
- To validate that SYSCALL auditing is not disabled, list the current audit rules:

  ```bash
  sudo auditctl -l
  ```

  If the following line is present, remove it, or edit it so that Microsoft Defender for Endpoint can track the specific SYSCALLs it needs:

  ```output
  -a task,never
  ```

  Audit rules are located at `/etc/audit/rules.d/audit.rules`.
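As an added example (not part of the Microsoft article), the following POSIX shell script combines the two audit checks above into a repeatable health check: is `auditd` running, and is the `-a task,never` rule suppressing SYSCALL auditing. It runs on constructed sample output so it can be tested offline; the comments show how to feed it the live `service auditd status` and `auditctl -l` output, and the sample `-w /etc/passwd` rule is a placeholder, not a Defender rule.

```shell
#!/bin/sh
# Added example, not from the Microsoft page: a script that performs the two
# auditd checks described above. It runs here on constructed sample text so it
# works offline; on a real host, feed the live command output instead:
#   service auditd status | auditd_is_running
#   sudo auditctl -l      | has_task_never_rule

# Return 0 if the "service auditd status" text on stdin reports a running unit.
auditd_is_running() {
    grep -q 'Active: active (running)'
}

# Return 0 if the "auditctl -l" output on stdin contains the "-a task,never"
# rule, which suppresses SYSCALL auditing (tolerates extra whitespace).
has_task_never_rule() {
    grep -Eq '^[[:space:]]*-a[[:space:]]+task,[[:space:]]*never([[:space:]]|$)'
}

# Constructed samples, abridged from the expected output shown above.
# The "-w /etc/passwd" rule is a placeholder, not a Defender for Endpoint rule.
SAMPLE_STATUS_RUNNING='auditd.service - Security Auditing Service
   Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago'
SAMPLE_STATUS_STOPPED='auditd.service - Security Auditing Service
   Active: inactive (dead)'
SAMPLE_RULES_SUPPRESSED='-a task,never
-w /etc/passwd -p wa -k identity'
SAMPLE_RULES_OK='-w /etc/passwd -p wa -k identity'

# Evaluate both checks on the given status text ($1) and rules text ($2).
# Exit status: 0 = healthy, 1 = at least one condition needs attention.
check_audit_health() {
    rc=0
    if printf '%s\n' "$1" | auditd_is_running; then
        echo "auditd: running"
    else
        echo "auditd: NOT running - start it with: service auditd start"
        rc=1
    fi
    if printf '%s\n' "$2" | has_task_never_rule; then
        echo "audit rules: '-a task,never' present - remove it from /etc/audit/rules.d/audit.rules"
        rc=1
    else
        echo "audit rules: SYSCALL auditing is not suppressed"
    fi
    return $rc
}

# Demo run on the unhealthy samples; prints the findings and the exit status.
check_audit_health "$SAMPLE_STATUS_STOPPED" "$SAMPLE_RULES_SUPPRESSED" || echo "exit status: $?"
```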
File events are collected with the fanotify framework. If some or all file events are missing, make sure fanotify is enabled on the device and that the file system is supported.

List the file systems on the machine with:

```bash
df -Th
```