How to debug the Symantec Endpoint Protection Manager
|Article:TECH102413|||||Created: 2007-01-06|||||Updated: 2013-02-26|||||Article URL http://www.symantec.com/docs/TECH102413|
Debug logging must be enabled for the Symantec Endpoint Protection Manager (SEPM) in Symantec Endpoint Protection 11.0 or 12.1.
Advanced logging for the SEPM console can be enabled by following these steps:
- Stop the Symantec Endpoint Protection Manager service
- Open the file C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties and find the line which reads scm.log.loglevel=WARNING and change it to
scm.log.loglevel=FINEST. If this line does not exist, add scm.log.loglevel=FINEST to the bottom of the file.
To debug SEPM notifications, also add: scm.mail.troubleshoot=1
To debug SEPM proxy authentication, also add: scm.proxy.debug=1
NOTE: For additional debug values besides FINEST, please see the Table of SEPM Logging Levels below.
- If IIS logs must be gathered in addition to the SEPM debug logs, then follow the steps below.
Note: IIS logging applies only to SEPM 11.
- If logging was enabled for IIS, restart the IIS Admin service. This step may be skipped on SEPM version 12.1.
- Start the Symantec Endpoint Protection Manager service
- Detailed log files will now be saved in the folder: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\
- Look for errors relating to the problem in the catalina.out and scm-server-0.log files.
Logging for the SEPM console can also be enabled "on-the-fly" via a web browser URL:
- Example, typed into a browser on the SEPM machine: http://localhost:9090/servlet/ConsoleServlet?ActionType=ConfigServer&logLevel=FINEST
Table of SEPM Logging Levels:
|OFF||Turns off logging.|
|SEVERE (default)||SEVERE is a message level indicating a serious failure. In general SEVERE messages should describe events that are of considerable importance and which will prevent normal program execution. They should be reasonably intelligible to end users and to system administrators.|
|WARNING||WARNING is a message level indicating a potential problem. In general WARNING messages should describe events that will be of interest to end users or system managers, or which indicate potential problems.|
|INFO||INFO is a message level for informational messages. Typically INFO messages will be written to the console or its equivalent. So the INFO level should only be used for reasonably significant messages that will make sense to end users and system admins.|
|CONFIG||CONFIG is a message level for static configuration messages. CONFIG messages are intended to provide a variety of static configuration information, to assist in debugging problems that may be associated with particular configurations. For example, CONFIG message might include the CPU type, the graphics depth, the GUI look-and-feel, etc.|
|FINE||FINE is a message level providing tracing information. All of FINE, FINER, and FINEST are intended for relatively detailed tracing. The exact meaning of the three levels will vary between subsystems, but in general, FINEST should be used for the most voluminous detailed output, FINER for somewhat less detailed output, and FINE for the lowest volume (and most important) messages. In general the FINE level should be used for information that will be broadly interesting to developers who do not have a specialized interest in the specific subsystem. FINE messages might include things like minor (recoverable) failures. Issues indicating potential performance problems are also worth logging as FINE.|
|FINER||FINER indicates a fairly detailed tracing message. By default logging calls for entering, returning, or throwing an exception are traced at this level.|
|FINEST||FINEST indicates a highly detailed tracing message.|
|ALL||Enables logging of all messages.|
Other logs of interest on the Symantec Endpoint Protection Manager machine:
- Console logs:
- Logs for Secars/Secreg client communication processes (IIS task with SEP 11.0, Apache task with SEP 12.1):
- %ProgramFiles%\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\ersecreg.log
- %ProgramFiles%\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\exsecars.log
- %windir%\system32\Logfiles\..\x.log (look for secars)
- The logging level of ersecreg.log can be increased by adjusting the registry value below (0 is least detailed, 4 is maximum and recommended for troubleshooting):
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM]
Note: On SEPM 11.x, Changes to Secars/Secreg debugging settings will not take effect until IIS is restarted using the following command-line: "iisreset.exe /restart"
Article URL http://www.symantec.com/docs/TECH102413