How to debug the Symantec Endpoint Protection Manager

Article:TECH102413  |  Created: 2007-01-06  |  Updated: 2014-08-19  |  Article URL http://www.symantec.com/docs/TECH102413
Article Type
Technical Solution


Issue



Debug logging must be enabled for the Symantec Endpoint Protection Manager (SEPM) in Symantec Endpoint Protection 11.0 or 12.1.


Solution



Advanced logging for the SEPM console can be enabled by following these steps:

    1. Stop the Symantec Endpoint Protection Manager service
    2. Open the file C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties, find the line which reads scm.log.loglevel=WARNING and change it to scm.log.loglevel=FINEST. If this line does not exist, add the line to the bottom of the file.

       To enable additional debug output for reports, notifications or proxy authentication, see the optional lines to add at the end of this article.

       Note: For additional debug values besides FINEST, please see the Table of SEPM Logging Levels below.

    3. Start the Symantec Endpoint Protection Manager service
    4. Detailed log files will now be saved in the folder: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\
    5. Look for errors relating to the problem in the catalina.out and scm-server-0.log files.
    6. To collect all SEPM log files in a single zip bundle, run the file collectLog.cmd in the SEPM tools directory.


Logging for the SEPM console can also be enabled "on-the-fly" via a web browser URL:


Table of SEPM Logging Levels:

OFF: Turns off logging.
SEVERE (default): SEVERE is a message level indicating a serious failure. In general, SEVERE messages should describe events that are of considerable importance and which will prevent normal program execution. They should be reasonably intelligible to end users and to system administrators.
WARNING: WARNING is a message level indicating a potential problem. In general, WARNING messages should describe events that will be of interest to end users or system managers, or which indicate potential problems.
INFO: INFO is a message level for informational messages. Typically, INFO messages will be written to the console or its equivalent, so the INFO level should only be used for reasonably significant messages that will make sense to end users and system admins.
CONFIG: CONFIG is a message level for static configuration messages. CONFIG messages are intended to provide a variety of static configuration information, to assist in debugging problems that may be associated with particular configurations. For example, CONFIG messages might include the CPU type, the graphics depth, the GUI look-and-feel, etc.
FINE: FINE is a message level providing tracing information. All of FINE, FINER, and FINEST are intended for relatively detailed tracing. The exact meaning of the three levels will vary between subsystems, but in general, FINEST should be used for the most voluminous detailed output, FINER for somewhat less detailed output, and FINE for the lowest volume (and most important) messages. In general, the FINE level should be used for information that will be broadly interesting to developers who do not have a specialized interest in the specific subsystem. FINE messages might include things like minor (recoverable) failures. Issues indicating potential performance problems are also worth logging as FINE.
FINER: FINER indicates a fairly detailed tracing message. By default, logging calls for entering, returning, or throwing an exception are traced at this level.
FINEST: FINEST indicates a highly detailed tracing message.
ALL: Enables logging of all messages.


Symantec Endpoint Protection Manager Web Server access logs:

  • Version 11.0 (IIS)
    1. If IIS logs must be gathered in addition to the SEPM debug logs, follow the steps below.
    2. Restart the IIS Admin service.
  • Version 12.1 (Apache)
    1. Follow the steps in the article linked below:


Other logs of interest on the Symantec Endpoint Protection Manager machine:

    • Console logs:
        • %temp%\scm-ui.log
        • %temp%\scm-ui.err
    • Logs for Secars/Secreg client communication processes (IIS task with SEP 11.0, Apache task with SEP 12.1):
        • %ProgramFiles%\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\ersecreg.log
        • %ProgramFiles%\Symantec\Symantec Endpoint Protection Manager\data\inbox\log\exsecars.log
        • %windir%\system32\Logfiles\..\x.log (look for secars)

          The logging level of ersecreg.log can be increased by adjusting the registry value below (0 is least detailed, 4 is maximum and recommended for troubleshooting):
          32 bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM]
          64 bit: [HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Symantec\Symantec Endpoint Protection\SEPM]
          "DebugLevel"=dword:00000004

          The maximum size of the ersecreg.log file can be set with the LogMaxDataLen value (the example below sets a maximum file size of 200 MB):
          [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM]
          "LogMaxDataLen"=dword:0c350000


          Optional setting to control the number of log files kept:
          [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM]
          "LogMaxRollingLogFiles"=dword:0000000a

          Note: On SEPM 11.0, changes to Secars/Secreg debugging settings will not take effect until IIS is restarted using the following command line: "iisreset.exe /restart". On SEPM 12.1, restart the "Symantec Endpoint Protection Manager Webserver" (semwebsrv) service.

          The secars log level can also be enabled "on-the-fly" by accessing this URL: http://localhost:8014/secars/secars.dll?action=48&logtype=4
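An added example, not code from the Symantec article, that applies the three Secars/Secreg registry values above, picks the 32-bit or WOW6432Node key as the article describes, and then restarts the web server as the note requires. Set-SepmSecregLogging is a hypothetical helper name; the value names, the 200 MB and 10-file examples and the semwebsrv service name are taken from the article.

```powershell
# Added example (not from the article): raise ersecreg.log verbosity, cap its size
# and the number of rolled files, then restart the web server so it takes effect.
function Set-SepmSecregLogging {
    param(
        [ValidateRange(0, 4)] [int] $DebugLevel = 4,   # 4 = maximum, recommended for troubleshooting
        [int] $MaxLogBytes     = 0x0C350000,            # the article's LogMaxDataLen example (about 200 MB)
        [int] $MaxRollingFiles = 0x0000000A,            # the article's LogMaxRollingLogFiles example (10 files)
        [ValidateSet('11.0', '12.1')] [string] $SepmVersion = '12.1'
    )
    # SEPM is a 32-bit application, so on 64-bit Windows its key sits under WOW6432Node.
    $key = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SEPM'
    } else {
        'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM'
    }
    if (-not (Test-Path -Path $key)) { throw "SEPM registry key not found: $key" }

    # Capture the current values so they can be restored once the log capture is done.
    $before = Get-ItemProperty -Path $key

    $values = @{
        DebugLevel            = $DebugLevel
        LogMaxDataLen         = $MaxLogBytes
        LogMaxRollingLogFiles = $MaxRollingFiles
    }
    foreach ($pair in $values.GetEnumerator()) {
        # -Type DWord matches the dword: entries in the article's .reg snippets.
        Set-ItemProperty -Path $key -Name $pair.Key -Value $pair.Value -Type DWord
    }

    # Per the article's note, the new level is only read after the web server restarts.
    if ($SepmVersion -eq '11.0') {
        & iisreset.exe /restart
    } else {
        Restart-Service -Name semwebsrv
    }
    return $before
}

# Usage: enable maximum Secars/Secreg logging on a 12.1 manager and keep the old values.
$previous = Set-SepmSecregLogging -DebugLevel 4 -SepmVersion '12.1'
```

Run from an elevated PowerShell prompt on the SEPM server; $previous holds the old values for resetting DebugLevel to 0 after the capture.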


Additional conf.properties log settings:

  • scm.log.logcount=5
    • By default two log files of each type are kept; the current ending -0.log, and the previous ending -1.log. The scm.log.logcount setting can increase the number of previous logs kept, which may be useful when trying to capture logs of a rare event.
  • scm.log.logsize=20000000
    • By default each log file is capped at 10 MB, after which the current log is moved to *-1.log and a new empty *-0.log file is started. The scm.log.logsize setting increases the size of each log file. It is specified in bytes, i.e. 20000000 doubles the size to 20 MB.
  • scm.log.troubleshoot=/inbox/agentinfo;/inbox/log/security;/inbox/log/system
    • This setting is used for troubleshooting logs which the SEPM is uploading to the database. Normally, files in the SEPM inbox folders are deleted once successfully uploaded to the database; with the scm.log.troubleshoot setting, log files in any of the folders specified are kept with a .bak extension after being uploaded. Additional folders under /inbox/ can be specified, separated by semicolons. Only use this setting temporarily, and be careful with the amount of disk space consumed.
  • scm.sr.troubleshoot=1
    • Used for troubleshooting scheduled reports - a copy of any scheduled reports that run will be saved in the tomcat\temp folder in .mht format.
  • scm.mail.troubleshoot=1
    • This setting will cause additional email debug output to be saved to the "tomcat/logs/catalina.out" log file.
  • scm.proxy.debug=1
    • Enable additional debug output related to proxy authentications.
  • scm.content.localtroubleshooting=1
    • (12.1 RU5+) Enable additional debug output related to definition delta creation.
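An added example, not code from the Symantec article, that automates steps 1 to 3 of the Solution above together with the additional conf.properties settings in this list: each key is replaced if its line exists or appended at the bottom of the file if it does not, a backup copy is kept, and the manager service is stopped before the edit and started afterwards. It assumes the default install path from the article, locates the service by the display name the article uses, and Set-SepmConfProperty is a hypothetical helper name.

```powershell
# Added example (not from the article): set conf.properties keys and restart the
# Symantec Endpoint Protection Manager service so the new log level is picked up.
$ConfPath = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties'
$ServiceDisplayName = 'Symantec Endpoint Protection Manager'

function Set-SepmConfProperty {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Settings   # e.g. @{ 'scm.log.loglevel' = 'FINEST' }
    )
    # Keep a timestamped copy so the original level (WARNING) can be restored later.
    Copy-Item -Path $Path -Destination ('{0}.{1:yyyyMMdd-HHmmss}.bak' -f $Path, (Get-Date))

    # Java .properties files are ISO-8859-1; read and write them with that encoding.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $lines  = [System.IO.File]::ReadAllLines($Path, $latin1)
    foreach ($key in $Settings.Keys) {
        $pattern = '^\s*' + [regex]::Escape($key) + '\s*='
        $newLine = '{0}={1}' -f $key, $Settings[$key]
        if ($lines -match $pattern) {
            # Step 2: the line exists (e.g. scm.log.loglevel=WARNING), so change it in place.
            $lines = @($lines | ForEach-Object { if ($_ -match $pattern) { $newLine } else { $_ } })
        } else {
            # Step 2: the line does not exist, so add it to the bottom of the file.
            $lines = @($lines) + $newLine
        }
    }
    [System.IO.File]::WriteAllLines($Path, [string[]]$lines, $latin1)
}

# Step 1: stop the manager service before editing the file.
Get-Service -DisplayName $ServiceDisplayName | Stop-Service
# Step 2: FINEST console logging plus two of the optional settings listed above.
Set-SepmConfProperty -Path $ConfPath -Settings @{
    'scm.log.loglevel'    = 'FINEST'
    'scm.log.logcount'    = '5'
    'scm.sr.troubleshoot' = '1'
}
# Step 3: start the service again; detailed logs now appear under tomcat\logs\.
Get-Service -DisplayName $ServiceDisplayName | Start-Service
```

Run from an elevated prompt; once the problem is captured, restore the .bak copy (or set scm.log.loglevel back to WARNING) and restart the service again, since FINEST output fills the 10 MB logs quickly.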





Legacy ID



2007090612034148