How to enable extended debugging on a Critical System Protection (SCSP) agent for troubleshooting purposes
Article: TECH113825 | Created: 2007-01-22 | Updated: 2011-10-13 | Article URL: http://www.symantec.com/docs/TECH113825
The logs for the issue being experienced do not contain enough information, or are not extensive enough, to find the root cause, and you want to enable debugging in the SCSP agent to see more information for the IPS and/or IDS modules.
Depending on the situation, you may need more extensive IDS and/or IPS logging.
In either or both cases, the first step is to stop the SCSP agent services on the machine so that you can make the necessary changes.
To enable IDS debugging:
Locate the file called scspagent/IDS/system/LocalAgent.ini and open it with a text editor:
C:\Program Files\Symantec\Critical System Protection\Agent\IDS\system\LocalAgent.ini
Enable the additional logging in the "Log Debugs" section of the file by removing the "#" from the start of the line and changing the value at the end of the line from "=0" to "=1". Depending on your needs, you may enable only the lines that you are concerned with.
For example, to enable full IDS debugging, the "Log Debugs" section would be the following:
Event Log Collector=1
Process Event Module=1
Policy Config Module=1
C2 Log Collector=1
IPS Driver Collector=1
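The edit described above can be scripted so that it is repeatable and reversible. The following is an added example, not Symantec's tooling: it assumes the section is introduced by a "[Log Debugs]" header line and that the file is UTF-8 text, and the function names and sample file content are constructed for illustration. Run it only while the agent services are stopped.

```python
import re
import shutil

# The five entries the article lists for full IDS debugging.
IDS_DEBUG_KEYS = ("Event Log Collector", "Process Event Module",
                  "Policy Config Module", "C2 Log Collector",
                  "IPS Driver Collector")

# An optionally commented on/off entry, e.g. "#C2 Log Collector=0".
_ENTRY = re.compile(r"^(\s*)#?\s*([^=#\[\]]+?)\s*=\s*[01]\s*$")

# Constructed sample: the "[...]" header syntax and the "Example" and
# "Other" sections are assumptions, not copied from a real LocalAgent.ini.
SAMPLE = """\
[Example]
Example Setting=5
[Log Debugs]
#Event Log Collector=0
#Process Event Module=0
#Policy Config Module=0
#C2 Log Collector=0
#IPS Driver Collector=0
[Other]
#C2 Log Collector=0
"""

def set_log_debugs(text, enable=True, only=IDS_DEBUG_KEYS, section="Log Debugs"):
    """Switch the named entries on ("Name=1") or back off ("#Name=0"),
    touching only lines inside the given section."""
    out, in_section = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1].strip().lower() == section.lower()
        elif in_section:
            m = _ENTRY.match(line)
            if m and m.group(2) in only:
                state = "{}=1" if enable else "#{}=0"
                line = m.group(1) + state.format(m.group(2))
        out.append(line)
    return "\n".join(out) + "\n"

def apply_to_file(path, **kwargs):
    """Back up path to path + '.bak', then rewrite it in place."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        updated = set_log_debugs(fh.read(), **kwargs)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
```

Calling `apply_to_file(path)` enables all five entries, and `apply_to_file(path, enable=False)` restores the commented "=0" form when troubleshooting is finished.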
To enable IPS debugging:
IPS debugging is set by using the sisipsconfig utility.
The agent config tool is located in the following directories on an agent:
On Windows, sisipsconfig.exe is located in the agent\ips\bin directory.
On UNIX-based operating systems, the sisipsconfig tool is named sisipsconfig.sh. It is located in the agent/ips directory.
Once you have located the proper path, enable the additional debugging by executing sisipsconfig with the "-trace" switch:
Windows: sisipsconfig.exe -trace
Unix: sisipsconfig.sh -trace
Once you have enabled the desired debugging, start the SCSP agent services so that they use the new settings.
When you are done, remember to reverse this process to prevent excessive logging and disk space issues caused by the extended logging. However, in most cases customers have run this consistently for months with no issues; the impact depends on the resources at play in your environment.
If you are either working with support or proactively gathering data to open a case, you will want to reproduce the issue up to three times on interactive processes, if possible, to create a pattern. In some cases, such as services, you will need to run until the issue presents itself.
Once the issue has been logged, gather the data with a getagent report. Below is a Knowledge Base article showing multiple methods to gather the data:
How to collect information from Symantec Critical System Protection (SCSP) Agents.
Article URL http://www.symantec.com/docs/TECH116519