How to use the advanced debug logging options for the Symantec Endpoint Protection client in SymHelp

Article:TECH207795  |  Created: 2013-06-27  |  Updated: 2013-12-02  |  Article URL http://www.symantec.com/docs/TECH207795
Article Type
Technical Solution

Product(s)

Issue



It is necessary to collect more detailed information from a SEP client.


Environment



Windows OS


Solution



This document describes the Symantec Help (SymHelp) tool’s advanced debug logging settings for Symantec Endpoint Protection. The following three steps will help ensure sufficient, timely, and accurate logs are collected.

  1. Configure and enable debug logs.
    Set log levels and max log file sizes. In most cases use the default settings.
  2. Generate log data.
    Reproduce the issue and allow the log files to populate.
  3. Collect the logs.
    SymHelp puts the populated logs into an .sdbz file for upload to Symantec. 

Allow sufficient time to generate log data after reproducing the issue.
Capturing good data the first time will reduce the need to go back for more. If an issue is easily reproduced, it may not take long to generate logs. An intermittent problem may take more time. For best results and fastest case resolution, make a list of the steps taken to reproduce the issue. These can be added under “Issue” on the customer information page of SymHelp.

Note: The following document explains how to run SymHelp in debug logging mode where these options are presented:
How to collect debug logging data for a Symantec Support case

The Advanced Debug logging dialog displays the current Debug Log settings as configured in the registry. These are:

  1. Vpdebug logging
    Vpdebug controls the logging for the Antivirus and Antispyware component of SEP.
  2. SMC debug logging
    SEP client debug logs are useful for troubleshooting client to SEPM communication problems and client functionality problems.
  3. Sylink debug logging
    Sylink logs are for troubleshooting communication problems and definition update issues.
  4. WPP debug logging
    The Windows software trace preprocessor (WPP) is a preprocessor used to implement software tracing in Windows drivers and applications. WPP logs are useful when troubleshooting driver-level conflicts or problems with the SEP client.

To reach the advanced settings, check “Enable product debug logging” and click “Advanced”. 

[Screenshot: Check Enable product debug]

Vpdebug logging, SMC debug logging, and Sylink debug logging are configured in this window. The settings shown here are the default settings. These will be chosen if you check "Enable product debug logging" and click "Next" without using the Advanced button. They do not reflect how these settings were configured before the tool was used; the tool will put those settings back the way they were when this task is done.

[Screenshot: These are the standard settings]

  • For Vpdebug logging, the LX ALL setting will gather the most information.
  • For SMC debug logging, the 0 (Debug) setting will gather the most information. The default log file size is 50MB. Only change Delta debug level on the advice of a support engineer.
  • For Sylink debug logging, the default is the same as 3. Setting 4 is more verbose. Also, only use Sylink_VolatileOpState* settings on the advice of a support engineer.
    • Two things are necessary for Sylink debugging to work.
      • SMC debug must be enabled.
      • The SEP client must be restarted to begin and end generating log data. To restart SEP: Start > Run > smc -stop, then Start > Run > smc -start (smc -stop/start will not work if the client GUI is open). Perform this step initially, when the UI prompts the user to reproduce the issue, and finally (to disable the logging completely) after data collection is complete.

 

For WPP debug logging, there are two choices, “WPP” and “WPP reboot”.

  • If an issue is easily reproduced, choose “WPP”, configure the desired settings, reproduce the issue, allow adequate time to generate log data, then choose Next to collect log data.

  • If an issue occurs at startup, use “WPP reboot”, configure the desired settings (default settings are shown here), reproduce the issue, allow adequate time to generate log data, then choose Next to collect log data.

[Screenshot: WPP reboot]

The General settings are Max duration, MaxFileSizeMB, and MaxFiles. Duration is the length of time (in milliseconds) that WPP logging will run. MaxFileSize is the maximum size (in MB) of the log file. MaxFiles is the number of old log files to keep before starting a new log. Only change these settings on the advice of a support engineer.

 



