ePolicy Orchestrator Log Files

Reference Guide

COPYRIGHT

Copyright © 2011 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

1 Preface
   About this guide
      Audience
      Conventions
      What's in this guide
   Finding product documentation

2 McAfee ePolicy Orchestrator log files
   Log files and their categories
      Installer logs
      Server logs
      Agent logs
      Rogue System Detection logs
   About log file path variables, file size and backup logs
   Logging levels for debugging
   Agent activity log
   Adjusting the Orion log level
   Troubleshooting policy updates
   Interpreting Windows error codes

1 Preface

This guide provides the information you need to troubleshoot your McAfee product using the log files.

Contents

About this guide

Finding product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold: Text that is strongly emphasized.

User input or Path: Commands and other text that the user types; the path of a folder or program.

Code: A code sample.

User interface: Words in the user interface including options, menus, buttons, and dialog boxes.

Hypertext blue: A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.

What's in this guide

This guide is organized to help you find the information you need. The log files detailed in this guide represent a subset of all ePO log files, with particular attention to those most commonly used when managing and troubleshooting product issues. McAfee ePolicy Orchestrator

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access user documentation, do this:

   1 Click Product Documentation.
   2 Select a Product, then select a Version.
   3 Select a product document.

To access the KnowledgeBase, do this:

   • Click Search the KnowledgeBase for answers to your product questions.
   • Click Browse the KnowledgeBase for articles listed by product and version.

2 McAfee ePolicy Orchestrator log files

The log files detailed in this guide represent a subset of all ePolicy Orchestrator log files, with particular attention to those most commonly used when managing and troubleshooting product issues.

Contents

Log files and their categories

About log file path variables, file size and backup logs

Logging levels for debugging

Agent activity log

Adjusting the Orion log level

Troubleshooting policy updates

Interpreting Windows error codes

Log files and their categories

McAfee ePolicy Orchestrator generates a record of its activities and stores the information in many log files.

These log files are separated into four categories:

• Installer logs — Include details about installation path, user credentials, database used, and communication ports configured.

• Server logs — Include details about server functionality, client event history, and administrator services.

• Agent logs — Include details about agent installation, wake-up calls, updating, and policy enforcement.

• Rogue System Detection logs — Include details about Rogue System Detection install and uninstall, and Sensor actions.

Installer logs

Installer log files contain details about the McAfee ePolicy Orchestrator installation process including:

• Actions taken by specific components

• Administrator services used by the server

• Success and failure of critical processes

Table 2-1 Installer logs

Core-install.log
   Description: Generated during ePolicy Orchestrator installation. This file contains details such as:
   • Creation of server database tables
   • Installation of server components
   Location: [InstallDir]\Installer\core

epo-install.log
   Description: Created when the ePolicy Orchestrator installer calls the Mercury ANT installer.
   Location: [InstallDir]\Installer\epo

EPO460-Checkin-Failure.log
   Description: Generated when the installer fails to check in any of the following package types:
   • Extensions
   • Plug-ins
   • Deployment packages
   • Agent packages
   Location: %temp%\McAfeeLogs

EPO460-CommonSetup.log
   Description: Contains details about ePolicy Orchestrator 4.6 MSI installer including:
   • CustomAction logging
   • SQL, DTS (Microsoft Data Transformation Services), and service related calls
   • Registering and unregistering DLLs
   • Files and folders marked for deletion at reboot
   Location: %temp%\McAfeeLogs

EPO460-Install-MSI.log
   Description: The primary McAfee ePO installation log. This file logs all details about the installation including:
   • Installer actions
   • Installation failures
   Location: %temp%\McAfeeLogs

Server logs

Server log files contain details on server functionality and various administrator services used by ePolicy Orchestrator version 4.6.

Table 2-2 Server logs

<AgentGuid>_<Timestamp>_Server.xml
   Description: Contains details about policy updating issues. To enable this file:
   1 Browse to the following registry key: HKEY_LOCAL_MACHINE\Software\Network Associates\ePolicy Orchestrator\
   2 Create the following DWORD with value 1: SaveAgentPolicy
   3 Restart the McAfee ePolicy Orchestrator 4.6.0 Server (Apache) service.
   McAfee recommends this file be enabled for the minimum duration necessary to capture the required information, as the resulting files grow rapidly.
   Location: <InstallDir>\DB\DEBUG

EpoApSvr.log
   Description: Contains details related to repository actions such as:
   • Pull tasks
   • Checking in deployment packages to the repository
   • Deleting deployment packages from the repository
   Location: <InstallDir>\DB\Logs

Errorlog.<CURRENT_DATETIME>
   Description: Contains details related to the Apache service. This file is not present until after the Apache service is started for the first time.
   Location: <InstallDir>\Apache2\logs

Eventparser.log
   Description: Contains details about the ePolicy Orchestrator event parser services, such as product event parsing success or failure.
   Location: <InstallDir>\DB\Logs

Jakarta_service_<DATE>.log
   Description: Contains details about the McAfee ePO Application Server service. This file is not present until after the Tomcat service is started for the first time.
   Location: <InstallDir>\Server\logs

Localhost_access_log.<DATE>.txt
   Description: Records all requests from client systems received by the McAfee ePO server. This file is not present until after the Tomcat service is started for the first time.
   Location: <InstallDir>\Server\logs

Orion.log
   Description: Contains details on server functionalities and all extensions loaded by default. This file is not present until after the McAfee ePO Application Server service is started for the first time.
   Location: <InstallDir>\Server\logs

Replication.log
   Description: The McAfee ePO server replication log file. This file is generated when all of the following are true:
   • There are distributed repositories.
   • A replication task has been configured.
   • A replication task has run.
   Location: <InstallDir>\DB\Logs

Server.log
   Description: Contains details related to agent-server communications. The Siteinfo.ini file is updated when server port numbers are changed. This log file contains details about the version of Siteinfo.ini file and changed port numbers.
   Location: <InstallDir>\DB\Logs

Stderr.log
   Description: Contains any Standard Error output that the Tomcat service captures. This file is not present until after the Tomcat service is started the first time.
   Location: <InstallDir>\Server\logs

Table 2-3 File locations in cluster installations

Log file name | Location
Jakarta_service_<DATE>.log | [InstallDir]\Bin\Server\logs
Localhost_access_log.<DATE>.txt | [InstallDir]\Bin\Server\logs
Orion.log | [InstallDir]\Bin\Server\logs
Stderr.log | [InstallDir]\Bin\Server\logs

Agent logs

Agent log files contain actions triggered or taken by the McAfee Agent.

Table 2-4 Agent logs

Agent_<system>.log
   Description: Generated on client systems when the server deploys an agent to them. This file contains details related to:
   • Agent-to-server communication
   • Policy enforcement
   • Other agent tasks
   Location: <Agent DATA Path>\DB

FrmInst_<system>.log
   Description: Generated when the FrmInst.exe is used to install the McAfee Agent. This file contains:
   • Informational messages.
   • Progress messages.
   • Failure messages if installation fails.
   Location: %temp%\McAfeeLogs

MCScript.log
   Description: Contains the results of script commands used during agent deployment and updating. To enable the DEBUG mode for this log, set the following DWORD value on the client’s registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DWDEBUGSCRIPT=2
   McAfee recommends that you delete this key when you are finished troubleshooting.
   Location: <Agent DATA Path>\DB

MfeAgent.MSI.<DATE>.log
   Description: Contains details about the MSI installation of the agent.
   Location: %temp%\McAfeeLogs

PrdMgr_<SYSTEM>.log
   Description: Contains details about agent communications with other McAfee products.
   Location: <Agent DATA Path>\DB

UpdaterUI_<system>.log
   Description: Contains details of the updates to managed products on the client system.
   Location: %temp%\McAfeeLogs

Agent error logs

When the agent traps errors, they are reported in Agent error logs. Agent error logs are named for their primary log counterpart. For example, when errors occur while performing client tasks, the MCScript_Error.log file is created. Error logs contain only details about errors.

Rogue System Detection logs

Rogue System Detection log files contain details about the installation of and actions performed by the Rogue System Sensor. These logs are located on the system where the sensor is deployed.

Table 2-5 Rogue System Detection logs

RSDSEN450-Install-MSI.log
   Description: Generated on client systems when the server deploys a Rogue System Sensor to a client system. This file contains details related to the sensor install.
   Location: %windir%\temp

RSDSEN450-Uninstall-MSI.log
   Description: Generated on client systems when the server removes a Rogue System Sensor from a client system. This file contains details related to sensor uninstall.
   Location: %windir%\temp

RSDSensor_out.log
   Description: Contains details about all actions performed by the sensor.
   Location: Program Files\McAfee\RSD Sensor

Rogue System Sensor log file configuration

The Rogue System Sensor log file (RSDSensor_out.log) can be configured to log specific details. Use the RSSensor_log.cfg to configure the Rogue System RSDSensor_out.log with the following values:

• DEBUG — The most detail available. This setting is useful when very detailed information is necessary for advanced troubleshooting.

• INFO — Provides a high level of detail. This setting is useful when working with product support to resolve specific issues.

• WARN — Provides a moderate level of detail appropriate for most troubleshooting scenarios.

• ERROR — Provides the lowest level of logging.

Use the following table to set log properties to output the details you need.

Table 2-6 RSSensor_log.cfg properties and values

Property | Description | Default value | Modify value for troubleshooting
log4cplus.rootLogger | This is the root logger. All loggers that do not have a specifically assigned value use the value set here. | WARN | DEBUG
log4cplus.logger.RSDSensor.NetListener | This is the logger for network traffic visible to the sensor. | WARN | DEBUG
log4cplus.logger.RSDSensor.Resolver | This is the logger for the host resolver which the sensor uses to determine operating system information. | WARN | DEBUG
log4cplus.logger.RSDSensor.ServerCom | This is the logger for controlling the level of log messages between the sensor and the server. | INFO | DEBUG

About log file path variables, file size and backup logs

The locations of log files depend on how and where ePolicy Orchestrator and the agent are installed in your environment. The following table defines the path variables used to describe log file locations in this document.

Table 2-7 Path variables

Variable | Description
<Agent DATA Path> | To determine the actual location of the agent data files, view this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DATA PATH. For more information, see Agent installation directory in the ePolicy Orchestrator Product Guide or Help.
%temp% | This is the Temp folder of the currently logged on user. To access this folder, select Start | Run, then type %temp% in the Open text box, and click OK.
<InstallDir> | The default location of the ePolicy Orchestrator server software is C:\PROGRAM FILES\MCAFEE\EPOLICY ORCHESTRATOR

Log file size and backup logs

When a log file reaches its maximum size, _backup is added before the file name extension and a new log file is created. For example, when Agent_<SYSTEM>.log reaches its maximum size, it is renamed Agent_<SYSTEM>_backup.log. If a backup log already exists, it is overwritten. Depending on how recently the backup was created, it might contain current entries. Examine both log files to make sure you view all current entries.

To change the log size, create the DWORD value LOGSIZE in the registry key HKEY_LOCAL_MACHINE\Software\Network Associates\ePolicy Orchestrator, then set the value data to the size desired. For example, 20 = 20 MB.

Logging levels for debugging

This section provides information about setting the logging levels for logs in general.

For information about adjusting the logging of the Tomcat servlet container, see Adjusting the Orion log level.

The scope and depth of the information in most log files are determined by the log level, a value ranging from 1 to 8.

• Messages logged at each level include all messages at the current level and all lower logging levels.

• The default value (7) is generally considered adequate for ordinary debugging.

• Log level 8 produces output, including every SQL query, whether or not there is an error. Log level 8 also provides communication details for troubleshooting network and proxy server issues.

The following table describes each message type and logging level.

Table 2-8 Messages reported at each log level

Message type | Description | Logging level
e (error) | User error message, translated | 1
w (warning) | User warning message, translated | 2
I (information) | User information message, translated | 3
x (extended data) | User extended information message, translated | 4
E (error) | Debug error message, English only | 5
W (warning) | Debug warning message, English only | 6
I (information), or none | Debug information message, English only | 7
X (extended data) | Debug extended information message, English only | 8

The following table lists the locations of the values that control logging levels, which can be modified.

You cannot modify the logging levels of all logs.

Table 2-9 Location of values controlling log levels and when they take effect

Log file | Location of controlling log level value | Setting change takes effect...
Agent_<system>.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | Within one minute.
Core-install.log | Cannot change |
EpoApSvr.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | Within one minute.
Errorlog.<CURRENT_DATETIME>.log | Not applicable. This file is created by the Apache service. |
Eventparser.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | Within one minute.
FrmInst_<system>.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | At run-time.
Jakarta_Service_<DATE>.log | For more information, see Adjusting the Orion log level. | Upon startup of ePolicy Orchestrator Application Server service.
Localhost_access_log.<DATE>.txt | For more information, see Adjusting the Orion log level. | Upon startup of ePolicy Orchestrator Server service.
MCSCRIPT.log | Windows platforms: dwDebugScript in HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\Framework. UNIX platforms: DebugScript in /etc/cma.d/<ePO Agent's software ID>/config.xml | Immediately
Orion.log | <INSTALL DIR>\SERVER\CONF\ORION\LOG-CONFIG.XML. See “MaxFileSize” parameter value in “Rolling log file” section. See also Priority Value in <root> section. | Upon startup of ePolicy Orchestrator Application Server service.
PrdMgr_<SYSTEM>.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | Within one minute.
Replication.log | Cannot change. | Within one minute.
Server.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | Upon startup of ePolicy Orchestrator Server service.
Stderr.log | Cannot change. |
UpdaterUI_<SYSTEM>.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | Within one minute.

Agent activity log

The agent activity log (AGENT_<SYSTEM>.XML) contains copies of messages from the AGENT_<SYSTEM>.LOG, including translated messages, of types “e,” “w,” and “i” (corresponding to logging levels 1–3). This file is not intended for debugging, but as information for users not likely to be troubleshooting. Messages of type “x” (logging level 4) can be included in the activity log. For information on setting levels, see Logging levels for debugging.

Information in the activity log also appears in the Agent Monitor.

If you enable remote access to the agent activity log file, you can also view the agent debug log files remotely by clicking View debug log (current or previous) in the header of the Show Agent Log display. For instructions, see Agent Activity Logs and Viewing the agent activity log in the ePolicy Orchestrator Product Guide or Help.

Adjusting the Orion log level

The orion.log file is created by the ePolicy Orchestrator Application Server. To adjust its logging level, do the following.

Task

1 Using a text editor, open the Log-Config.xml file, located at:

C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orion

2 In the following line of text, replace “warn” with “info” or “debug”:

<root><priority value="warn"/><appender-ref ref="ROLLING"/><appender-ref ref="STDOUT"/></root>

Use debug only when troubleshooting for a short period of time. Setting the priority value to debug causes the old log files to be deleted frequently.

3 Save and close the file.

Tomcat automatically adjusts the log level when the ePolicy Orchestrator Application Server service is restarted.

Troubleshooting policy updates

To troubleshoot incremental policy update issues from the server-side, do the following.

Task

1 Create the DWORD registry value SAVEAGENTPOLICY = 1 in:

HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR

2 Restart all ePolicy Orchestrator services.

The ePolicy Orchestrator server creates the file <AGENTGUID>_<TIMESTAMP>_SERVER.XML at <INSTALLATION PATH>\DB\DEBUG, which contains a copy of the content that the server deployed.
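
Several settings in this guide are meant to be temporary: SaveAgentPolicy, the MCScript DEBUG value, Orion's debug priority, and log level 8, which records every SQL query. The following PowerShell script is an added example, not McAfee code, that reports which of them are still enabled on a system. It assumes the default installation directory from Table 2-7 unless -InstallDir is given, and it only reads the registry and Log-Config.xml.

```powershell
# Added example (not McAfee code). Key paths, value names and file locations
# are the ones this guide gives; the default install directory is an assumption
# taken from Table 2-7. Read-only: nothing is changed on the system.
param(
    [string]$InstallDir = 'C:\Program Files\McAfee\ePolicy Orchestrator'
)

$epoKey       = 'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator'
$frameworkKey = 'HKLM:\SOFTWARE\Network Associates\TVD\Shared Components\Framework'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = @()

# SaveAgentPolicy = 1 makes the server write <AgentGuid>_<Timestamp>_Server.xml
# files to DB\DEBUG; the guide asks for the minimum duration because they grow rapidly.
if ((Get-RegValue $epoKey 'SaveAgentPolicy') -eq 1) {
    $debugDir = Join-Path $InstallDir 'DB\DEBUG'
    $dumps = @(Get-ChildItem -Path $debugDir -Filter '*_Server.xml' -ErrorAction SilentlyContinue)
    $findings += "SaveAgentPolicy=1; $($dumps.Count) policy file(s) in $debugDir"
}

# dwDebugScript = 2 is MCScript.log DEBUG mode; the guide recommends deleting it
# once troubleshooting is finished, so any remaining value is reported.
$debugScript = Get-RegValue $frameworkKey 'dwDebugScript'
if ($null -ne $debugScript) {
    $findings += "dwDebugScript is still present (value $debugScript)"
}

# LogLevel: 7 is the default; 8 adds every SQL query and communication details.
$logLevel = Get-RegValue $epoKey 'LogLevel'
if ($null -ne $logLevel -and $logLevel -ge 8) {
    $findings += "LogLevel=$logLevel (default is 7; 8 logs every SQL query)"
}

# Orion: the <root><priority value="..."/> element in Log-Config.xml.
$logConfig = Join-Path $InstallDir 'Server\conf\orion\Log-Config.xml'
if (Test-Path -LiteralPath $logConfig) {
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # do not resolve any external DTD or entity
    $doc.Load($logConfig)
    $priority = $doc.SelectSingleNode('//root/priority')
    if ($null -ne $priority -and $priority.GetAttribute('value') -eq 'debug') {
        $findings += "Orion root priority is 'debug' in $logConfig"
    }
}

if ($findings.Count -eq 0) {
    'No troubleshooting-level logging settings found.'
} else {
    $findings | ForEach-Object { "REVIEW: $_" }
}
```

The SaveAgentPolicy, LogLevel and Orion checks apply to the ePO server; the dwDebugScript check applies to managed clients, where the Framework key lives.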

Interpreting Windows error codes

To understand Windows error messages, identify the error code and look it up in the MSDN library.

Task

1 Locate messages of type e or E in the log file.

2 Identify the time that the problem occurred, if known.

3 Note the Windows error code associated with the problem event.

4 Find the error code in the MSDN library at:

http://msdn2.microsoft.com/en-us/library/ms681381.aspx

For example, when tracking down an error message that includes code 1326, navigate to and click the code in the list of system error codes. The explanation of the code is displayed:

1326 ERROR_LOGON_FAILURE Logon failure: unknown user name or bad password

You can also use the ERRLOOK.EXE utility to determine the cause of these error codes. This utility is distributed with Microsoft Visual Studio.
