
McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide

COPYRIGHT Copyright 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. License Attributions Refer to the product Release Notes.


Contents
McAfee ePolicy Orchestrator 4.5 Log Files
  Installer logs
  Server logs
  Agent logs
  Rogue System Detection logs
  About log file path variables, file size and backup logs
  Logging levels for debugging
  Adjusting the Tomcat log level
  Troubleshooting policy updates
  Interpreting Windows error codes
  Agent activity log


McAfee ePolicy Orchestrator 4.5 Log Files


ePolicy Orchestrator generates a record of its activities and stores the information in many log files. The log files detailed in this guide represent a subset of all ePO log files, with particular attention to those most commonly used when managing and troubleshooting product issues. They are separated into three categories:

- Installer logs: Include details about installation path, user credentials, database used, and communication ports configured.
- Server logs: Include details about server functionality, client event history, and administrator services.
- Agent logs: Include details about agent installation, wake-up calls, updating, and policy enforcement.
- Rogue System Detection logs: Include details about Rogue System Sensor install and uninstall, and Sensor actions.

Installer logs
Installer log files contain details about the ePolicy Orchestrator installation process including:
- Actions taken by specific components
- Administrator services used by the server
- Success and failure of critical processes

Table 1: Installer logs

Log file name: Core-install.log
Description: Generated during ePolicy Orchestrator installation. This file contains details such as:
- Creation of server database tables
- Installation of server components
Location: %temp%\McAfeeLogs\EPO450-Troubleshoot\Orion Framework

Log file name: EPO450-Checkin-Failure.log
Description: Generated when the installer fails to check in any of the following package types:
- Extensions
- Plug-ins
- Deployment packages
- Agent packages
Location: %temp%\McAfeeLogs

Log file name: EPO450-CommonSetup.log
Description: Contains details about ePolicy Orchestrator 4.5 MSI installer including:
- CustomAction logging
- SQL, DTS (Microsoft Data Transformation Services), and service related calls
- Registering and unregistering DLLs
- Files and folders marked for deletion at reboot
Location: %temp%\McAfeeLogs

Log file name: EPO450-Install-MSI.log
Description: The primary ePO installation log. This file logs all details about the installation including:
- Installer actions
- Installation failures
Location: %temp%\McAfeeLogs

Log file name: Licensing.log
Description: Generated when installation of a licensed version of ePolicy Orchestrator fails. Use this log file to check the details of the license and any issues with the Common License Application.
Location: %temp%\McAfeeLogs

Log file name: SQL2K5bCINST.LOG
Description: Contains details about the installation of Microsoft SQL 2005 Backward Compatibility. This file is generated only when SQL 2005 Backward Compatibility is optionally installed by the ePO installer.
Location: %temp%\McAfeeLogs

Server logs
Server log files contain details on server functionality and various administrator services used by ePolicy Orchestrator 4.5.

Table 2: Server logs

Log file name: <AgentGuid>_<Timestamp>_Server.xml
Description: Contains details about policy updating issues. To enable this file, create the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR. Then, specify the following setting: SAVEAGENTPOLICY (REG_DWORD) = 1
Location: <InstallDir>\DB\DEBUG

Log file name: Dbmigrate.log
Description: Contains details about database migration generated during an upgrade from an earlier version of the software.
Location: %temp%\McAfeeLogs

Log file name: EpoApSvr.log
Description: Contains details related to repository actions such as:
- Pull tasks
- Checking in deployment packages to the repository
- Deleting deployment packages from the repository
Location: <InstallDir>\DB\Logs

Log file name: Errorlog.<CURRENT_DATETIME>
Description: Contains details related to the Apache service. This file is not present until after the Apache service is started for the first time.
Location: <InstallDir>\Apache2\logs

Log file name: Eventparser.log
Description: Contains details about the ePolicy Orchestrator event parser services, such as product event parsing success or failure.
Location: <InstallDir>\DB\Logs

Log file name: Jakarta_service_<DATE>.log
Description: Contains details about the ePO Application Server service. This file is not present until after the Tomcat service is started for the first time.
Location: <InstallDir>\Server\logs

Log file name: Localhost_access_log.<DATE>.txt
Description: Records all requests from client systems received by the ePO server. This file is not present until after the Tomcat service is started for the first time.
Location: <InstallDir>\Server\logs

Log file name: Orion.log
Description: Contains details on server functionalities and all extensions loaded by default. This file is not present until after the ePO Application Server service is started for the first time.
Location: <InstallDir>\Server\logs

Log file name: Replication.log
Description: The ePO server replication log file. This file is generated when all of the following are true:
- There are distributed repositories.
- A replication task has been configured.
- A replication task has run.
Location: <InstallDir>\DB\Logs

Log file name: Server.log
Description: Contains details related to agent-server communications. NOTE: The Siteinfo.ini file is updated when server port numbers are changed. This log file contains details about the version of Siteinfo.ini file and changed port numbers.
Location: <InstallDir>\DB\Logs

Log file name: Stderr.log
Description: Contains any Standard Error output that the Tomcat service captures. This file is not present until after the Tomcat service is started the first time.
Location: <InstallDir>\Server\logs


Agent logs
Agent log files contain actions triggered or taken by the McAfee Agent.

Table 3: Agent logs

Log file name: Agent_<system>.log
Description: Generated on client systems when the server deploys an agent to them. This file contains details related to:
- Agent-to-server communication
- Policy enforcement
- Other agent tasks
Location: <Agent DATA Path>\DB

Log file name: FrmInst_<system>.log
Description: Generated when the FrmInst.exe is used to install the McAfee Agent. This file contains:
- Informational messages.
- Progress messages.
- Failure messages if installation fails.
Location: %temp%\McAfeeLogs

Log file name: MCScript.log
Description: Contains the results of script commands used during agent deployment and updating. To enable the DEBUG mode for this log, set the following DWORD value on the client's registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DWDEBUGSCRIPT=2 NOTE: McAfee recommends that you delete this key when you are finished troubleshooting.
Location: <Agent DATA Path>\DB

Log file name: MfeAgent.MSI.<DATE>.log
Description: Contains details about the MSI installation of the agent.
Location: %temp%\McAfeeLogs

Log file name: PrdMgr_<SYSTEM>.log
Description: Contains details about agent communications with other McAfee products.
Location: <Agent DATA Path>\DB

Log file name: UpdaterUI_<system>.log
Description: Contains details of the updates to managed products on the client system.
Location: %temp%\McAfeeLogs

Agent error logs
When the agent traps errors, they are reported in Agent error logs. Agent error logs are named for their primary log counterpart. For example, when errors occur while performing client tasks, the MCScript_Error.log file is created. Error logs contain only details about errors.

Rogue System Detection logs


Rogue System Detection log files contain details about the installation of and actions performed by the Rogue System Sensor. These logs are located on the system where the sensor is deployed.

Table 4: Rogue System Detection logs

Log file name: RSDSEN450-Install-MSI.log
Description: Generated on client systems when the server deploys a Rogue System Sensor to a client system. This file contains details related to the sensor install.
Location: %temp%\McAfeeLogs

Log file name: RSDSEN450-Uninstall-MSI.log
Description: Generated on client systems when the server removes a Rogue System Sensor from a client system. This file contains details related to sensor uninstall.
Location: %temp%\McAfeeLogs

Log file name: RSDSensor_out.log
Description: Contains details about all actions performed by the sensor.
Location: Program Files\McAfee\RSD Sensor

Rogue System Sensor log file configuration
The Rogue System Sensor log file (RSDSensor_out.log) can be configured to log specific details. Use the RSSensor_log.cfg to configure the Rogue System RSDSensor_out.log with the following values:
- DEBUG: The most detail available. This setting is useful when very detailed information is necessary for advanced troubleshooting.
- INFO: Provides a high level of detail. This setting is useful when working with product support to resolve specific issues.
- WARN: Provides a moderate level of detail appropriate for most troubleshooting scenarios.
- ERROR: Provides the lowest level of logging.

Use the following table to set log properties to output the details you need.

Table 5: RSSensor_log.cfg properties and values

Property: log4cplus.rootLogger
Description: This is the root logger. All loggers that do not have a specifically assigned value use the value set here.
Default value: WARN

Property: log4cplus.logger.RSDSensor.NetListner
Description: This is the logger for network traffic visible to the sensor.
Default value: WARN

Property: log4cplus.logger.RSDSensor.Resolver
Description: This is the logger for the host resolver which the sensor uses to determine operating system information.
Default value: WARN

Property: log4cplus.appender.SENSORLOG.File
Description: This value defines the name of the log file.
Default value: $(SENSOR_DIR)\RSDSensor_out.log NOTE: This value should not be modified.

Property: log4cplus.appender.SENSORLOG.MaxFileSize
Description: This value defines the size of the log file. When the log reaches the specified size limit a new file is created that is appended with a numeric value. For example, RSDSensor_out.log.1. Numbers are appended chronologically, where the highest number denotes the oldest log. When the maximum number of logs is reached, the oldest is deleted.
Default value: 5MB

Property: log4cplus.appender.SENSORLOG.MaxBackupIndex
Description: This value specifies how many log files should be retained.
Default value: 5


About log file path variables, file size and backup logs
The locations of log files depend on how and where ePolicy Orchestrator and the agent are installed in your environment. The following table defines the path variables used to describe log file locations in this document.

Table 6: Path variables

Variable: <Agent DATA Path>
Description: To determine the actual location of the agent data files, view this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DATA PATH. For more information, see Agent installation directory in the ePolicy Orchestrator 4.5 Product Guide or Help.

Variable: %temp%
Description: This is the Temp folder of the currently logged on user. To access this folder, select Start | Run, then type %temp% in the Open text box, and click OK.

Variable: <InstallDir>
Description: The default location of the ePolicy Orchestrator 4.5 server software is C:\PROGRAM FILES\MCAFEE\EPOLICY ORCHESTRATOR

Log file size and BACKUP logs
When a log file reaches its maximum size, BACKUP is added before the file name extension and a new log file is created. For example, when Agent_<SYSTEM>.log reaches its maximum size, it is renamed Agent_<SYSTEM>_BACKUP.log. If a BACKUP log already exists, it is overwritten. Depending on how recently the BACKUP was created, it might contain current entries. Examine both log files to make sure you view all current entries.

The default log size is 1 MB. To change the size, create the DWORD value LOGSIZE in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR, then set the value data to the size desired. For example, 20=20MB.

Logging levels for debugging


This section provides information about setting the logging levels for logs in general. For information about adjusting the logging of the Tomcat servlet container, see Adjusting the Tomcat log level. The scope and depth of the information in most log files are determined by the log level, a value ranging from 1 to 8. Messages logged at each level include all messages at the current level and all lower logging levels. The default value (7) is generally considered adequate for ordinary debugging. Log level 8 produces output, including every SQL query, whether or not there is an error. Log level 8 also provides communication details for troubleshooting network and proxy server issues.


The following table describes each message type and logging level.

Table 7: Messages reported at each log level

Logging level 1: e (error). User error message, translated.
Logging level 2: w (warning). User warning message, translated.
Logging level 3: i (information). User information message, translated.
Logging level 4: x (extended data). User extended information message, translated.
Logging level 5: E (error). Debug error message, English only.
Logging level 6: W (warning). Debug warning message, English only.
Logging level 7: I (information), or none. Debug information message, English only.
Logging level 8: X (extended data). Debug extended information message, English only.

The following table lists the locations of the values that control logging levels, which can be modified. NOTE: You cannot modify the logging levels of all logs.

Table 8: Location of values controlling log levels and when they take effect

Log file: Agent_<system>.log
Location of controlling log level value: DWORD registry value at HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

Log file: Core-install.log
Location of controlling log level value: Cannot change.

Log file: EpoApSvr.log
Location of controlling log level value: DWORD registry value at HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

Log file: EPO450-CommonSetup.log
Location of controlling log level value: Debug Output value at %temp%\MCAFEELOGS\EPO450-DEBUG.INI
Setting change takes effect: Immediately upon saving changes.

Log file: EPO450-Install-MSI.log
Location of controlling log level value: Debug Output value at %temp%\MCAFEELOGS\EPO450-DEBUG.INI
Setting change takes effect: Immediately upon saving changes.

Log file: Errorlog.<CURRENT_DATETIME>.log
Location of controlling log level value: Not applicable. This file is created by the Apache service.

Log file: Eventparser.log
Location of controlling log level value: DWORD registry value at HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

Log file: FrmInst_<system>.log
Location of controlling log level value: DWORD registry value at HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: At run-time.

Log file: Jakarta_Service_<DATE>.log
Location of controlling log level value: For more information, see "Adjusting the Tomcat log level."
Setting change takes effect: Upon startup of McAfee ePolicy Orchestrator 4.5.0 Application Server service.

Log file: Licensing.log
Location of controlling log level value: Cannot change.

Log file: Localhost_access_log.<DATE>.txt
Location of controlling log level value: For more information, see "Adjusting the Tomcat log level."
Setting change takes effect: Upon startup of McAfee ePolicy Orchestrator 4.5.0 Application Server service.

Log file: MCSCRIPT.log
Location of controlling log level value:
- Windows platforms: dwDebugScript in HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\Framework
- UNIX platforms: DebugScript in /etc/cma.d/<ePO Agent's software ID>/config.xml
Setting change takes effect: Immediately

Log file: Orion.log
Location of controlling log level value: <INSTALL DIR>\SERVER\CONF\ORION\LOG-CONFIG.XML. See MaxFileSize parameter value in Rolling log file section. See also Priority Value in <root> section.
Setting change takes effect: Upon startup of McAfee ePolicy Orchestrator 4.5.0 Application Server service.

Log file: PrdMgr_<SYSTEM>.log
Location of controlling log level value: DWORD registry value at HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

Log file: Replication.log
Location of controlling log level value: Cannot change.
Setting change takes effect: Within one minute.

Log file: Server.log
Location of controlling log level value: DWORD registry value at HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Upon startup of McAfee ePolicy Orchestrator 4.5.0 Server service.

Log file: SQL2K5bCINST.log
Location of controlling log level value: Cannot change.

Log file: Stderr.log
Location of controlling log level value: Cannot change.

Log file: UpdaterUI_<SYSTEM>.log
Location of controlling log level value: DWORD registry value at HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

Adjusting the Tomcat log level


The file name of the Tomcat log is ORION.LOG. The Tomcat log is created by the McAfee ePolicy Orchestrator 4.5.0 Application Server. To adjust its logging level, do the following.

Task
1. Using a text editor, open the Log-Config.xml file, located at:
C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orion
2. In the following line of text, replace warn with info or debug:
<root><priority value ="warn"/><appender-ref ref="ROLLING" /><appender-ref ref="STDOUT" /></root>
3. Save and close the file.

Tomcat automatically adjusts the log level when the McAfee ePolicy Orchestrator 4.5.0 Application Server service is restarted.
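The three steps above as a scripted edit that keeps a backup copy, so the level can be returned to warn once troubleshooting ends. This is an added example, not McAfee code: Set-OrionRootPriority is a hypothetical helper name, the sample file is constructed, and the only assumption about Log-Config.xml is that it contains the <root><priority .../> element shown in step 2.

```powershell
# Added example, not McAfee code. Set-OrionRootPriority is a hypothetical helper.
function Set-OrionRootPriority {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # The guide offers warn (as shipped), info and debug.
        [Parameter(Mandatory = $true)]
        [ValidateSet('warn', 'info', 'debug')][string]$Level
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null           # never fetch external DTDs or entities
    $doc.PreserveWhitespace = $true    # leave the rest of the file's layout alone
    $doc.Load($full)

    # The guide shows <priority> as a direct child of <root>.
    $node = $doc.SelectSingleNode('//root/priority')
    if ($null -eq $node) {
        throw "No <root><priority .../> element found in $full"
    }

    $old = $node.GetAttribute('value')
    if ($old -ne $Level) {
        # Keep the first pristine copy; later edits do not overwrite it.
        if (-not (Test-Path -LiteralPath "$full.bak")) {
            Copy-Item -LiteralPath $full -Destination "$full.bak"
        }
        $node.SetAttribute('value', $Level)
        $doc.Save($full)
    }
    New-Object PSObject -Property @{ File = $full; Previous = $old; Current = $Level }
}

# Constructed sample standing in for Log-Config.xml, so the example runs anywhere.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'Log-Config.sample.xml'
@'
<configuration>
  <root><priority value ="warn"/><appender-ref ref="ROLLING" /><appender-ref ref="STDOUT" /></root>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Set-OrionRootPriority -Path $sample -Level debug   # raise for troubleshooting
Set-OrionRootPriority -Path $sample -Level warn    # return to the level the guide shows
```

As the task states, the new level applies only after the McAfee ePolicy Orchestrator 4.5.0 Application Server service is restarted.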

Troubleshooting policy updates


To troubleshoot incremental policy update issues from the server-side, do the following.

Task
1. Create the DWORD registry value SAVEAGENTPOLICY = 1 in:
HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR
2. Restart all ePolicy Orchestrator services.

The ePolicy Orchestrator server creates the file <AGENTGUID>_<TIMESTAMP>_SERVER.XML at <INSTALLATION PATH>\DB\DEBUG, which contains a copy of the content that the server deployed.
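SAVEAGENTPOLICY, like the LOGLEVEL and DWDEBUGSCRIPT values described earlier in this guide, keeps producing extra output until someone removes it, so it is worth checking for leftovers after a troubleshooting session. The following audit is an added example, not McAfee code: the registry paths and value names are the ones printed in this guide, while Get-EpoDebugSetting and the review rules are hypothetical choices made for the example.

```powershell
# Added example, not McAfee code. Get-EpoDebugSetting is a hypothetical helper.
# Registry paths are used exactly as the guide prints them. Assumption: on
# 64-bit Windows, 32-bit software is redirected under SOFTWARE\Wow6432Node,
# so point $Root there if the values are not found.
$Root     = 'HKLM:\SOFTWARE\NETWORK ASSOCIATES'
$EpoKey   = "$Root\EPOLICY ORCHESTRATOR"
$AgentKey = "$Root\TVD\SHARED COMPONENTS\FRAMEWORK"

# One entry per troubleshooting value named in the guide, with the condition
# under which it deserves a second look.
$Checks = @(
    @{ Key  = $EpoKey;   Name = 'LOGLEVEL'
       Flag = { param($v) $v -ge 8 }
       Why  = 'Level 8 logs every SQL query and communication details' },
    @{ Key  = $EpoKey;   Name = 'SAVEAGENTPOLICY'
       Flag = { param($v) $v -eq 1 }
       Why  = 'Server writes copies of deployed policy content to <InstallDir>\DB\DEBUG' },
    @{ Key  = $AgentKey; Name = 'DWDEBUGSCRIPT'
       Flag = { param($v) $true }
       Why  = 'MCScript debug value; the guide recommends deleting it after troubleshooting' }
)

function Get-EpoDebugSetting {
    foreach ($c in $Checks) {
        # A missing key or value is normal on an untouched system.
        $item  = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        $flag  = ($null -ne $value) -and (& $c.Flag $value)

        [pscustomobject]@{
            Value  = $c.Name
            Data   = if ($null -eq $value) { '(not set)' } else { $value }
            Review = [bool]$flag
            Reason = if ($flag) { $c.Why } else { '' }
        }
    }
}

Get-EpoDebugSetting | Format-Table -AutoSize -Wrap

# Cleanup after troubleshooting (uncomment to apply):
# Remove-ItemProperty -Path $AgentKey -Name 'DWDEBUGSCRIPT'
# Remove-ItemProperty -Path $EpoKey   -Name 'SAVEAGENTPOLICY'
```

Files already written to <InstallDir>\DB\DEBUG stay on disk after SAVEAGENTPOLICY is removed, so review that folder as well.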

Interpreting Windows error codes


To understand Windows error messages, identify the error code and look it up in the MSDN library.

1. Locate messages of type e or E in the log file.
2. Identify the time that the problem occurred, if known.
3. Note the Windows error code associated with the problem event.
4. Find the error code in the MSDN library at: http://msdn2.microsoft.com/en-us/library/ms681381.aspx

For example, when tracking down an error message that includes code 1326, navigate to and click the code in the list of system error codes. The explanation of the code is displayed:
1326 ERROR_LOGON_FAILURE Logon failure: unknown user name or bad password

NOTE: You can also use the ERRLOOK.EXE utility to determine the cause of these error codes. This utility is distributed with Microsoft Visual Studio.

Agent activity log


The agent activity log (AGENT_<SYSTEM>.XML) contains copies of messages from the AGENT_<SYSTEM>.LOG, including translated messages, of types e, w, and i (corresponding to logging levels 1-3). This file is not intended for debugging, but as information for users not likely to be troubleshooting. Messages of type x (logging level 4) can be included in the activity log. For information on setting levels, see Logging levels for debugging.

Information in the activity log also appears in the Agent Monitor. If you enable remote access to the agent activity log file, you can also view the agent debug log files remotely by clicking View debug log (current or previous) in the header of the Show Agent Log display. For instructions, see Agent Activity Logs and Viewing the agent activity log in the ePolicy Orchestrator 4.5 Product Guide or Help.
