COPYRIGHT Copyright 2009 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. License Attributions Refer to the product Release Notes.
Contents
McAfee ePolicy Orchestrator 4.5 Log Files
  Installer logs
  Server logs
  Agent logs
  Rogue System Detection logs
  About log file path variables, file size and backup logs
  Logging levels for debugging
  Adjusting the Tomcat log level
  Troubleshooting policy updates
  Interpreting Windows error codes
  Agent activity log
Installer logs
Installer log files contain details about the ePolicy Orchestrator installation process including:
- Actions taken by specific components
- Administrator services used by the server

Description: Generated when the installer fails to check in any of the following package types:
- Extensions
- Plug-ins
- Deployment packages
- Agent packages
Location: %temp%\McAfeeLogs

EPO450-CommonSetup.log
Description: Contains details about ePolicy Orchestrator 4.5 MSI installer including:
- CustomAction logging
- SQL, DTS (Microsoft Data Transformation Services), and service related calls
- Registering and unregistering DLLs
- Files and folders marked for deletion at reboot
Location: %temp%\McAfeeLogs

EPO450-Install-MSI.log
Description: The primary ePO installation log. This file logs all details about the installation including:
- Installer actions
- Installation failures
Location: %temp%\McAfeeLogs

Licensing.log
Description: Generated when installation of a licensed version of ePolicy Orchestrator fails. Use this log file to check the details of the license and any issues with the Common License Application.
Location: %temp%\McAfeeLogs

SQL2K5bCINST.LOG
Description: Contains details about the installation of Microsoft SQL 2005 Backward Compatibility. This file is generated only when SQL 2005 Backward Compatibility is optionally installed by the ePO installer.
Location: %temp%\McAfeeLogs
Server logs
Server log files contain details on server functionality and various administrator services used by ePolicy Orchestrator 4.5.

Table 2: Server logs

<AgentGuid>_<Timestamp>_Server.xml
Description: Contains details about policy updating issues. To enable this file, create the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR. Then, specify the following setting: SAVEAGENTPOLICY(REG_DWORD)=1
Location: <InstallDir>\DB\DEBUG

Description: Contains details about database migration generated during an upgrade from an earlier version of the software.
Location: %temp%\McAfeeLogs

EpoApSvr.log
Description: Contains details related to repository actions such as:
- Pull tasks
- Checking in deployment packages to the repository
- Deleting deployment packages from the repository
Location: <InstallDir>\DB\Logs

Errorlog.<CURRENT_DATETIME>
Description: Contains details related to the Apache service. This file is not present until after the Apache service is started for the first time.
Location: <InstallDir>\Apache2\logs

Eventparser.log
Description: Contains details about the ePolicy Orchestrator event parser services, such as product event parsing success or failure.
Location: <InstallDir>\DB\Logs

Jakarta_service_<DATE>.log
Description: Contains details about the ePO Application Server service. This file is not present until after the Tomcat service is started for the first time.
Location: <InstallDir>\Server\logs

Localhost_access_log.<DATE>.txt
Description: Records all requests from client systems received by the ePO server. This file is not present until after the Tomcat service is started for the first time.
Location: <InstallDir>\Server\logs

Orion.log
Description: Contains details on server functionalities and all extensions loaded by default. This file is not present until after the ePO Application Server service is started for the first time.
Location: <InstallDir>\Server\logs

Replication.log
Description: The ePO server replication log file. This file is generated when all of the following are true:
- There are distributed repositories.
- A replication task has been configured.
- A replication task has run.
Location: <InstallDir>\DB\Logs

Server.log
Description: Contains details related to agent-server communications.
NOTE: The Siteinfo.ini file is updated when server port numbers are changed. This log file contains details about the version of Siteinfo.ini file and changed port numbers.
Location: <InstallDir>\DB\Logs

Stderr.log
Description: Contains any Standard Error output that the Tomcat service captures. This file is not present until after the Tomcat service is started the first time.
Location: <InstallDir>\Server\logs
Agent logs
Agent log files contain actions triggered or taken by the McAfee Agent.

Table 3: Agent logs

Agent_<system>.log
Description: Generated on client systems when the server deploys an agent to them. This file contains details related to:
- Agent-to-server communication
- Policy enforcement
- Other agent tasks
Location: <Agent DATA Path>\DB

FrmInst_<system>.log
Description: Generated when the FrmInst.exe is used to install the McAfee Agent. This file contains:
- Informational messages.
- Progress messages.
- Failure messages if installation fails.
Location: %temp%\McAfeeLogs

MCScript.log
Description: Contains the results of script commands used during agent deployment and updating. To enable the DEBUG mode for this log, set the following DWORD value on the client's registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DWDEBUGSCRIPT=2
NOTE: McAfee recommends that you delete this key when you are finished troubleshooting.
Location: <Agent DATA Path>\DB

Description: Contains details about the MSI installation of the agent.

Description: Contains details about agent communications with other McAfee products.

Description: Contains details of the updates to managed products on the client system.
Location: %temp%\McAfeeLogs
Agent error logs
When the agent traps errors, they are reported in Agent error logs. Agent error logs are named for their primary log counterpart. For example, when errors occur while performing client tasks, the MCScript_Error.log file is created. Error logs contain only details about errors.
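Two registry values in the tables above switch on troubleshooting output: SAVEAGENTPOLICY=1 on the server and DWDEBUGSCRIPT=2 on the agent. The following check for values left enabled after troubleshooting is an added example, not part of the McAfee documentation; it reads the text of a registry export, the sample export is constructed, and the function names are this example's own.

```python
import re

# Troubleshooting values named on this page:
# (registry key, value name, data that enables it, effect described on the page)
DEBUG_VALUES = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR",
     "SAVEAGENTPOLICY", 1,
     r"server writes <AgentGuid>_<Timestamp>_Server.xml to <InstallDir>\DB\DEBUG"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK",
     "DWDEBUGSCRIPT", 2, "MCScript.log is written in DEBUG mode"),
]
SECTION = re.compile(r"^\[([^\]]+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_dwords(text):
    """Map (KEY, NAME), both upper-cased, to the DWORD data in .reg export text."""
    found, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := SECTION.match(line)):
            key = m.group(1).upper()      # registry names are case-insensitive
        elif key and (m := DWORD.match(line)):
            found[(key, m.group(1).upper())] = int(m.group(2), 16)
    return found

def leftover_debug_settings(text):
    """Return (value name, effect) for each troubleshooting value still enabled."""
    found = parse_reg_dwords(text)
    return [(name, effect) for key, name, data, effect in DEBUG_VALUES
            if found.get((key, name)) == data]

# Constructed sample: decoded text of a registry export (regedit writes UTF-16).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator]
"SAVEAGENTPOLICY"=dword:00000001
"LOGSIZE"=dword:00000014

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]
"dwDebugScript"=dword:00000002
'''

if __name__ == "__main__":
    for name, effect in leftover_debug_settings(SAMPLE_EXPORT):
        print(f"{name} is still set: {effect}")
```

A value that has been deleted, as the NOTE for MCScript.log recommends, is simply absent from the export and is not reported.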
Rogue System Detection logs

RSDSEN450-Uninstall-MSI.log
Description: Generated on client systems when the server removes a Rogue System Sensor from a client system. This file contains details related to sensor uninstall.
Location: %temp%\McAfeeLogs

RSDSensor_out.log
Description: Contains details about all actions performed by the sensor.
Location: Program Files\McAfee\RSD Sensor
Rogue System Sensor log file configuration
The Rogue System Sensor log file (RSDSensor_out.log) can be configured to log specific details. Use the RSSensor_log.cfg to configure the Rogue System RSDSensor_out.log with the following values:
- DEBUG: The most detail available. This setting is useful when very detailed information is necessary for advanced troubleshooting.
- INFO: Provides a high level of detail. This setting is useful when working with product support to resolve specific issues.
- WARN: Provides a moderate level of detail appropriate for most troubleshooting scenarios.
- ERROR: Provides the lowest level of logging.
Use the following table to set log properties to output the details you need.

Table 5: RSSensor_log.cfg properties and values

log4cplus.rootLogger
Description: This is the root logger. All loggers that do not have a specifically assigned value use the value set here.
Default value: WARN

log4cplus.logger.RSDSensor.NetListner
Description: This is the logger for network traffic visible to the sensor.
Default value: WARN

log4cplus.logger.RSDSensor.Resolver
Description: This is the logger for the host resolver which the sensor uses to determine operating system information.
Default value: WARN

log4cplus.appender.SENSORLOG.File
Description: This value defines the name of the log file.

log4cplus.appender.SENSORLOG.MaxFileSize
Description: This value defines the size of the log file. When the log reaches the specified size limit a new file is created that is appended with a numeric value. For example, RSDSensor_out.log.1. Numbers are appended chronologically, where the highest number denotes the oldest log. When the maximum number of logs is reached, the oldest is deleted.
Default value: 5MB

log4cplus.appender.SENSORLOG.MaxBackupIndex
Description: This value specifies how many log files should be retained.
Default value: 5
About log file path variables, file size and backup logs
The locations of log files depend on how and where ePolicy Orchestrator and the agent are installed in your environment. The following table defines the path variables used to describe log file locations in this document.

Table 6: Path variables

<Agent DATA Path>
Description: To determine the actual location of the agent data files, view this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DATA PATH. For more information, see Agent installation directory in the ePolicy Orchestrator 4.5 Product Guide or Help.

%temp%
Description: This is the Temp folder of the currently logged on user. To access this folder, select Start | Run, then type %temp% in the Open text box, and click OK.

<InstallDir>
Description: The default location of the ePolicy Orchestrator 4.5 server software is C:\PROGRAM FILES\MCAFEE\EPOLICY ORCHESTRATOR
Log file size and BACKUP logs
When a log file reaches its maximum size, BACKUP is added before the file name extension and a new log file is created. For example, when Agent_<SYSTEM>.log reaches its maximum size, it is renamed Agent_<SYSTEM>_BACKUP.log. If a BACKUP log already exists, it is overwritten. Depending on how recently the BACKUP was created, it might contain current entries. Examine both log files to make sure you view all current entries.
The default log size is 1 MB. To change the size, create the DWORD value LOGSIZE in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR, then set the value data to the size desired. For example, 20=20MB.
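The two rotation schemes described in this document (numbered RSDSensor_out.log.N files, where the highest number is the oldest, and the single _BACKUP file) determine the order in which collected logs have to be read. The following is an added example, not part of the McAfee documentation: it orders a file listing oldest-first and reports rotation numbers that are missing from the sequence. The directory listings and the system name WKS01 are constructed.

```python
import re

def reading_order(filenames, primary):
    """Return (ordered, gaps) for the log family of `primary`.

    ordered: existing files, oldest entries first.
    gaps:    rotation numbers missing below the highest one present.
    Covers the two schemes on this page:
      - RSDSensor_out.log.N  (highest N is the oldest file)
      - <name>_BACKUP.<ext>  (single backup, overwritten at each rotation)
    """
    stem, dot, ext = primary.rpartition(".")
    backup_name = f"{stem}_BACKUP{dot}{ext}".lower()
    numbered = re.compile(re.escape(primary) + r"\.(\d+)$", re.IGNORECASE)

    rotated, backup, live = {}, None, None
    for name in filenames:
        m = numbered.match(name)
        if m:
            rotated[int(m.group(1))] = name
        elif name.lower() == backup_name:
            backup = name
        elif name.lower() == primary.lower():
            live = name

    # Highest suffix first, then the BACKUP file, then the live log.
    ordered = [rotated[n] for n in sorted(rotated, reverse=True)]
    ordered += [f for f in (backup, live) if f]
    # A hole in the numbering means a file went missing outside normal rotation.
    gaps = [n for n in range(1, max(rotated, default=0)) if n not in rotated]
    return ordered, gaps

# Constructed directory listings (file names only).
SENSOR_DIR = ["RSDSensor_out.log.1", "RSDSensor_out.log", "RSDSensor_out.log.4",
              "RSDSensor_out.log.2", "RSSensor_log.cfg"]
AGENT_DIR = ["Agent_WKS01.log", "Agent_WKS01_BACKUP.log", "MCScript.log"]

if __name__ == "__main__":
    print(reading_order(SENSOR_DIR, "RSDSensor_out.log"))
    print(reading_order(AGENT_DIR, "Agent_WKS01.log"))
```

Because an existing BACKUP file is overwritten at each rotation, the agent and server logs keep at most two files of history, so both should be collected together.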
Logging levels for debugging
The following table describes each message type and logging level.

Table 7: Messages reported at each log level

Message type: Description (logging level columns: 1 2 3 4 5 6 7 8)
e (error): User error message, translated
w (warning): User warning message, translated
i (information): User information message, translated
x (extended data): User extended information message, translated
E (error): Debug error message, English only
W (warning): Debug warning message, English only
I (information), or none: Debug information message, English only
X (extended data): Debug extended information message, English only
The following table lists the locations of the values that control logging levels, which can be modified.
NOTE: You cannot modify the logging levels of all logs.

Table 8: Location of values controlling log levels and when they take effect

Agent_<system>.log
Location of controlling log level value: DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

Core-install.log
Location of controlling log level value: Cannot change

EpoApSvr.log
Location of controlling log level value: DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

EPO450-CommonSetup.log
Location of controlling log level value: Debug Output value at: %temp%\MCAFEELOGS\EPO450-DEBUG.INI
Setting change takes effect: Immediately upon saving changes.

EPO450-Install-MSI.log
Setting change takes effect: Immediately upon saving changes.

Errorlog.<CURRENT_DATETIME>.log
Location of controlling log level value: Not applicable. This file is created by the Apache service.

Eventparser.log
Location of controlling log level value: DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

FrmInst_<system>.log
Location of controlling log level value: DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: At run-time.

Jakarta_Service_<DATE>.log
Location of controlling log level value: For more information, see "Adjusting the Tomcat log level."
Setting change takes effect: Upon startup of McAfee ePolicy Orchestrator 4.5.0 Application Server service.

Licensing.log
Location of controlling log level value: Cannot change.

Localhost_access_log.<DATE>.txt
Location of controlling log level value: For more information, see "Adjusting the Tomcat log level."
Setting change takes effect: Upon startup of McAfee ePolicy Orchestrator 4.5.0 Application Server service.
MCSCRIPT.log
Location of controlling log level value:
- Windows platforms: dwDebugScript in HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\Framework
- UNIX platforms: DebugScript in /etc/cma.d/<ePO Agent's software ID>/config.xml

Orion.log
Location of controlling log level value: <INSTALL DIR>\SERVER\CONF\ORION\LOG-CONFIG.XML. See MaxFileSize parameter value in Rolling log file section. See also Priority Value in <root> section.

PrdMgr_<SYSTEM>.log
DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL. Within one minute. Cannot change. Within one minute.

Replication.log Server.log
DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL. Upon startup of McAfee ePolicy Orchestrator 4.5.0 Server service. Cannot change. Cannot change. DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL. Within one minute.
Adjusting the Tomcat log level
Save and close the file. Tomcat automatically adjusts the log level when the McAfee ePolicy Orchestrator 4.5.0 Application Server service is restarted.
Troubleshooting policy updates
Restart all ePolicy Orchestrator services. The ePolicy Orchestrator server creates the file <AGENTGUID>_<TIMESTAMP>_SERVER.XML at <INSTALLATION PATH>\DB\DEBUG, which contains a copy of the content that the server deployed.

Interpreting Windows error codes
NOTE: You can also use the ERRLOOK.EXE utility to determine the cause of these error codes. This utility is distributed with Microsoft Visual Studio.