
How to enable extended debugging on a Critical System Protection (SCSP) agent for troubleshooting purposes


Article ID: 151827

Products

Critical System Protection

Issue/Introduction

The logs for the issue you are experiencing do not contain enough information to find the root cause, and you want to enable debugging in the SCSP agent so that the IPS and/or IDS modules log more detail.

Resolution

Depending on the situation you may need to have more extensive IDS and or IPS logging.

  • In either case, or both, the first step is to stop the SCSP agent services on the machine before making the changes.


To enable IDS debugging:

Locate the file scspagent/IDS/system/LocalAgent.ini and open it in a text editor:

Windows default:
C:\Program Files\Symantec\Critical System Protection\Agent\IDS\system\LocalAgent.ini 

Unix default:
/opt/Symantec/scspagent/IDS/system/LocalAgent.ini


Enable the additional logging in the "Log Debugs" section of the file by removing the "#" from the start of each line and changing the value at the end of the line from "=0" to "=1". Depending on your need, you may enable only the lines you are concerned with.

For example to enable full IDS debugging the "Log Debugs" section would be the following:

[Log Debugs]
Event Log Collector=1
Registry Collector=1
Filewatch Collector=1
Audit Collector=1
Syslog Collector=1
Process Event Module=1
Policy Config Module=1
Main Module=1
Utils Module=1
Wtmp Collector=1
Btmp Collector=1
C2 Log Collector=1
IPS Driver Collector=1


To enable IPS debugging:

IPS debugging is set by using the sisipsconfig utility.

The agent config tool is located in the following directories on an agent computer:

  • On Windows, sisipsconfig.exe is located in the agent\ips\bin directory.
  • On UNIX-based operating systems, the tool is named sisipsconfig.sh and is located in the agent/ips directory.

Once you have located the proper path, enable the additional debugging by running sisipsconfig with the "-trace" switch:

Windows:  sisipsconfig.exe -trace
Unix:  sisipsconfig.sh -trace

Once you have enabled the desired debugging, start the SCSP agent services so that the new settings take effect.
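The LocalAgent.ini step above is a mechanical edit of one section, and the same edit has to be reversed later. The following POSIX shell script is an added helper for the UNIX agent, not a Symantec tool and not part of the original article: it flips the flags in the [Log Debugs] section from the commented "#Name=0" form to "Name=1" (all of them, or a single named one), restores them, and leaves every other section untouched. It assumes the section header is spelled exactly "[Log Debugs]" and that each flag line has the "#Name=0" / "Name=1" shape shown above; the [Main] and [Other] sections in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added helper (not a Symantec/SCSP tool): toggles the debug flags in the
# [Log Debugs] section of an SCSP agent's LocalAgent.ini on a UNIX agent.
# Assumes the layout shown in the article: each flag line reads "#Name=0"
# when disabled and "Name=1" when enabled. Only that section is touched;
# every other line is copied through unchanged. Stop the agent services
# before editing the real file and start them again afterwards.

INI_DEFAULT=/opt/Symantec/scspagent/IDS/system/LocalAgent.ini   # Unix default path from the article

# Print the body of the [Log Debugs] section (header excluded).
log_debugs_section() {
    awk '/^\[/ { insec = ($0 == "[Log Debugs]"); next }
         insec { print }' "$1"
}

# Count the flags in [Log Debugs] that are active (uncommented and =1).
count_enabled() {
    log_debugs_section "$1" | awk '/^[^#].*=1[ \t]*$/ { n++ } END { print n + 0 }'
}

# set_debug FILE VALUE [NAME]
#   VALUE 1 enables ("Name=1"); VALUE 0 restores the default ("#Name=0").
#   With NAME only that flag changes; without it every flag in the section does.
#   FILE.bak holds the contents from before this call so the change can be reverted.
set_debug() {
    file=$1; value=$2; key=${3:-}
    case $value in 0|1) ;; *) echo "set_debug: VALUE must be 0 or 1" >&2; return 2 ;; esac
    tmp="$file.tmp.$$"
    cp -p "$file" "$file.bak" && cp -p "$file" "$tmp" || return 1
    awk -v value="$value" -v key="$key" '
        /^\[/  { insec = ($0 == "[Log Debugs]"); print; next }   # section headers
        !insec { print; next }                                    # other sections are copied as-is
        {
            line = $0
            sub(/^#[ \t]*/, "", line)            # drop a leading comment marker
            eq = index(line, "=")
            if (eq == 0) { print; next }         # blank or non key=value line
            name = substr(line, 1, eq - 1)
            if (key != "" && name != key) { print; next }
            if (value == "1") print name "=1"; else print "#" name "=0"
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample resembling the article's section in its default (all disabled) state.
# [Main] and [Other] are placeholder sections that must survive unchanged.
make_sample_ini() {
    cat > "$1" <<'EOF'
[Main]
Keep=me

[Log Debugs]
#Event Log Collector=0
#Registry Collector=0
#Filewatch Collector=0
#Audit Collector=0
#Syslog Collector=0
#Process Event Module=0
#Policy Config Module=0
#Main Module=0
#Utils Module=0
#Wtmp Collector=0
#Btmp Collector=0
#C2 Log Collector=0
#IPS Driver Collector=0

[Other]
Also=untouched
EOF
}

# Stand-alone demonstration on a constructed copy, never on the live agent file.
DEMO="${TMPDIR:-/tmp}/LocalAgent.demo.$$"
make_sample_ini "$DEMO"
set_debug "$DEMO" 1 "Main Module"
set_debug "$DEMO" 1 "Utils Module"
echo "enabled after selective change: $(count_enabled "$DEMO")"   # 2
set_debug "$DEMO" 1
echo "enabled after full enable:      $(count_enabled "$DEMO")"   # 13
set_debug "$DEMO" 0
echo "enabled after revert:           $(count_enabled "$DEMO")"   # 0
rm -f "$DEMO" "$DEMO.bak"
```

On a real agent, call set_debug against the file at INI_DEFAULT (or the equivalent path on your system) with the services stopped, and call it again with VALUE 0 when the troubleshooting is finished. The .bak file is overwritten on every call, so it always reflects the state before the most recent change. The Windows LocalAgent.ini lives at a different path and typically uses CRLF line endings, which this script does not normalise.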


Warning:

Remember to reverse this process when you are done, to prevent excessive logging and disk space issues caused by the extended logging. In most cases, however, customers have run with this enabled for months without issues; this depends on the resources available in your environment.


Engaging Support:

If you are working with support, or proactively gathering data to open a case, reproduce the issue up to three times for interactive processes where possible, so that a pattern can be established. In some cases, such as services, you will need to let the agent run until the issue presents itself.

Once the issue has been logged, gather the data with a getagent report. The following Knowledge Base article shows multiple methods of gathering the data:

How to collect information from Symantec Critical System Protection (SCSP) Agents.
Article URL http://www.symantec.com/docs/TECH116519