This document describes the Symantec Diagnostic (SymDiag) tool’s advanced debug logging settings for Symantec Endpoint Protection. These steps help ensure sufficient, timely, and accurate logs are collected.

1. Configure and enable debug logs.
   Set log levels and max log file sizes. In most cases use the default settings.
2. Generate log data.
   Reproduce the issue and allow the logs files to populate.
3. Collect the logs.
   SymDiag puts the populated logs into an .sdbz file for upload to Symantec.

Allow sufficient time to generate log data after reproducing the issue.

Capturing good data the first time will reduce the need to go back for more. If an issue is easily reproduced, it may not take long to generate logs. An intermittent problem may take more time. For best results and fastest case resolution, make a list of the steps taken to reproduce the issue. These can be added under “Issue” on the customer information page of SymDiag.

Note: See How to collect full agent and system logs for technical support using the Symantec Diagnostic Tool (SymDiag) to learn how to run SymDiag in debug logging mode where these options are presented.

Advanced Debug logging

The Advanced Debug logging dialog displays the current Debug Log settings as configured in the registry. Please remember that for SEP CLOUD the advanced options will not be available as a button, however,  you can reproduce the issue and the necessary logs will be generated normally, not being necessary to make any changes.

The advanced options are:

1. Vpdebug logging
   Vpdebug controls the logging for the Antivirus and Antispyware component of SEP. It contains details of SEP "Scheduled" and "Manual" scans, not real-time Auto-Protect scans.
2. SMC debug logging
   SEP client debug logs are useful for troubleshooting client to SEPM communication problems and client functionality problems; this option can also be used for troubleshooting issues with a Group Update Provider (GUP).
3. Sylink debug logging
   Sylink logs are for troubleshooting, communication problems and definitions update issues.
4. WPP debug logging
   (WPP) Windows software trace preprocessor is a preprocessor to implement software tracing in Windows drivers and applications. WPP logs are useful when troubleshooting driver level conflicts or problems with the SEP client.

To reach the advanced settings, check “Endpoint Protection Client” in the Debug Logging section and then click “Advanced...”.

Vpdebug, SMC debug, and Sylink debug logging

Vpdebug logging, SMC debug logging, and Sylink debug logging are configured in this window. The settings shown here are the default settings. These will be chosen if you check "Endpoint Protection Client" and "Next" without using the 'Advanced...' button.

• For Vpdebug logging, the "L X ALL" setting will gather the most information.
• For SMC debug logging, The "0 (Debug)" setting will gather the most information. Default log file size is 50MB. Only change Delta debug level on the advice of a support engineer.
• For Sylink debug logging, default is the same as 3. Setting 4 is more verbose. Also, only use Sylink_VolatileOpState* settings on the advice of a support engineer.  (Note: In the latest version of SymDiag it is no longer necessary to manually stop and start smc, SymDiag will perform this task)
• TSE debug logging is enabled by default, but can be disabled.

WPP debug logging

For WPP debug logging, there are two choices, “WPP” and “WPP reboot”.

• If an issue is easily reproduced, choose “WPP”, configure desired settings, reproduce the issue, allow adequate time to generate log data then choose next to collect log data.

• If an issue occurs at startup, use “WPP reboot” to configure desired settings (default settings are shown here), reproduce the issue, allow adequate time to generate log data then choose next to collect log data.

Currently, no configuration settings are available for this feature. Default file size is set to 500 MB, if the Total Drive Space is 500 MB or less it will use circular logging.  Otherwise it will create multiple files that are 500 MB with the value controlling how much drive space the files can use. It will prune older .etl files once the total size of the .etl files is greater than Total Drive Space.  As an example, if Total Drive space is 5000 MB, then it will allow 10 different 500MB .etl files to be created, it will then start deleting the earliest created files, but it will always have the last 10 .etl files that were created. The current setting for logging level is 4.

Note: If SymDiag is run with the command-line -sepwpp, the original method for WPP Reboot is available.  The current default method (see above) has significantly improved the depth of WPP logging data collected, so this older, no-longer-default method should only be used in special circumstances.  General settings are Max duration, MaxFileSizeMB, MaxFiles. Duration is the length of time (in milliseconds) that WPP logging will be done. MaxFileSize is the maximum size (in MB) of the log file. MaxFiles is the number of old log files to keep before starting a new log. Only change these settings on the advice of a support engineer.

For SEPC and SEP SBE, additional information can be found within the article "Collect Windows Preprocessor logs for Endpoint Protection Cloud and Endpoint Protection Small Business Edition"