Advanced debug log options in SymDiag for Endpoint Protection clients

book

Article ID: 158154

calendar_today

Updated On:

Products

Endpoint Protection Endpoint Protection Cloud

Issue/Introduction

Learn how to use advanced options in SymDiag to collect debug logging data from a Symantec Endpoint Protection (SEP) or Symantec Endpoint Protection Cloud (SEPC) clients.

Environment

  • SEP 12.x
  • SEP 14.x
  • SEPC
  • SEB SBE (Small Business Edition)
  • Microsoft Windows

Resolution

This document describes the Symantec Diagnostic (SymDiag) tool’s advanced debug logging settings for Symantec Endpoint Protection. These steps help ensure sufficient, timely, and accurate logs are collected.

  1. Configure and enable debug logs.
    Set log levels and max log file sizes. In most cases use the default settings.
  2. Generate log data.
    Reproduce the issue and allow the logs files to populate.
  3. Collect the logs.
    SymDiag puts the populated logs into an .sdbz file for upload to Symantec.

Allow sufficient time to generate log data after reproducing the issue.

Capturing good data the first time will reduce the need to go back for more. If an issue is easily reproduced, it may not take long to generate logs. An intermittent problem may take more time. For best results and fastest case resolution, make a list of the steps taken to reproduce the issue. These can be added under “Issue” on the customer information page of SymDiag.

Note: See Collect debug logging data for support cases with SymDiag to learn how to run SymDiag in debug logging mode where these options are presented.

Advanced Debug logging

The Advanced Debug logging dialog displays the current Debug Log settings as configured in the registry. Please remember that for SEP CLOUD the advanced options will not be available as a button, however,  you can reproduce the issue and the necessary logs will be generated normally, not being necessary to make any changes.

The advanced options are:

  1. Vpdebug logging
    Vpdebug controls the logging for the Antivirus and Antispyware component of SEP.
  2. SMC debug logging
    SEP client debug logs are useful for troubleshooting client to SEPM communication problems and client functionality problems; this option can also be used for troubleshooting issues with a Group Update Provider (GUP).
  3. Sylink debug logging
    Sylink logs are for troubleshooting, communication problems and definitions update issues.
  4. WPP debug logging
    (WPP) Windows software trace preprocessor is a preprocessor to implement software tracing in Windows drivers and applications. WPP logs are useful when troubleshooting driver level conflicts or problems with the SEP client.

To reach the advanced settings, check “Endpoint Protection Client” in the Debug Logging section and then click “Advanced...”.

 

Vpdebug, SMC debug, and Sylink debug logging

Vpdebug logging, SMC debug logging, and Sylink debug logging are configured in this window. The settings shown here are the default settings. These will be chosen if you check "Endpoint Protection Client" and "Next" without using the 'Advanced...' button.

  • For Vpdebug logging, the LX ALL setting will gather the most information.
  • For SMC debug logging, The 0 (Debug) setting will gather the most information. Default log file size is 50MB. Only change Delta debug level on the advice of a support engineer.
  • For Sylink debug logging, default is the same as 3. Setting 4 is more verbose. Also, only use Sylink_VolatileOpState* settings on the advice of a support engineer.  (Note: In the latest version of SymDiag it is no longer necessary to manually stop and start smc, SymDiag will perform this task)
  • TSE debug logging is enabled by default, but can be disabled.

WPP debug logging

For WPP debug logging, there are two choices, “WPP” and “WPP reboot”.

  • If an issue is easily reproduced, choose “WPP”, configure desired settings, reproduce the issue, allow adequate time to generate log data then choose next to collect log data.

 

  • If an issue occurs at startup, use “WPP reboot” to configure desired settings (default settings are shown here), reproduce the issue, allow adequate time to generate log data then choose next to collect log data.

Currently, no configuration settings are available for this feature.  Maximum file size is set to 50MB.  Once a log reaches this size, however, a new log is created.  This allows for longer issue reproduction times.  The current setting for logging level is 4.

Note: If SymDiag is run with the command-line -sepwpp, the original method for WPP Reboot is avaliable.  The current default method (see above) has significantly improved the depth of WPP logging data collected, so this older, no-longer-default method should only be used in special circumstances.  General settings are Max duration, MaxFileSizeMB, MaxFiles. Duration is the length of time (in milliseconds) that WPP logging will be done. MaxFileSize is the maximum size (in MB) of the log file. MaxFiles is the number of old log files to keep before starting a new log. Only change these settings on the advice of a support engineer.

For SEPC and SEP SBE, additional information can be found within the article "Collect Windows Preprocessor logs for Endpoint Protection Cloud and Endpoint Protection Small Business Edition"

 

Attachments