Enabling Logging and Debug Logging in Endpoint Encryption 11

Article ID: 161042

Products

Endpoint Encryption

Issue/Introduction

Introduction

This article provides details about:

  • Installing Endpoint Encryption Client with Verbose/Debug logging enabled.
  • Endpoint Encryption Management Server logs, Drive Encryption logs, Symantec Endpoint Encryption for Bitlocker logs, and Removable Media Encryption logs.
  • The procedure to enable logging for the various Endpoint Encryption components.
  • The procedure to enable debug logs for Drive Encryption, Endpoint Encryption for Bitlocker, and Removable Media Encryption.
  • About the Symantec Endpoint Encryption for FileVault logs

Windows Event Logs for Drive Encryption, Symantec Endpoint Encryption for Bitlocker, and Removable Media Encryption are enabled by default. You do not need to create a registry key to enable event logs. Event logs are always written with an appropriate severity and reside on the local client computer, where you can view them through the Windows Event Viewer. For example, you can view the Removable Media Encryption event logs to determine whether a file was encrypted, and therefore whether the user's data was protected from disclosure.

For more information on Drive Encryption event logs, see the knowledge base article Drive Encryption Windows Event Log IDs.

For more information on Symantec Endpoint Encryption for Bitlocker event logs, see the knowledge base article Symantec Endpoint Encryption for Bitlocker - Windows Event Log IDs.

 

TIP: If the Symantec Endpoint Encryption application is crashing, see this helpful MSFT article for information on how to enable application crash dumps and provide them to Symantec Enterprise Support.

Environment

Endpoint Encryption 11.0 and above.

Resolution

Windows Verbose/Debug Installation of Endpoint Encryption Client

It is always recommended to install Endpoint Encryption with verbose MSI logging enabled, because the verbose log is useful in diagnosing many troubleshooting scenarios. To install Endpoint Encryption, run the following command from a command prompt with administrative permissions:
msiexec /i "SEE Client_x64.msi" /l*vx "%TMP%\SEE Client_x64.log"

For cases where troubleshooting requires SEE client debugging, the following command installs the Endpoint Encryption client and automatically enables debug logging in the client. This is not always necessary, but it is useful when the SEE client debug logs must also be captured:
msiexec /i "SEE Client_x64.msi" /l*vx "%TMP%\SEE Client_x64.log" MALOGLEVEL=DEBUG

Starting with Symantec Endpoint Encryption 11.2.0, the verbose install log is created automatically and can be found in the %TMP% folder of the machine. The file has a random name in the format MSIxxxxx.LOG. Open the file and search for "Symantec Endpoint Encryption" to confirm that you have found the correct one.


Pending Reboot Detection

It is recommended that systems be rebooted just before installing or upgrading Symantec Endpoint Encryption 11, because a pending reboot can cause the install/upgrade process to fail.

Starting with Symantec Endpoint Encryption 11.2.1, this reboot check is handled automatically. If a reboot is pending, the SEE client install halts and the MSIEXEC error code lists the reason as "1602 - The user cancels installation", to differentiate install failures caused by a pending reboot from general install failures. The pending reboot check halts the install for the following three reasons:

  • Reboot pending after Windows updates
  • Reboot pending due to SEE installs
  • Reboot pending due to other third-party installs

To force the SEE client install even though a reboot may be pending, use the following optional MSIEXEC parameter. This feature works only on SEE 11.2.1 and above and is not recommended by Symantec:
PRE_INSTALL_REBOOT_CHECK=NO

Symantec Endpoint Encryption 11.2.0 introduced an optional MSIEXEC parameter that halts the install if a system has a pending reboot. To add this check, append the following to the MSIEXEC command:
PRE_INSTALL_REBOOT_CHECK=YES

Adding the above will halt the install if a system must first be rebooted due to a previous installation such as a Windows update, or other third-party install that requires a reboot. It is always best to reboot a system to clear out this pending state for best success during an upgrade.
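The install procedure above, scripted end to end as an added example (this is not code from the article or from Symantec): it runs msiexec with the verbose log, optionally adds MALOGLEVEL=DEBUG, interprets the 1602 exit code that SEE 11.2.1 and later return for a pending reboot, and then locates the automatically created MSIxxxxx.LOG in %TMP%. The MSI path, the script parameters and the use of Start-Process are assumptions of this example; the exit codes 0, 3010 (success, reboot required) and 1602 are standard msiexec return values.

```powershell
# Added example, not part of the KB article. Assumes the MSI is in the current directory
# and that the script is run from an elevated PowerShell prompt.
param(
    [string]$MsiPath = ".\SEE Client_x64.msi",
    [switch]$DebugLogging,               # adds MALOGLEVEL=DEBUG (client debug logs on)
    [switch]$ForceDespitePendingReboot   # adds PRE_INSTALL_REBOOT_CHECK=NO (11.2.1+, not recommended)
)

$logPath = Join-Path $env:TMP 'SEE Client_x64.log'
# Mirror the article's command line: /i <msi> /l*vx <log>
$msiArgs = @('/i', "`"$MsiPath`"", '/l*vx', "`"$logPath`"")
if ($DebugLogging)              { $msiArgs += 'MALOGLEVEL=DEBUG' }
if ($ForceDespitePendingReboot) { $msiArgs += 'PRE_INSTALL_REBOOT_CHECK=NO' }

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0    { Write-Host "Install succeeded. Verbose log: $logPath" }
    3010 { Write-Host "Install succeeded; a reboot is required to finish. Verbose log: $logPath" }
    1602 { Write-Warning "Install halted with 1602. On SEE 11.2.1 and later this is the pending-reboot check; reboot the system and retry." }
    default { Write-Warning "msiexec returned $($proc.ExitCode); inspect $logPath for the failing action." }
}

# SEE 11.2.0 and later also write an automatic verbose log named MSIxxxxx.LOG in %TMP%.
# Pick the newest one that mentions Symantec Endpoint Encryption, as the article advises.
$autoLog = Get-ChildItem -Path $env:TMP -Filter 'MSI*.LOG' -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern 'Symantec Endpoint Encryption' -Quiet } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if ($autoLog) { Write-Host "Automatic MSI log: $($autoLog.FullName)" }
```

Add /qn to $msiArgs for an unattended install. Keep the two log files together with the case: the /l*vx log records every MSI action and property, and the MALOGLEVEL=DEBUG switch only affects the client's own TechLogs, not the MSI log.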

 

Endpoint Encryption Management Server logs

Logging for Client-Server Communication

To enable logging on the SEE Management Server:

  1. Backup the registry.
  2. Open the registry and navigate to this container:
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink
  3. Create the following registry key:
    Symantec.Endpoint.Encryption.GECommunicationWS
  4. Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\Symantec.Endpoint.Encryption.GECommunicationWS
  5. Create this DWORD entry:
    LogLevel
  6. Give LogLevel one of the following values:
  • 0 - Disables logging.
  • 1 - Log Errors.
  • 2 - Log Errors and enable Trace level logging.

By default, the log files are created in:
"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Encryption Management Server\Services\Logs"

A new log file is created each day and the naming format is gecws_MM_DD_YYYY.log or gecws_DD_MM_YYYY.log depending on the Management Server regional settings.

IMPORTANT: Write permission to the log directory must be granted to the user/identity that runs the "SymantecEndpointEncryptionAppPool" application pool in IIS.
(The identity can be found by opening IIS Manager > expanding the server name > Application Pools > Identity column for SymantecEndpointEncryptionAppPool.)

If LogLevel is set to 1, only a single line is written to the log file for each client check-in unless there is an error. The single line does not include the computer name. For example:
<--- Request end 16:30:25 GrpID=4, PlcyGrpID =4, PlcyID =4, PlcyStatus=PS_NO_CHANGE; Requested policies :FrRs <SUCCESS> {Log status: logging is enabled log level = LOG_ERR }

If LogLevel is set to 2, each successful check-in by a machine will generate over 20 lines of log entries. The first line will contain information such as the computer name and domain name. For example:
*** Trace ---> Request begin 16:53:35; CompID = {201E8B4C-6C2C-425E-9D6D-2C65743E8A55}, CompName = COMPUTER001, DnsdDomainName = example.com, geGuid = {201E8B4C-6C2C-425E-9D6D-2C65743E8A55}, adGuid = {ac0cb4cb-57e6-4fe1-9fcd-aa8e6bd29c74}, edGuid = null, os = 2
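The six-step procedure above, together with the IMPORTANT note about the application pool identity, as an added example that is not part of the article: it backs up the FileSink branch with reg.exe, creates the GECommunicationWS key and LogLevel DWORD, resolves the identity of SymantecEndpointEncryptionAppPool through the WebAdministration module, and grants that identity Modify rights on the Services\Logs folder with icacls. The use of the WebAdministration module, the identity mapping table and the backup file location are assumptions of this example.

```powershell
# Added example, not part of the KB article. Assumes it runs elevated on the SEE Management
# Server and that the IIS WebAdministration PowerShell module is installed.
param([ValidateSet(0, 1, 2)][int]$LogLevel = 1)   # 0 = off, 1 = errors, 2 = errors + trace

$fileSinkReg = 'HKLM\SOFTWARE\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink'
$fileSink    = "HKLM:\$($fileSinkReg.Substring(5))"
$wsKey       = Join-Path $fileSink 'Symantec.Endpoint.Encryption.GECommunicationWS'
$logDir      = Join-Path ${env:ProgramFiles(x86)} 'Symantec\Symantec Endpoint Encryption Management Server\Services\Logs'

# Step 1: back up the registry branch before changing it (backup path is an assumption)
$backup = Join-Path $env:TEMP ('FileSink-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $fileSinkReg $backup /y | Out-Null

# Steps 2-6: create the GECommunicationWS key and the LogLevel DWORD
New-Item -Path $wsKey -Force | Out-Null
New-ItemProperty -Path $wsKey -Name 'LogLevel' -PropertyType DWord -Value $LogLevel -Force | Out-Null

# IMPORTANT note: the app pool identity needs write access to the log directory.
Import-Module WebAdministration
$pool = Get-Item 'IIS:\AppPools\SymantecEndpointEncryptionAppPool'
$identity = switch ("$($pool.processModel.identityType)") {
    'ApplicationPoolIdentity' { 'IIS AppPool\SymantecEndpointEncryptionAppPool' }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $pool.processModel.userName }
}

New-Item -ItemType Directory -Path $logDir -Force | Out-Null
# (OI)(CI)M = Modify, inherited by files and subfolders; enough to create gecws_*.log daily
& icacls.exe $logDir /grant "$($identity):(OI)(CI)M" | Out-Null

Write-Host "LogLevel=$LogLevel set under $wsKey"
Write-Host "'$identity' granted Modify on $logDir (registry backup: $backup)"
```

Prefer LogLevel 1 for steady-state monitoring: at level 2 every successful check-in produces more than 20 lines, so on a busy server the daily gecws_*.log grows quickly. Return to 0 once the investigation is finished and remove the icacls grant if it was only needed for the case.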

 

Logging for Help Desk Web Console .NET application

This logging is helpful for troubleshooting server-side functions related to the Help Desk Web Console.

To enable logging, edit the "Log4Net.config" file, located by default at "%ProgramFiles(x86)%\Symantec\Symantec Endpoint Encryption Management Server\CommunicationWS\WebConsole\Log4Net.config".

You should find a value that looks like the one below:

Change the "OFF" value to the desired logging level. The choices are:

  • OFF
  • FATAL
  • ERROR
  • WARN
  • INFO
  • DEBUG
  • ALL

By default, logs will be generated in the following location: "%ProgramFiles(x86)%\Symantec\Symantec Endpoint Encryption Management Server\CommunicationWS\WebConsole\logs\webapp.log".

Logging for other Management Server functions (not communication related)

Logging for the following components is controlled by a global registry setting that contains the flag to enable or disable tracing, which you need to edit:

  • Endpoint Encryption Configuration Manager logs
  • Active Directory Synchronization Service logs
  • Novell Synchronization Service logs
  • Endpoint Encryption Users and Computers snap-in
  • Endpoint Encryption Reports snap-in
  • Endpoint Encryption Server Commands snap-in

These global settings are located at the following location in the registry hive:
HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\

In addition to the global settings, you need to set the application-specific settings for each component individually. Each application-specific registry key contains the following values:

  • tracedisabled - Specifies whether tracing is disabled.
    Value = 1 specifies that tracing is disabled
    Value = 0 specifies that tracing is enabled
  • tracelevel - Specifies the minimum trace level that is logged to file. The distinct numeric values and their meanings are:
    0 - Debug
    1 - Info
    2 - Warning
    3 - Error
    4 - Exception
  • BaseDirectory - Specifies the log directory. If this value is not present, the component logs to its application root directory. To log to a specific location, add this value manually and set it to any valid file system path, such as C:\Logs.

Following is the list of applications and their respective registry hive, which contain the tracedisabled, tracelevel, and BaseDirectory properties:

  • Endpoint Encryption Management Server Configuration Manager
    HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\Symantec.Endpoint.Encryption.ConfigManager
  • Active Directory Synchronization Service
    HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\Symantec.Endpoint.Encryption.ADSync
  • Novell Synchronization Service
    HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\Symantec.Endpoint.Encryption.NovellSync
  • Endpoint Encryption Users and Computers snap-in
    HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\GEMSGroupMagmtSnapIn
  • Endpoint Encryption Reports snap-in
    HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\GEMSReportsSnapIn
  • Endpoint Encryption Server Commands snap-in
    HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\ServerCmdsSnapIn
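The per-application tracedisabled, tracelevel and BaseDirectory settings above, as an added example that is not part of the article: a small PowerShell module that reports the current trace configuration of all six components and sets it for one of them. The component short names, the choice of REG_DWORD for tracedisabled and tracelevel and REG_SZ for BaseDirectory, and the function names are assumptions of this example; the key paths and value names come from the article.

```powershell
# Added example, not part of the KB article. Assumes it runs elevated on the SEE Management Server.
$fileSink = 'HKLM:\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink'

# Short names (assumed) mapped to the key names listed in the article
$components = @{
    ConfigManager           = 'Symantec.Endpoint.Encryption.ConfigManager'
    ADSync                  = 'Symantec.Endpoint.Encryption.ADSync'
    NovellSync              = 'Symantec.Endpoint.Encryption.NovellSync'
    UsersAndComputersSnapIn = 'GEMSGroupMagmtSnapIn'
    ReportsSnapIn           = 'GEMSReportsSnapIn'
    ServerCommandsSnapIn    = 'ServerCmdsSnapIn'
}
$levelNames = @('Debug', 'Info', 'Warning', 'Error', 'Exception')   # tracelevel 0..4

function Get-SeeTraceConfig {
    # One row per component; a missing key or value is shown as '-'
    foreach ($name in ($components.Keys | Sort-Object)) {
        $key = Join-Path $fileSink $components[$name]
        $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Component     = $name
            KeyExists     = [bool]$p
            TraceDisabled = if ($null -ne $p.tracedisabled) { $p.tracedisabled } else { '-' }
            TraceLevel    = if ($null -ne $p.tracelevel) { "$($p.tracelevel) ($($levelNames[$p.tracelevel]))" } else { '-' }
            BaseDirectory = if ($p.BaseDirectory) { $p.BaseDirectory } else { '-' }
        }
    }
}

function Set-SeeTraceConfig {
    param(
        [Parameter(Mandatory)][ValidateScript({ $components.ContainsKey($_) })][string]$Component,
        [ValidateRange(0, 4)][int]$TraceLevel = 0,   # 0 = Debug ... 4 = Exception
        [switch]$Disable,                            # sets tracedisabled = 1
        [string]$BaseDirectory                       # optional; created if it does not exist
    )
    $key = Join-Path $fileSink $components[$Component]
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'tracedisabled' -PropertyType DWord -Value ([int]$Disable.IsPresent) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'tracelevel'    -PropertyType DWord -Value $TraceLevel -Force | Out-Null
    if ($BaseDirectory) {
        New-Item -ItemType Directory -Path $BaseDirectory -Force | Out-Null
        New-ItemProperty -Path $key -Name 'BaseDirectory' -PropertyType String -Value $BaseDirectory -Force | Out-Null
    }
}

# Usage: Debug-level tracing for the AD Synchronization Service, written to C:\Logs, then show all six
Set-SeeTraceConfig -Component ADSync -TraceLevel 0 -BaseDirectory 'C:\Logs'
Get-SeeTraceConfig | Format-Table -AutoSize
```

Run Get-SeeTraceConfig before and after a support case: it makes it obvious which components were left at Debug and which BaseDirectory each one writes to, so nothing keeps tracing to an unexpected folder after the investigation ends.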

Drive Encryption and Management Agent client logs

The Endpoint Encryption for Windows installer creates a registry key for managing the Drive Encryption logs by default. This registry key is created at the following location in the registry hive:
HKLM\Software\Encryption Anywhere\Framework\LoggerConfig

Drive Encryption has the following log levels:
LogLevel = Error
LogLevel = Warning
LogLevel = Audit
LogLevel = Info
LogLevel = Verbose
LogLevel = Debug
LogLevel = Off

By default, the LogLevel value for Drive Encryption and the Management Agent is set to Warning. Info, Verbose, and Debug are the most commonly used log levels for Drive Encryption.

These logs are created at the following location on the client computer:
"%ProgramFiles%\Symantec\Endpoint Encryption Clients\Management Agent\TechLogs"

The Drive Encryption logs are named in the following format:
eedAAANN.log

where:

  • AAA can be Service, AdminCLI, user, and so on
  • NN is an integer value

Debug logging for Drive Encryption and the Management Agent

You can enable the Drive Encryption and Management Agent debug logging at the following location in the registry hive:
HKLM\Software\Encryption Anywhere\Framework\LoggerConfig

To enable debug logging, set this string (REG_SZ) entry as follows:

  • LogLevel = Debug

The Drive Encryption debug logs are eedServiceNN.log and eeduserNN.log. The Management Agent communication log is EACommunicatorSrvNN.log.

 

Endpoint Encryption for Bitlocker client-side logs

The Endpoint Encryption for Windows installer creates a registry key for managing the Endpoint Encryption for Bitlocker logs by default. This registry key is created at the following location in the registry hive:
HKLM\Software\Encryption Anywhere\Framework\LoggerConfig

Endpoint Encryption for Bitlocker has the following log levels:

LogLevel = ERROR
LogLevel = WARNING
LogLevel = AUDIT
LogLevel = INFO
LogLevel = VERBOSE
LogLevel = DEBUG
LogLevel = OFF

 

By default, the LogLevel value for Endpoint Encryption for Bitlocker is set to Warning. Info, Verbose, and Debug are the most commonly used log levels for Endpoint Encryption for Bitlocker.

These Endpoint Encryption for Bitlocker logs are created at the following location on the client computer:
"%ProgramFiles%\Symantec\Endpoint Encryption Clients\Management Agent\TechLogs"

The Endpoint Encryption for Bitlocker logs are named in the following format:

  • SymBitLockerServiceNN.log
  • BitLockerClientUINN.log

where:

  • NN is an integer value

Debug logging for Endpoint Encryption for Bitlocker

You can enable the Endpoint Encryption for Bitlocker debug logging at the following location in the registry hive:
HKLM\Software\Encryption Anywhere\Framework\LoggerConfig

To enable the Debug logs, you need to set:

  • LogLevel = DEBUG

Removable Media Encryption client-side debug logs

The Endpoint Encryption Client installer does not create a registry key for managing the SEE-RME debug logs by default, so you need to create it yourself to enable debug logging for Removable Media Encryption.

To enable debug logging for Removable Media Encryption, create a DWORD value named DebugLevel in the following registry location:

HKEY_CURRENT_USER\Software\Encryption Anywhere\Removable Storage\Client Database\User Configuration

The DebugLevel value has the following valid values:

  • 1: specifies that only errors are logged
  • 2: specifies that errors and warnings are logged
  • 3: debug level logging

Once you have created the DebugLevel entry, you can view the log entries using the Microsoft DebugView utility.
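The three client-side debug procedures above (Drive Encryption and Management Agent, Endpoint Encryption for Bitlocker, and Removable Media Encryption), as one added example that is not part of the article: it sets the LogLevel string under LoggerConfig, creates the RME DebugLevel DWORD under HKCU, collects the TechLogs folder into a zip for the support case, and returns LogLevel to its default of Warning. The function names, the zip location and the interactive prompt are assumptions of this example; the registry paths, value names and log file names come from the article.

```powershell
# Added example, not part of the KB article. Assumes it runs elevated on the SEE client, in the
# session of the user whose Removable Media Encryption activity is being traced (DebugLevel is per-user).
$loggerCfg = 'HKLM:\Software\Encryption Anywhere\Framework\LoggerConfig'
$rmeCfg    = 'HKCU:\Software\Encryption Anywhere\Removable Storage\Client Database\User Configuration'
$techLogs  = Join-Path $env:ProgramFiles 'Symantec\Endpoint Encryption Clients\Management Agent\TechLogs'

function Set-SeeClientLogLevel {
    # Drive Encryption, the Management Agent and SEE for Bitlocker all read LogLevel (REG_SZ) here
    param([ValidateSet('Error', 'Warning', 'Audit', 'Info', 'Verbose', 'Debug', 'Off')][string]$Level)
    New-Item -Path $loggerCfg -Force | Out-Null
    New-ItemProperty -Path $loggerCfg -Name 'LogLevel' -PropertyType String -Value $Level -Force | Out-Null
}

function Set-SeeRmeDebugLevel {
    # Removable Media Encryption uses its own DWORD: 1 = errors, 2 = errors + warnings, 3 = debug
    param([ValidateSet(1, 2, 3)][int]$Level)
    New-Item -Path $rmeCfg -Force | Out-Null
    New-ItemProperty -Path $rmeCfg -Name 'DebugLevel' -PropertyType DWord -Value $Level -Force | Out-Null
}

function Export-SeeTechLogs {
    # Zip the TechLogs folder (eedServiceNN.log, eeduserNN.log, EACommunicatorSrvNN.log,
    # SymBitLockerServiceNN.log, BitLockerClientUINN.log) and return the archive path
    param([string]$Destination = (Join-Path $env:TEMP ('SEE-TechLogs-{0:yyyyMMdd-HHmmss}.zip' -f (Get-Date))))
    Compress-Archive -Path (Join-Path $techLogs '*') -DestinationPath $Destination -Force
    return $Destination
}

# Typical support-case flow: debug on, reproduce, collect, then back to the default (Warning)
Set-SeeClientLogLevel -Level Debug
Set-SeeRmeDebugLevel  -Level 3
Read-Host 'Reproduce the issue now, then press Enter to collect the logs' | Out-Null
$zip = Export-SeeTechLogs
Set-SeeClientLogLevel -Level Warning
Write-Host "TechLogs collected to $zip; LogLevel reset to Warning."
Write-Host "RME DebugLevel is still 3: capture its output with DebugView, then delete the value."
```

Note that the RME DebugLevel value does not produce files in TechLogs; its output is only visible in DebugView, which must be running while the issue is reproduced.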

About the Symantec Endpoint Encryption for FileVault logs

Symantec Endpoint Encryption for FileVault has the following types of logs:

  • Daemon logs: com.symantec.encryption.SEEd

  • Agent logs: com.symantec.encryption.SEEAgent

You can view the Symantec Endpoint Encryption for FileVault logs using either of the following methods after logging in as an admin user.

  • Using Console.app
    - Open Console.app.
    - In the search field, enter "com.symantec.encryption.SEEd" for daemon logs or "com.symantec.encryption.SEEAgent" for Agent logs.

    TIP: Starting with Symantec Endpoint Encryption 11.3, the "log show" command is used, which contains useful information above and beyond the normal SEEd and SEEAgent logs.

  • Using the Terminal for command line access
    - Run the following command:
      log show --predicate 'subsystem == "<type of logs>"' --info --last <time duration>
      where <type of logs> is the daemon or Agent subsystem name and <time duration> is in hours or days. For example, "1h" means logs for the past hour and "5d" means logs for the past 5 days.
    - To output the SEEd logs for the last hour, run the following command:
      log show --predicate 'subsystem == "com.symantec.encryption.SEEd"' --info --last 1h > /tmp/SEEd.log
    - To output the SEEAgent logs for the last hour, run the following command:
      log show --predicate 'subsystem == "com.symantec.encryption.SEEAgent"' --info --last 1h > /tmp/SEEAgent.log

Logging for Endpoint Encryption for FileVault on Mac

In SEE 11.2.1 and earlier, check the following log locations on the Symantec Endpoint Encryption for FileVault client, although it is recommended to upgrade to SEE 11.3 and obtain the logs using "log show" as described above:
~/Library/Logs/SEEagent/SEEAgent.log
/Library/Logs/SEEd/SEEd.log

It is sometimes also useful to gather the following files:
/Library/Application Support/Symantec Endpoint Encryption/see.keychain
/Library/Application Support/Symantec Endpoint Encryption/see.dat