Overview of log and configuration files in Symantec Endpoint Protection for Linux (versions 14.3.1169 or older)

Article ID: 161862

Products

Endpoint Protection

Issue/Introduction

What kinds of debug logging does Symantec Endpoint Protection (SEP) for Linux produce, where are the log and configuration files, and how is logging configured?

Environment

NOTE: This article applies only to SEP for Linux versions 14.3 MP1 (14.3.1169) or older. For SEP Linux Agent 14.3 RU1 (14.3.3384) or newer, see Troubleshooting the Symantec Linux Agent.

Resolution

SEP for Linux configuration files:

  • /etc/Symantec.conf - BaseDir and JAVA_HOME paths used by SEP. These should not be changed, except for JAVA_HOME when necessary. JAVA_HOME is not used in SEP 14 and newer.

SEP for Linux logging:

  • installation logs
  • sylink: client-server communications
  • vpdebug: antivirus configuration and scans
  • liveupdate: antivirus definition update downloads
  • defutil: antivirus definition update processing (post-download)
  • daemon debug logging: rtvscand, smcd, symcfgd (of less utility than the logs above)
  • syslog: client system event logging

Installation

Not all logs may be present, depending on version and components chosen for installation:

/root/sepap-install.log
/root/sepap-legacy-install.log
/root/sepfl-install.log
/root/sepfl-kbuild.log
/root/sep-install.log
/root/sepjlu-install.log
/root/sepui-install.log

Sylink/Communication Module

In SEP 14 and newer, the sylink debug log path is /var/symantec/sep/Logs/debug.log

To enable sylink debug logging, create a new text file named /etc/symantec/sep/log4j.properties, with the following contents:

log4j.appender.A1=org.apache.log4j.FileAppender
log4j.appender.A1.fileName=/var/symantec/sep/Logs/debug.log
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%d{%Y-%m-%dT%H:%M:%S.%l%Z} %t %p %c{2.EN_US} %m%n
log4j.rootCategory=DEBUG, A1

Then restart the smc daemon:

sudo service smcd restart

Note: Debug logging is intended for troubleshooting; disable it once log collection is complete.

Vpdebug

vpdebug logging is saved to /opt/Symantec/symantec_antivirus/vpdebug.log

To enable vpdebug:

cd /opt/Symantec/symantec_antivirus
sudo ./symcfg add --key '\Symantec Endpoint Protection\AV\ProductControl\' --value 'Debug' --data 'ALL' --type REG_SZ

Repeat the command above with an empty --data string to turn vpdebug off. Restart rtvscand for the settings change to take effect:

sudo service rtvscand restart

WARNING: SEP for Linux vpdebug logging will quickly grow quite large.

Note: Debug logging is intended for troubleshooting; disable it once log collection is complete.

LiveUpdate

  • SEP 14 and newer
    LiveUpdate logging is saved by default to /opt/Symantec/LiveUpdate/Logs/lux.log

    Extended lux debug logging can be enabled by creating /etc/symantec/lux.logging.conf (NOT /etc/symantec/sep/...) with the following contents:

    logger.enabled=true
    logger.level=debug
    logger.sink=file
    logger.sink.file.filePath=/opt/Symantec/LiveUpdate/Logs/devlux.log

    lux.logging.conf parameters are case sensitive.

    Multiple devlux_####.log files will be generated, each suffixed with the PID of the liveupdate process.

    You may optionally set "logger.sink=console,file" so that the LiveUpdate command line (sav liveupdate -u) also echoes lux debug logging to stdout.

Note: Debug logging is intended for troubleshooting; disable it once log collection is complete.

Defutil

Defutil logging is saved to /opt/Symantec/virusdefs/defutil.log (for example). The log name is specified in the configuration below; "defutil.log" is used here, but any name will do. Defutil logging is helpful when the LiveUpdate log indicates a successful session but definition updates are still not being applied, for example when a "Failure in post processing" error is seen at the command line while attempting to update definitions. To enable defutil logging, edit or create the file /etc/symc-defutils.conf, add a [defutillog] section if it does not exist, and add "defutillog_name=defutil.log".

Example entry in symc-defutils.conf:

[defutillog]
defutillog_name=defutil.log

In SEP 14.2 and newer, create an empty defutil.log under the /opt/Symantec/virusdefs directory before editing symc-defutils.conf.
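The four debug facilities above (sylink, vpdebug, LiveUpdate, defutil) are each meant to be switched off again after log collection. As an added example that is not part of this article, the following POSIX shell script checks a host for debug configuration that was left enabled and reports how large the logs the article lists have grown; the ROOT prefix argument, the --demo option and the constructed sample tree are assumptions of the example, while all paths and keys are the article's.

```shell
#!/bin/sh
# Added example, not from the article: audit a SEP for Linux (14.3.1169 or older)
# host for debug logging that was left enabled and report how large the logs the
# article lists have grown. ROOT is an assumed prefix ("" = live host) so a copied
# filesystem tree can be audited too; --demo runs against a constructed tree.

# Echo one "facility: reason" line per debug facility that is still switched on.
sep_debug_enabled() {
  root=${1:-}
  # sylink: smcd debug logging is on whenever log4j.properties exists.
  l4j="$root/etc/symantec/sep/log4j.properties"
  if [ -f "$l4j" ]; then echo "sylink: $l4j present"; fi
  # LiveUpdate: lux.logging.conf keys are case sensitive, so match the exact key.
  lux="$root/etc/symantec/lux.logging.conf"
  if [ -f "$lux" ] && grep -q '^logger\.enabled=true$' "$lux"; then
    echo "liveupdate: logger.enabled=true in $lux"
  fi
  # defutil: a defutillog_name entry in symc-defutils.conf enables defutil logging.
  dcfg="$root/etc/symc-defutils.conf"
  if [ -f "$dcfg" ] && grep -q '^defutillog_name=' "$dcfg"; then
    echo "defutil: $(grep '^defutillog_name=' "$dcfg") in $dcfg"
  fi
  # vpdebug: the symcfg Debug value is not a file; a non-empty vpdebug.log is the sign.
  vp="$root/opt/Symantec/symantec_antivirus/vpdebug.log"
  if [ -s "$vp" ]; then echo "vpdebug: $vp is $(wc -c < "$vp" | tr -d ' ') bytes"; fi
}

# Print "<path> <bytes>" for each of the main article-listed logs this install has.
sep_log_report() {
  root=${1:-}
  for f in /root/sep-install.log /var/symantec/sep/Logs/debug.log \
      /opt/Symantec/symantec_antivirus/vpdebug.log /opt/Symantec/LiveUpdate/Logs/lux.log \
      /opt/Symantec/virusdefs/defutil.log /var/symantec/Logs/syslog.log; do
    if [ -f "$root$f" ]; then echo "$f $(wc -c < "$root$f" | tr -d ' ')"; fi
  done
}

# Constructed sample tree (not a real host) so the audit can be exercised offline.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/etc/symantec/sep" "$t/opt/Symantec/symantec_antivirus" "$t/var/symantec/Logs"
  printf 'log4j.rootCategory=DEBUG, A1\n' > "$t/etc/symantec/sep/log4j.properties"
  printf 'logger.enabled=true\nlogger.level=debug\n' > "$t/etc/symantec/lux.logging.conf"
  printf '[defutillog]\ndefutillog_name=defutil.log\n' > "$t/etc/symc-defutils.conf"
  printf 'constructed vpdebug line\n' > "$t/opt/Symantec/symantec_antivirus/vpdebug.log"
  : > "$t/var/symantec/Logs/syslog.log"
  echo "$t"
}

if [ "${1:-}" = --demo ]; then r=$(make_sample_tree); sep_debug_enabled "$r"; sep_log_report "$r"; rm -rf "$r"; fi
```

Run without arguments on the host itself to audit the live paths; an empty result means none of the four debug facilities is configured on.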

Syslog

System event logging is saved by default to /var/symantec/Logs/syslog.log and is always on.

Events which can be observed in the system event log include:

  • A LiveUpdate session ran successfully
  • Applied new policy
  • Connected to Symantec Endpoint Protection Manager
  • Received a new policy
  • Symantec Management Client has been started/stopped
  • The client has successfully downloaded and applied license file