Configuring Endpoint Protection Communication Module Logging in 14.2 and later - CVE.log

Article ID: 171445


Products

Endpoint Protection

Issue/Introduction

This article describes steps for configuring the Communication Module logging in Symantec Endpoint Protection Client (SEP) 14.2 and later. This logging is used to troubleshoot communication issues between the SEP client and the Symantec Endpoint Protection Manager (SEPM). The communication module logging replaces Sylink logging functionality.

The log for client communication is cve.log.

Environment

SEP 14.2 and later.

Resolution

This article is specifically for Symantec Endpoint Protection 14.2+ on Windows.

To troubleshoot Symantec Endpoint Protection client communications with the Symantec Endpoint Protection Manager on a Mac or Linux device, see How to enable SymDaemon debug logging for SEP for Mac and Overview of log and configuration files in SEP for Linux (sylink debugging).

CVE.Log - Client communication logs

  • %programdata%\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs

To configure Communication Module Logging:

Endpoint Protection 14.3 RU2 and later

In SEP 14.3 RU2 and later, Communication Module logging can be enabled using the Client Management debug log settings.

  1. Open the SEP client UI.
  2. Click on Help -> Troubleshooting -> Debug Logs (on the left).
  3. Under Client Management, click the Edit Debug Log Settings button.
  4. Check the Debug On check box.
  5. Leave Debug level at 0.
  6. Set Log level to 0 - Debug (this is equivalent to setting the CVELogLevel registry key to 1).
  7. Set Log file size (KB) to 100000 (increase as needed).
  8. Click OK.

Additional Log level settings are as follows:

  • 0 - Debug is equivalent to CVELogLevel 1
  • 1 - Info is equivalent to CVELogLevel 2
  • 2 - Fatal is equivalent to CVELogLevel 3
  • 3 - Warning is equivalent to CVELogLevel 4


Manually creating Debug settings for Endpoint Protection 14.2 and later using the Windows registry.

This method can still be used on 14.3 RU2 and later clients in addition to the UI method mentioned above.

Caution: Before you begin, you should make a backup of the Windows Registry. See the Microsoft article Back up the registry.

Note: Tamper protection must be disabled before you follow this process. If you do not disable Tamper Protection, it will block the required registry key modifications. To disable Tamper Protection, see the following article: Disable Tamper Protection

  1. To open the Registry Editor, click Start. In the Search programs and files field, enter regedit, and then click regedit.exe from the list of results.
    • Alternately, click Start > Run, enter regedit, and then click OK.
  2. Navigate to the following registry subkey:
    • 64-bit prior to 14.3 RU5: HKLM\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
    • 64-bit 14.3 RU5 or higher: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
    • 32-bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
  3. Find or create the CVELogLevel (REG_DWORD) value and edit it to set the desired logging level. Supported values are:
    • 1 = Debug
    • 2 = Info
    • 3 = Warn
    • 4 = Error
    • 5 = Fatal

Note: When troubleshooting communication issues, a value of 1 is strongly recommended to ensure that all pertinent data is collected. If this value is not present or is configured to use an invalid value, the product will default to a logging level of 4.

  4. To adjust the maximum size of the logs, locate or create the CVELogSizeMB (REG_DWORD) value and set it to the maximum log size in MB. The default size is 250 MB. When that size is reached, the log file name is appended with _yyyymmdd_hhmmss and a new log file is started, so nothing is lost due to the limit.

A service restart is not required for the new settings to take effect.
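
The registry steps above can also be scripted. The following PowerShell is an added example, not part of the original article or of any Symantec tooling; the function names and the backup file location are hypothetical, and it assumes that when exactly one of the listed SyLink subkeys exists, that is the one the client reads.

```powershell
# Added example, not vendor code. Run in an elevated 64-bit PowerShell session
# with Tamper Protection disabled, as the article requires.
$CandidateKeys = @(   # the SyLink subkeys listed in step 2
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink',
    'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
)

function Get-SyLinkKey {
    # A 32-bit process on 64-bit Windows is silently redirected to WOW6432Node,
    # which would make the two candidate paths indistinguishable.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        throw 'Run this from 64-bit PowerShell.'
    }
    $found = @($CandidateKeys | Where-Object { Test-Path -LiteralPath $_ })
    # Assumption: when exactly one subkey exists, it is the one the client reads.
    if ($found.Count -ne 1) {
        throw "Found $($found.Count) SyLink subkeys; pass -Key using the article's version table."
    }
    $found[0]
}

function Get-CveLogLevel {
    param([string]$Key = (Get-SyLinkKey))
    $raw = (Get-ItemProperty -LiteralPath $Key -Name CVELogLevel -ErrorAction SilentlyContinue).CVELogLevel
    # Per the article, a missing or invalid value means the client logs at level 4.
    $effective = if ($raw -in 1..5) { $raw } else { 4 }
    [pscustomobject]@{ Key = $Key; Configured = $raw; Effective = $effective }
}

function Set-CveLogging {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 5)][int]$Level,   # 1 = Debug ... 5 = Fatal
        [ValidateRange(1, [int]::MaxValue)][int]$SizeMB = 250,    # 250 MB is the stated default
        [string]$Key = (Get-SyLinkKey),
        [string]$BackupFile = "$env:TEMP\SyLink-backup.reg"       # hypothetical backup location
    )
    $ErrorActionPreference = 'Stop'   # surface a blocked registry write as an error
    # Export only this subkey first; a narrower backup than the full one the article advises.
    & reg.exe export ($Key -replace '^HKLM:', 'HKLM') $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; nothing was changed." }
    New-ItemProperty -LiteralPath $Key -Name CVELogLevel  -PropertyType DWord -Value $Level  -Force | Out-Null
    New-ItemProperty -LiteralPath $Key -Name CVELogSizeMB -PropertyType DWord -Value $SizeMB -Force | Out-Null
    Get-CveLogLevel -Key $Key   # read back; no service restart is needed
}

# Typical use (left commented out so loading the file changes nothing):
#   Set-CveLogging -Level 1     # while troubleshooting
#   Set-CveLogging -Level 4     # afterwards, back to the default level
```

Returning the level to 4 once troubleshooting is finished keeps debug-level communication logs from accumulating on the endpoint.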

Log and Data Location:

1. Communication logging will be found under C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs in the following two files:

  • cve.log
  • cve-actions.log

2. Additionally, opstate data will be written in the following files under C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\

  • Registrationinfo.xml
  • Registration.xml
  • State.xml


Additional Information

For SEP 14 RU1 MP2 and earlier versions, see the following article to enable Sylink debug logging:

How to debug the Symantec Endpoint Protection client