Configuring Endpoint Protection Communication Module Logging in 14.2 and later

Article ID: 171445

Products

Endpoint Protection

Issue/Introduction

This article describes steps for configuring the Communication Module logging in Symantec Endpoint Protection (SEP) 14.2 and later. This logging is used to troubleshoot communication issues between the SEP client and the Symantec Endpoint Protection Manager (SEPM). Communication module logging replaces Sylink logging.

Environment

SEP 14.2 and later.

Resolution

This article is for SEP on Windows. For other platforms, see How to enable SymDaemon debug logging for SEP for Mac and Overview of log and configuration files in SEP for Linux (sylink debugging).

 

To configure Communication Module Logging:

Endpoint Protection 14.3 RU2 and later

In SEP 14.3 RU2 and later, Communication Module logging can be enabled using the Client Management debug log settings:

  1. Open the SEP client UI.
  2. Click on Help -> Troubleshooting -> Debug Logs (on the left).
  3. Under Client Management, click the Edit Debug Log Settings button.
  4. Check the Debug On check box.
  5. Leave Debug level at 0.
  6. Set Log level to 0 - Debug (this is equivalent to setting the CVELogLevel registry key to 1).
  7. Set Log file size (KB) to 100000 (increase as needed).
  8. Click OK.

Additional Log level settings are as follows:

  • 0 - Debug is equivalent to CVELogLevel 1
  • 1 - Info is equivalent to CVELogLevel 2
  • 2 - Fatal is equivalent to CVELogLevel 3
  • 3 - Warning is equivalent to CVELogLevel 4

 

Endpoint Protection 14.2 and later

This method can still be used on 14.3 RU2 and later clients in addition to the UI method mentioned above.

Caution: Before you begin, you should make a backup of the Windows Registry. See the Microsoft article Back up the registry.

Note: Tamper protection must be disabled before you follow this process. If you do not disable Tamper Protection, it will block the required registry key modifications. To disable Tamper Protection, see the following article: Disable Tamper Protection

  1. To open the Registry Editor, click Start. In the Search programs and files field, enter regedit, and then click regedit.exe from the list of results.
    • Alternately, click Start > Run, enter regedit, and then click OK.
  2. Navigate to the following registry subkey:
    • HKLM\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
  3. Find or create the CVELogLevel (REG_DWORD) value and edit it to set the desired logging level. Supported values are:
    • 1 = Debug
    • 2 = Info
    • 3 = Warn
    • 4 = Error
    • 5 = Fatal

Note: When troubleshooting communication issues, a value of 1 is strongly recommended to ensure that all pertinent data is collected. If this value is not present or is configured to use an invalid value, the product will default to a logging level of 4.

  4. To adjust the maximum size of the logs, locate or create the CVELogSizeMB (REG_DWORD) value and edit it to set the maximum size of the logs in MB. The default size is 250 MB. When the size limit is reached, the log file name is appended with _yyyymmdd_hhmmss and a new log file is started, so nothing is lost due to the limit.

A service restart is not required for the new settings to take effect.
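The registry steps above as a PowerShell function, added here as an example; it is not part of the original article or of Symantec's tooling. The function name `Set-SepCommLogging`, its parameters and the 4096 MB upper bound are assumptions; the registry path and value names are the ones listed in the steps.

```powershell
# Added example. Run from an elevated PowerShell session, after Tamper Protection
# has been disabled as described in the note above.
function Set-SepCommLogging {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 1 = Debug, 2 = Info, 3 = Warn, 4 = Error, 5 = Fatal
        [Parameter(Mandatory)]
        [ValidateRange(1, 5)]
        [int]$Level,

        # Maximum log size in MB (article default: 250); upper bound is an assumed sanity limit
        [ValidateRange(1, 4096)]
        [int]$SizeMB = 250
    )

    $key = 'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'

    # Do not create the key itself: if it is absent, the path is wrong for this host.
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Registry key not found: $key"
    }

    $settings = @{ CVELogLevel = $Level; CVELogSizeMB = $SizeMB }
    foreach ($name in $settings.Keys) {
        if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $($settings[$name])")) {
            # -Force overwrites an existing value or creates it if missing
            New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord `
                -Value $settings[$name] -Force -ErrorAction Stop | Out-Null
        }
    }

    # Read back the stored values to confirm the change took effect
    $current = Get-ItemProperty -LiteralPath $key
    [pscustomobject]@{
        CVELogLevel  = $current.CVELogLevel
        CVELogSizeMB = $current.CVELogSizeMB
    }
}

# Enable debug logging while troubleshooting
Set-SepCommLogging -Level 1

# ... reproduce the communication issue, then collect cve.log and cve-actions.log ...

# Return to the default level (4) once the logs are collected
Set-SepCommLogging -Level 4
```

Running the function with `-WhatIf` shows the values that would be written without changing the registry.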

Note: For Mac-specific instructions, please see TECH132983.

Log and Data Location:

1. Communication logging will be found under C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs in the following two files:

  • cve.log
  • cve-actions.log

2. Additionally, opstate data will be written in the following files under C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\:

  • Registrationinfo.xml
  • Registration.xml
  • State.xml