
How to turn up logging for packetcapture not starting


Article ID: 198742


Products

Data Loss Prevention Enterprise Suite, Data Loss Prevention Core Package

Issue/Introduction

The packetcapture launcher fails to start and packetcapture logs are not being created.

Environment

Release: 15.8 and above

Component: Packet Capture

Cause

An unlogged error is preventing packet capture from starting or running correctly.

  • An AD account is used rather than a local account with sudoers
    • By default, an AD account does not go through the sudoers file to execute sudo commands. AD accounts bypass the /etc/sudoers and /etc/sudoers.d/SymantecDLPDetectionServer files.
  • A 3rd party app is replacing sudoers
    • DLP requires the use of sudoers for packet capture.
  • Incorrect permissions on certain files in the DLP directories
    • Certain files may cause the packet capture software to crash if their permissions are set incorrectly. On several occasions we have observed this problem without any indication in the logs, even at the FINEST level.

Resolution

Make the following changes to the loggers.

In MonitorLogging.properties, add:

com.vontu.util.OutputRedirector.level = FINER 

and change:

java.util.logging.FileHandler.level = FINER 

In PacketCaptureLogging.properties, change:

.level = FINEST 

java.util.logging.FileHandler.level = FINEST 

Recycle the detection server.

You can now use boxmonitor0.log to see why packetcapture will not start when packetcapture.log is not being created or written to.
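
The logger changes above can be applied with a script. This is an added example, not code from the article or the vendor. The function names are hypothetical, and the directory holding the two properties files is an assumption passed as an argument, since the article does not state its path.

```shell
#!/bin/sh
# Added example: apply the logger levels from this article idempotently.
# Assumption: $1 is the directory holding the two properties files
# (the article does not give its path).

# set_prop FILE KEY VALUE: rewrite the active "KEY = ..." line or append it.
set_prop() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # Keep one pristine copy so the levels can be reverted afterwards.
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig"
    tmp=$(mktemp) || return 1
    # Compare the whole key, not a pattern: ".level" (root logger) must not
    # match "java.util.logging.FileHandler.level" or commented-out lines.
    awk -v k="$key" -v v="$value" '
        {
            i = index($0, "=")
            name = (i > 0) ? substr($0, 1, i - 1) : ""
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == k) { if (!seen) print k " = " v; seen = 1; next }
            print
        }
        END { if (!seen) print k " = " v }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place (not mv) so owner and mode stay as they were;
    # the article lists wrong file permissions as one cause of the failure.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

apply_article_levels() {
    dir=$1
    set_prop "$dir/MonitorLogging.properties" com.vontu.util.OutputRedirector.level FINER &&
    set_prop "$dir/MonitorLogging.properties" java.util.logging.FileHandler.level FINER &&
    set_prop "$dir/PacketCaptureLogging.properties" .level FINEST &&
    set_prop "$dir/PacketCaptureLogging.properties" java.util.logging.FileHandler.level FINEST
}

# Run only when a directory is given; then recycle the detection server.
if [ "$#" -eq 1 ]; then
    apply_article_levels "$1"
fi
```

Restore the `.orig` copies once boxmonitor0.log has shown the cause, since FINEST logging is verbose.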