Increasing the logging level for Endpoint Protection on Linux system

Article ID: 247715

Products

Endpoint Security Complete Endpoint Protection

Issue/Introduction

You want to change the logging level for the following logs used by the Symantec Endpoint Protection (SEP) client for Linux:

- Common Agent Framework (cafagent)
- Antimalware (AMD)
- Common Virtual Environment (CVE)
- Extended LiveUpdate (Lux) debugging

(Note that increased logging can affect system performance and should be performed with the help of Broadcom Support. If you need to continue, it is important to remember to revert to the default logging configuration for best performance.)

 

Environment

SEP client for Linux version 14.3 RU1 and higher 

 

Resolution

The Common Agent Framework (CAF)

The CAF provides information related to agent activities such as communication with the server, enrollment, commands, events, policy version, and content version.

To change the logging level:

  1. Back up cafagent.log from /var/log/sdcss-caflog/ and then delete the original
  2. Browse to: /opt/Symantec/cafagent/bin
  3. Open “cafservicemain.properties” in a text editor
  4. At the end of the file, find “logging.loggers.root.level” and set its value to debug or trace:
    logging.loggers.root.level= trace
  5. Save the file
  6. Restart the cafagent:
    /etc/init.d/cafagent restart

 

The Antimalware logs (AMD)

The AMD logs provide information related to scanning.

To change the AMD logging level:

  1. Stop the sisamdagent:
    service sisamdagent stop
  2. Browse to: /opt/Symantec/sdcssagent/AMD/system
  3. Open "AntiMalware.ini" in a text editor
  4. Search and update the below strings:
    amdmanagement.antimalware.trace.level=trace
    scanner.trace.level=full
  5. Save the file
  6. Start the sisamdagent:
    service sisamdagent start

Note: Revert logging levels back to default after log collection is complete.  Repeat steps 1-6, but replace the logging levels with the default values.

 

The Common Virtual Environment (CVE)

The CVE logs list the communications between the agent and Symantec Endpoint Protection Manager (SEPM).

To change the CVE logging level:

  1. Browse to: /opt/Symantec/cafagent/bin/
  2. Open file "log4j.properties"
  3. Update the string below:
    log4j.rootCategory=DEBUG, A1
  4. Save the file
  5. Restart the cafagent:
    /etc/init.d/cafagent restart
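
The CAF, AMD and CVE procedures above each change one key in a key=value file and ask for the change to be reverted afterwards, but the article does not list the default values. The following is an added sketch, not Broadcom's code: it saves the original file once before editing and restores it later. The function names and the ".orig" suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example: change one key=value line in an agent config file while
# keeping a one-time copy of the original, so defaults can be restored later.
# Function names and the ".orig" suffix are assumptions of this example.

# set_log_level FILE KEY VALUE
# Returns 0 on success, 1 on I/O error or missing FILE, 2 if KEY is not in FILE.
set_log_level() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # Match the key literally (dots escaped), allowing spaces around '='.
    # A commented-out line such as "#key=..." does not match.
    pattern="^[[:space:]]*$(printf '%s' "$key" | sed 's/\./\\./g')[[:space:]]*="
    grep -q "$pattern" "$file" || { echo "key not found: $key" >&2; return 2; }
    # Back up only once, so a second run cannot overwrite the saved defaults.
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    # Escape characters that are special in a sed replacement.
    repl=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Rewrite only the matching line; all other lines pass through unchanged.
    sed "s|${pattern}.*|${key}=${repl}|" "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place (cat, not mv) so the file keeps its owner and mode.
    cat "$tmp" > "$file"; status=$?
    rm -f "$tmp"
    return $status
}

# restore_log_level FILE: put the saved original back and remove the copy.
restore_log_level() {
    file=$1
    [ -f "$file.orig" ] || { echo "no saved original for $file" >&2; return 1; }
    cat "$file.orig" > "$file" && rm -f "$file.orig"
}

# Usage with the article's paths and keys (as root; restart or stop/start the
# service as the corresponding procedure describes):
#   set_log_level /opt/Symantec/cafagent/bin/cafservicemain.properties \
#       logging.loggers.root.level trace
#   set_log_level /opt/Symantec/cafagent/bin/log4j.properties \
#       log4j.rootCategory "DEBUG, A1"
#   restore_log_level /opt/Symantec/cafagent/bin/cafservicemain.properties
```

Exit status 2 means the key was not found in the file; nothing is modified in that case, so a mistyped key never gets appended silently.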

 

Extended LiveUpdate (Lux) debugging

LiveUpdate logging lists information relating to the process of connecting and downloading live content.

To enable extended LiveUpdate logging:

  1. Create the file: /opt/Symantec/sdcssagent/AMD/sef/config/lux.logging.conf
  2. Enter the following contents in the file:
    logger.enabled=true
    logger.level=debug
    logger.sink=file
    logger.sink.file.filePath=/opt/Symantec/sdcssagent/AMD/sef/Logs/devlux.log
  3. Save and close the file

At this point, you can either run LiveUpdate manually to generate the log or wait for LiveUpdate to run automatically.
The log can be viewed at /opt/Symantec/sdcssagent/AMD/sef/Logs/devlux.log.

Extended Lux debugging can be disabled by deleting the file /opt/Symantec/sdcssagent/AMD/sef/config/lux.logging.conf