Increasing the logging level for Endpoint Protection on Linux system

Article ID: 247715

Products

Endpoint Security Complete Endpoint Protection

Issue/Introduction

You want to know how to change the logging level for the following logs used by the Symantec Endpoint Protection (SEP) agent for Linux:

- Common Agent Framework (cafagent) logging
- Anti-Malware Daemon (amddaemon) logging
- Common Virtual Environment (CVE) logging
- Extended LiveUpdate (i.e. Lux and Defutil) logging

Note: Increased logging can affect system performance and should only be enabled while troubleshooting an issue with the product. It is recommended to revert the logging configuration to the defaults for best performance during normal system operation.

Environment

Symantec Endpoint Protection agent for Linux version 14.3 RU1 and higher.

 

Resolution

The Common Agent Framework (CAF)

The CAF provides information related to agent activities such as communication with the server, enrollment, commands, events, policy version, and content version.

To change the logging level:

  1. Back up cafagent.log from /var/log/sdcss-caflog/ and then delete the original
  2. Browse to: /opt/Symantec/cafagent/bin
  3. Open "cafservicemain.properties" in a text editor
  4. At the end of the file, find "logging.loggers.root.level" and set its value to debug or trace:
    logging.loggers.root.level = trace
  5. Save the file
  6. Restart the cafagent:
    /etc/init.d/cafagent restart

 

The Antimalware logs (AMD)

The AMD logs provide information related to scanning.

To change the AMD logging level:

  1. Stop the sisamdagent:
    service sisamdagent stop
  2. Browse to: /opt/Symantec/sdcssagent/AMD/system
  3. Open "AntiMalware.ini" in a text editor
  4. Search for the following strings and update them to these values:
    amdmanagement.antimalware.trace.level=trace
    scanner.trace.level=full
    amdmanagement.logs.max.size=1024
  5. Save the file
  6. Start the sisamdagent:
    service sisamdagent start

Note: Revert the logging levels to their defaults after log collection is complete. Repeat steps 1-6, but replace the logging levels with the default values.

 

The Common Virtual Environment (CVE)

The CVE logs list the communications between the agent and Symantec Endpoint Protection Manager (SEPM).

To change the CVE logging level:

  1. Browse to: /opt/Symantec/cafagent/bin/
  2. Open "log4j.properties" in a text editor
  3. Update the string below:
    log4j.rootCategory=DEBUG, A1
    (Configurable log levels, from most to least verbose: DEBUG > INFO > WARN > ERROR > OFF)
  4. Save the file
  5. Restart the cafagent:
    /etc/init.d/cafagent restart

Note: CVE logging does not exist in the cloud-managed SEP agent (SES).

To set daily log rotation (available in 14.3 RU4 or later):

  1. Stop the service:
    /usr/lib/symantec/stop.sh
  2. Browse to: /opt/Symantec/cafagent/bin/
  3. Open "log4j.properties" in a text editor
  4. Update the string below:
    log4j.appender.A1=org.apache.log4j.DailyRollingFileAppender
  5. Start the service:
    /usr/lib/symantec/start.sh
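The CAF, AMD and CVE procedures above all come down to changing one key in a key=value file and, once log collection is done, putting the default back. The helper below is an added example, not Symantec tooling; it assumes each key appears at most once (as "key=value" or "key = value") and is exercised on constructed stand-ins for those files rather than on a live agent.

```shell
#!/bin/bash
# Added helper (not part of SEP): set or restore one key in the key=value
# files the procedures above edit (cafservicemain.properties, AntiMalware.ini,
# log4j.properties), keeping a pristine copy so the default can be restored.
# Assumption: each key appears at most once, as "key=value" or "key = value".
set -eu

# Escape a key for use inside an extended regular expression.
esc_re() { printf '%s' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g'; }

# get_property FILE KEY: print the current value (empty if the key is absent).
get_property() {
  sed -n -E "s|^[[:space:]]*$(esc_re "$2")[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# set_property FILE KEY VALUE: rewrite KEY's line, preserving the file's
# "key=value" vs "key = value" spacing; append the key if it is missing.
# The first call on a file saves FILE.orig (the defaults) for restore_defaults.
set_property() {
  file=$1 key=$2 value=$3
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  [ -e "$file.orig" ] || cp -p -- "$file" "$file.orig"
  k=$(esc_re "$key")
  v=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')   # neutralise sed specials
  if grep -q -E "^[[:space:]]*${k}[[:space:]]*=" "$file"; then
    tmp=$(mktemp)
    sed -E "s|^([[:space:]]*${k}[[:space:]]*=[[:space:]]*).*|\1${v}|" "$file" > "$tmp"
    cat -- "$tmp" > "$file"      # rewrite in place, keeping owner and mode
    rm -f -- "$tmp"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# restore_defaults FILE: put the pristine copy back and drop it.
restore_defaults() {
  [ -f "$1.orig" ] || { echo "no saved defaults for $1" >&2; return 1; }
  mv -f -- "$1.orig" "$1"
}

# Constructed stand-in for cafservicemain.properties (sample content, not the
# real file) so the helper can be exercised without touching a real agent.
make_sample_caf() {
  printf 'logging.channels.c1.class = FileChannel\nlogging.loggers.root.level = information\n' > "$1"
}
```

Run set_property on the real path only after stopping the relevant service as the procedure above describes, and restore_defaults once the logs have been collected.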

 

Extended LiveUpdate (i.e. Lux) debugging

LiveUpdate logging lists information relating to the process of connecting and downloading live content.

To enable extended LiveUpdate logging:

  1. Create or edit the file: /opt/Symantec/sdcssagent/AMD/sef/config/lux.logging.conf
  2. Make sure the following content is present:
    logger.enabled=true
    logger.level=debug
    logger.sink=file
    logger.sink.file.filePath=/opt/Symantec/sdcssagent/AMD/sef/Logs/lux.etl
  3. Save and close the file

At this point, you can either run LiveUpdate manually to generate the log or wait for LiveUpdate to run automatically. The log is not readable by end users; only Technical Support has the tools required for further analysis.

Extended Lux debugging can be disabled by deleting the file /opt/Symantec/sdcssagent/AMD/sef/config/lux.logging.conf.

 

Defutil

Defutil logging is helpful when the LiveUpdate log indicates a successful session, but definition updates are still not being applied.

To begin Defutil logging:

  1. Edit the file: /opt/Symantec/sdcssagent/AMD/sef/config/defutils.conf
  2. Uncomment these lines (remove the leading semicolon):
    ;defutillog_name=defutils.log
    ;defutillog_dir=/var/log/sdcsslog/amdlog
  3. Save and close the file
  4. Restart the SEP agent:
    /usr/lib/symantec/start.sh

The Defutils log can be found at the following location: /var/log/sdcsslog/amdlog/defutils.log