You want to know how to change the logging level for the following logs used by the Symantec Endpoint Protection (SEP) agent for Linux:
- Common Agent Framework (cafagent) logging
- Anti-Malware Daemon (amddaemon) logging
- CVE logging
- Extended LiveUpdate (i.e., Lux and Defutil) logging
Note: Increased logging can affect system performance and should be enabled when troubleshooting an issue with the product. It is recommended to revert the logging configuration to the defaults for best performance during normal system operation.
Symantec Endpoint Protection agent for Linux version 14.3 RU1 and higher.
The CAF provides information related to agent activities such as communication with the server, enrollment, commands, events, policy version, and content version.
To change the logging level:
logging.loggers.root.level = trace
/etc/init.d/cafagent restart
The AMD logs provide information related to scanning.
To change the AMD logging level:
service sisamdagent stop
amdmanagement.antimalware.trace.level=trace
scanner.trace.level=full
amdmanagement.logs.max.size=1024
service sisamdagent start
Note: Revert logging levels back to default after log collection is complete. Repeat steps 1-6, but replace the logging levels with the default values.
The CVE logs list the communications between the agent and Symantec Endpoint Protection Manager (SEPM).
To change the CVE logging level:
log4j.rootCategory=DEBUG, A1
* Configurable log level: DEBUG > INFO > WARN > ERROR > OFF
/etc/init.d/cafagent restart
NOTE: CVE logging does not exist in the cloud-managed SEP agent (SES)
To set the daily log rotation (can be set in 14.3 RU4 or later):
/usr/lib/symantec/stop.sh
log4j.appender.A1=org.apache.log4j.DailyRollingFileAppender
/usr/lib/symantec/start.sh
LiveUpdate logging lists information relating to the process of connecting and downloading live content.
To begin LiveUpdate extended logging:
Create or edit the file: /opt/Symantec/sdcssagent/AMD/sef/config/lux.logging.conf
Make sure the following content is present:
logger.enabled=true
logger.level=debug
logger.sink=file
logger.sink.file.filePath=/opt/Symantec/sdcssagent/AMD/sef/Logs/lux.etl
Save and close the file
At this point, you can either run LiveUpdate manually to generate the log or wait for LiveUpdate to run automatically. The log is unreadable for end users; only Technical Support has the tools required for further analysis.
Extended Lux debugging can be disabled by deleting the file /opt/Symantec/sdcssagent/AMD/sef/config/lux.logging.conf
Defutil logging is helpful when the LiveUpdate log indicates a successful session, but definition updates are still not being applied.
To begin Defutil logging:
1. Edit the file: /opt/Symantec/sdcssagent/AMD/sef/config/defutils.conf
2. Uncomment these lines:
;defutillog_name=defutils.log
;defutillog_dir=/var/log/sdcsslog/amdlog
3. Save and close the file
4. Restart the SEP agent:
/usr/lib/symantec/start.sh
The Defutils log can be found in the following location: /var/log/sdcsslog/amdlog/defutils.log
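The Lux and Defutil steps above can be scripted so they are repeatable and easy to audit afterwards. The following shell functions are an added example, not Symantec code or tooling; the function names and the `CONF_DIR` override are assumptions, while the file paths and keys are the ones given in this article.

```shell
#!/bin/sh
# Added example (not vendor code). CONF_DIR is an assumed override so the
# functions can be tried against a copy of the config directory first.
CONF_DIR="${CONF_DIR:-/opt/Symantec/sdcssagent/AMD/sef/config}"

# set_key FILE KEY VALUE: replace an existing "KEY=" line, or append one.
set_key() {
    [ -f "$1" ] || : > "$1"
    awk -F= -v k="$2" -v v="$3" '
        $1 == k { print k "=" v; found = 1; next }
        { print }
        END { if (!found) print k "=" v }' "$1" > "$1.tmp" &&
    cat "$1.tmp" > "$1" && rm -f "$1.tmp"   # cat keeps owner and mode
}

# Create or edit lux.logging.conf so the four documented keys are present.
enable_lux_logging() {
    lux="$CONF_DIR/lux.logging.conf"
    set_key "$lux" logger.enabled true
    set_key "$lux" logger.level debug
    set_key "$lux" logger.sink file
    set_key "$lux" logger.sink.file.filePath \
        /opt/Symantec/sdcssagent/AMD/sef/Logs/lux.etl
}

# The article's documented way to turn Lux debugging off: delete the file.
disable_lux_logging() { rm -f "$CONF_DIR/lux.logging.conf"; }

# Uncomment the two defutillog_* lines, keeping a .bak copy of the original.
enable_defutil_logging() {
    def="$CONF_DIR/defutils.conf"
    [ -f "$def" ] || { echo "missing: $def" >&2; return 1; }
    cp -p "$def" "$def.bak"
    sed -e 's/^;\(defutillog_name=\)/\1/' \
        -e 's/^;\(defutillog_dir=\)/\1/' "$def.bak" > "$def"
}

# Exit status 0 if either extended log is still switched on (for audits).
extended_logging_active() {
    [ -f "$CONF_DIR/lux.logging.conf" ] && return 0
    grep -Eq '^defutillog_(name|dir)=' "$CONF_DIR/defutils.conf" 2>/dev/null
}
```

Run the functions as root, and restart the agent as in step 4 after `enable_defutil_logging`. `extended_logging_active` can be called after log collection to confirm that debug logging was not left enabled.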