Set Automatic Persistent Agent Log Capture

Article ID: 290776


Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Set up high debug agent logging that persists across reboots, for issues that cannot be reproduced on demand.

Environment

  • App Control Console: All Supported Versions
  • App Control Windows Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

  • Not all issues can be reproduced on demand, so agent debug logging needs to be set up to run permanently until the issue recurs at its random interval.

Resolution

  1. Log in to the Console and navigate to Assets > Computers > relevant Computer.
  2. In the URL, note the value for host_id (example: https://<ServerAddress>/host-details.php?host_id=74)
  3. From the Computer Details page > right hand side > Advanced > Set Debug Level:
    • Debug Level: High & Include Kernel
    • Debug Duration: Permanent
    • Click GO
  4. Navigate to https://<ServerAddress>/agent_config.php > Add Agent Config
  5. Use the following details:
    • Property Name: TMP-Max Roll QTY (or something memorable)
    • Host ID: Value from Step 2 (ex: 74)
    • Value: max_rolled_trace_logs_to_keep=20
    • Status: Enabled
  6. Click Save & add another Agent Config using the following details:
    • Property Name: TMP-Max Roll Size (or something memorable)
    • Host ID: Value from Step 2 (ex: 74)
    • Value: max_rolling_trace_size_mb=500
    • Status: Enabled
  7. Click Save & add another Agent Config using the following details:
    • Property Name: Verbose Log Pattern (or something memorable)
    • Host ID: Value from Step 2 (ex: 74)
    • Value: Specify the Target Pattern or path that is being blocked, surrounded by asterisks (do not include drive letter)
      Example: kernelVerboseLogPattern=*Program Files*Accounting*dll*
    • Status: Enabled
  8. Optional: to capture logs for a specific event, such as "Execution Block", add a final Agent Config with the following details:
    • Property Name: Automatic Log Capture (or something relevant)
    • Host ID: Value from Step 2 (Ex: 74)
    • Value: Specify the Event Subtype ID and Target Pattern being blocked, surrounded by asterisks (do not include drive letter)
      Example for Unapproved Blocks: capture_log_on_matching_event=subtype=801,filename=*Program Files*Accounting*dll*
    • Status: Enabled
  9. After creating these Agent Configs, verify the Agent shows as Connected & Up to Date in Assets > Computers.
  10. Once the Agent generates an Event matching the scenario:
    • An Event in the Console will appear with Subtype: Agent Diagnostics Available
    • If desired, create an Alert to trigger on the Event Subtype.
    • Logs will be stored on the endpoint in: C:\ProgramData\Bit9\Parity Agent\Logs\HOSTNAME-Diagnostics-TIMESTAMP.zip
  11. Acquire the Diagnostics from the endpoint. 
  12. Navigate back to Assets > Computers > relevant Computer > right hand side > Advanced > Set Debug Level > None (default).
  13. Disable the Agent Configs created in Steps 5, 6, 7 and 8.
  14. Upload the Agent Logs to the support case.
  15. After confirming the Agent Logs have been received by Support, it may be beneficial to clear them from the endpoint.

Additional Information

  • capture_log_on_matching_event is a Kernel Configuration Property that triggers the capture of Agent Diagnostic Logs based on the Event Subtype and optional additional criteria.
    • Wildcards * or ? are supported in any string-type criterion.
    • There is a built-in delay of 5 seconds after the Event, so that activity immediately following it is also captured.
    • There is a built-in dwell time of 15 minutes: an auto log capture will not trigger until 15 minutes after the last auto log capture.
    • There is a limit of 10 auto log captures: no auto captures will occur until there are fewer than 10 captures in the logs directory.
    • The 15-minute dwell time and 10-capture maximum are there to stop poorly defined event criteria from generating large numbers of logs.
  • Setting the property to an empty string disables auto-logging.
  • A list of available Event Subtype IDs can be found on VMware Docs > Server Documentation > Events Guide.
  • Criteria for capture_log_on_matching_event include:

    Criteria        Type
    subtype         int
    loc_string_id   int
    hash_type       int
    hash            string
    param1          string
    param2          string
    param3          string
    username        string
    filename        string
    rule_id         int
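The following is an added example, not code from the article or from the App Control agent. It models the behaviour the Additional Information section describes: a capture_log_on_matching_event value is parsed into typed criteria (the table above), string criteria are matched with only * and ? as wildcards, and the 15-minute dwell time and 10-capture ceiling throttle how many captures fire. The comma-separated name=value layout, case-insensitive matching, and the sample events are assumptions made for the example; they are useful for sanity-checking a pattern before enabling it on an endpoint, where an over-broad pattern would otherwise burn through the capture limit on unrelated events.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Throttling values as stated in the article; how they are applied here is an
# assumption for the example, not the agent's own implementation.
DWELL_TIME = timedelta(minutes=15)  # no new capture until 15 min after the last
MAX_CAPTURES = 10                   # no captures while 10 already sit in Logs

INT_CRITERIA = {"subtype", "loc_string_id", "hash_type", "rule_id"}
STRING_CRITERIA = {"hash", "param1", "param2", "param3", "username", "filename"}


def parse_capture_criteria(value: str) -> Dict[str, object]:
    """Parse a value such as 'subtype=801,filename=*Program Files*Accounting*dll*'.
    Integer criteria become int, string criteria keep their wildcard pattern, and
    an empty string (which disables auto-logging) yields an empty dict.
    Assumes comma-separated name=value pairs (assumption for this example)."""
    criteria: Dict[str, object] = {}
    if not value.strip():
        return criteria
    for part in value.split(","):
        name, sep, raw = part.partition("=")
        name, raw = name.strip(), raw.strip()
        if not sep:
            raise ValueError(f"criterion without '=': {part!r}")
        if name in INT_CRITERIA:
            criteria[name] = int(raw)
        elif name in STRING_CRITERIA:
            criteria[name] = raw
        else:
            raise ValueError(f"unknown criterion: {name!r}")
    return criteria


def wildcard_match(pattern: str, text: str) -> bool:
    """Match using only * and ? as wildcards (the two the article names); every
    other character is literal. Case-insensitive because Windows paths are."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def event_matches(criteria: Dict[str, object], event: Dict[str, object]) -> bool:
    """True when every configured criterion matches the corresponding event field."""
    if not criteria:  # empty property: auto-logging disabled
        return False
    for name, expected in criteria.items():
        actual = event.get(name)
        if actual is None:
            return False
        if name in INT_CRITERIA:
            if int(actual) != expected:
                return False
        elif not wildcard_match(str(expected), str(actual)):
            return False
    return True


@dataclass
class AutoCaptureState:
    captures_on_disk: int = 0
    last_capture: Optional[datetime] = None


def should_capture(state: AutoCaptureState, now: datetime) -> bool:
    """Apply the 10-capture ceiling and the 15-minute dwell time."""
    if state.captures_on_disk >= MAX_CAPTURES:
        return False
    if state.last_capture is not None and now - state.last_capture < DWELL_TIME:
        return False
    return True


def process_events(criteria: Dict[str, object], events: List[Dict[str, object]]) -> List[str]:
    """Return ISO timestamps of the events that would trigger a diagnostics zip."""
    state = AutoCaptureState()
    captured: List[str] = []
    for ev in events:
        now: datetime = ev["time"]
        if event_matches(criteria, ev) and should_capture(state, now):
            state.captures_on_disk += 1
            state.last_capture = now
            captured.append(now.isoformat())
    return captured


# Constructed sample events (not real agent output), relative to a fixed start.
T0 = datetime(2024, 1, 1, 9, 0, 0)


def make_event(offset_minutes: int, subtype: int, filename: str) -> Dict[str, object]:
    return {"time": T0 + timedelta(minutes=offset_minutes),
            "subtype": subtype, "filename": filename}


def simulate_sample() -> List[str]:
    criteria = parse_capture_criteria("subtype=801,filename=*Program Files*Accounting*dll*")
    events = [
        make_event(0, 801, r"C:\Program Files\Accounting\ledger.dll"),   # captured
        make_event(1, 801, r"C:\Program Files\Accounting\report.DLL"),   # inside dwell time
        make_event(2, 802, r"C:\Program Files\Accounting\ledger.dll"),   # wrong subtype
        make_event(20, 801, r"C:\Program Files\Accounting\audit.dll"),   # captured
        make_event(21, 801, r"C:\Program Files\Sales\ledger.dll"),       # pattern mismatch
    ]
    return process_events(criteria, events)


if __name__ == "__main__":
    for stamp in simulate_sample():
        print("diagnostics capture at", stamp)
```

The leading * in the filename pattern is what lets a pattern written without a drive letter (as step 8 instructs) still match the full path the agent sees; the sample run produces exactly two captures, at 09:00 and 09:20, because the second matching event falls inside the dwell time.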