Enable debug logging for VMware Tools Windows File and Network introspection thin agent
Article ID: 339565

Products

VMware vSphere ESXi

Issue/Introduction

This article provides steps to enable logging for the Windows File Introspection and Network Introspection components of NSX Guest Introspection (formerly known as “vShield Endpoint”).


Environment

VMware vShield Endpoint 5.5.x
VMware vShield Endpoint 5.1.x

Resolution

Enabling debug logging for the Windows VMware Tools File introspection thin agent driver (vsepflt.sys):

Caution: This procedure requires you to modify the Windows registry. Before you modify the registry, be sure to back it up. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article.

1. Click Start > Run, type regedit, and click OK. The Registry Editor window opens. For more information, see the Microsoft Knowledge Base article.
Note: The preceding links were correct as of 29th April 2021. If you find that a link is broken, provide feedback and VMware will update the link.

2. Create this key using the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vsepflt\parameters

3. Create these two DWORDs (log_level and log_dest) under the newly created parameters key:
Note: Ensure that Hexadecimal is selected when entering these values. The ‘0x’ prefix only indicates hexadecimal notation; do not type ‘0x’ when adding the values in the registry. Selecting Hexadecimal is enough.

log_dest
Name: log_dest
Type: DWORD
Value: 0x1


Possible Values for log_dest parameter key:
log_dest
0x1 - Log destination set to DbgView or WinDbg
0x2 - Log destination set to vmware.log. You can find the log entries in the vmware.log file located in the folder of the affected virtual machine.
0x3 - Logs to both DbgView and vmware.log


Note: See the Microsoft documentation for capturing logs with Microsoft’s DbgView utility. Run DbgView with administrator privileges and select ‘Capture Kernel’ under the ‘Capture’ menu.

Note: The debug setting can flood the vmware.log file, and logs may be throttled in vmware.log. Be sure to disable debug mode as soon as you have collected all the required information.

log_level
Name: log_level
Type: DWORD
Value: 0x1F


Hex values for each logging level of the log_level parameter key:
log_level
0x1 - AUDIT
0x2 - ERROR
0x4 - WARN
0x8 - INFO
0x10 - DEBUG
0x1F - All logs


4. Based on the log_level and log_dest set, you should see the logs at appropriate locations.

Enabling debug logging for the WFP-based Network Introspection driver (vnetWFP.sys):
Confirm that the network introspection driver is present in your environment by running the following command from an elevated (administrator) command prompt:
sc query vnetwfp

Caution: This procedure requires you to modify the Windows registry. Before you modify the registry, be sure to back it up. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article.

1. Click Start > Run, type regedit, and click OK. The Registry Editor window opens.
For more information, see the Microsoft Knowledge Base article.
Note: The preceding links were correct as of 29th April 2021. If you find that a link is broken, provide feedback and VMware will update the link.

2. Create this key using the registry editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vnetwfp\parameters

3. Create these two DWORDs (log_level and log_dest) under the newly created parameters key:
Note: Ensure that Hexadecimal is selected when entering these values. The ‘0x’ prefix only indicates hexadecimal notation; do not type ‘0x’ when adding the values in the registry. Selecting Hexadecimal is enough.

log_dest
Name: log_dest
Type: DWORD
Value: 0x1

Possible Values for log_dest parameter key:

log_dest
0x1 - Log destination set to DbgView or WinDbg
0x2 - Log destination set to vmware.log. You can find the log entries in the vmware.log file located in the folder of the affected virtual machine.
0x3 - Logs to both DbgView and vmware.log


Note: See the Microsoft documentation for capturing logs with Microsoft’s DbgView utility. Run DbgView with administrator privileges and select ‘Capture Kernel’ under the ‘Capture’ menu.

Note: The debug setting can flood the vmware.log file, and logs may be throttled in vmware.log. Be sure to disable debug mode as soon as you have collected all the required information.

log_level
Name: log_level
Type: DWORD
Value: 0x1F


Hex values for each logging level of the log_level parameter key:
log_level
0x1 - AUDIT
0x2 - ERROR
0x4 - WARN
0x8 - INFO
0x10 - DEBUG
0x1F - All logs


4. Based on the log_level and log_dest set, you should see the logs at appropriate locations.
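
The two registry procedures above (vsepflt and vnetwfp), scripted as an added example; this is not VMware tooling and the function names are hypothetical. It assumes the log_level values combine as bit flags, as the 0x1F "All logs" entry implies, and that deleting the two values is an acceptable way to turn debug mode off again, which the article requires but does not describe.

```powershell
# Added example (not VMware tooling). Run from an elevated PowerShell prompt.
# Function and variable names here are hypothetical.

# log_level bit flags and log_dest values exactly as listed in this article.
$LogLevelBits  = @{ AUDIT = 0x1; ERROR = 0x2; WARN = 0x4; INFO = 0x8; DEBUG = 0x10 }
$LogDestValues = @{ DbgView = 0x1; VmwareLog = 0x2; Both = 0x3 }

function Get-ThinAgentKey([string]$Driver) {
    "HKLM:\SYSTEM\CurrentControlSet\services\$Driver\parameters"
}

function Enable-ThinAgentDebugLog {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('vsepflt', 'vnetwfp')]
        [string]$Driver,
        [ValidateSet('AUDIT', 'ERROR', 'WARN', 'INFO', 'DEBUG')]
        [string[]]$Levels = @('AUDIT', 'ERROR', 'WARN', 'INFO', 'DEBUG'),
        [ValidateSet('DbgView', 'VmwareLog', 'Both')]
        [string]$Destination = 'DbgView'
    )
    # Same presence check the article uses for vnetwfp; sc.exe exits non-zero
    # when the service does not exist, so no key is created for a missing driver.
    sc.exe query $Driver | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Driver '$Driver' is not installed; nothing changed." }

    # OR the selected level bits together (all five give 0x1F).
    $level = 0
    foreach ($name in $Levels) { $level = $level -bor $LogLevelBits[$name] }

    $key = Get-ThinAgentKey $Driver
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name log_level -PropertyType DWord -Value $level -Force | Out-Null
    New-ItemProperty -Path $key -Name log_dest -PropertyType DWord `
        -Value $LogDestValues[$Destination] -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object log_level, log_dest
}

function Disable-ThinAgentDebugLog {
    param([Parameter(Mandatory = $true)][ValidateSet('vsepflt', 'vnetwfp')][string]$Driver)
    # Assumption: deleting the two values is how debug mode is switched off;
    # the article says to disable it but does not give the steps.
    Remove-ItemProperty -Path (Get-ThinAgentKey $Driver) -Name log_level, log_dest `
        -ErrorAction SilentlyContinue
}

# Collect, then turn debug logging off again as the article requires:
# Enable-ThinAgentDebugLog -Driver vsepflt -Destination Both
# Disable-ThinAgentDebugLog -Driver vsepflt
```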

To enable UMC logging:

Note: On Windows XP and Windows Server 2003, create a tools config file if it doesn’t exist in the following path: C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools\tools.conf.

On Windows Vista, Windows 7 and Windows Server 2008, create a tools config file if it doesn’t exist in the following path: C:\ProgramData\VMware\VMware Tools\tools.conf

The “Application Data” and “ProgramData” folders are hidden. You will need to edit these files as Administrator.

1. Add these lines in the tools.conf file to enable UMC component logging.

With the following setting, the UMC component logs will be printed in the specified log file.

[logging]
log = true
vsep.level = debug
vsep.handler = file
vsep.data = c:/path/to/vsep.log


Additional Information

Troubleshooting vShield Endpoint / NSX Guest Introspection
Enabling debug logging for the VMware Tools vShield Endpoint Thin Agent driver