Understanding Log Rotation and Retention for sisamd_*.log on SEP for Linux

Article ID: 428981

Products

Endpoint Protection, Endpoint Security

Issue/Introduction

When attempting to review the Anti-Malware Daemon (AMD) logs on a Symantec Endpoint Protection (SEP) Linux agent, the file /var/log/sdcsslog/amdlog/sisamd_0.log is missing from the directory. This article explains the scenarios in which this log file may be absent, deleted, or rotated.

Environment

SEP 14.3 RU1 and later Linux agents

Resolution

The creation, rotation, and deletion of sisamd_*.log files are governed by the settings within the Anti-Malware Daemon configuration files.

Configuration File Paths

The parameters controlling log behavior are located in:

  • /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini
  • /opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini.1

Log Rotation Parameters

The following settings in the .ini files define the size thresholds for the logs:

| Parameter | Default Value | Description |
| --- | --- | --- |
| amdmanagement.log.rotate.size | 10 (MB) | The maximum size a single log file reaches before rotation occurs. |
| amdmanagement.logs.max.size | 100 (MB) | The maximum cumulative size allowed for all sisamd logs in the directory. |

Log Rotation Logic

The SEP Linux agent manages logs through a sequential rotation process:

  • Individual File Limit: When sisamd_0.log exceeds the size specified in amdmanagement.log.rotate.size (default 10 MB), the agent rotates the file and begins writing to the next incremented filename (e.g., sisamd_1.log).
  • Total Directory Limit: The agent continuously monitors the total size of all files matching the sisamd_*.log pattern.
  • Automatic Deletion: If the total size of these logs exceeds the amdmanagement.logs.max.size (default 100 MB), the agent automatically deletes the oldest log file to make room for new data.
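
Added example (not part of the original article and not Symantec code): a Python check that reads the two limits and reports how much headroom remains before the automatic deletion rule applies, and which sisamd_*.log file would be removed first. It assumes key=value lines in AntiMalware.ini, that "MB" means 2^20 bytes, and that "oldest" means oldest modification time; the directory built in demo() is constructed sample data.

```python
import glob, os, re, tempfile

MB = 1024 * 1024  # assumption: the article's "MB" means 2**20 bytes
DEFAULTS = {"amdmanagement.log.rotate.size": 10, "amdmanagement.logs.max.size": 100}

def read_limits(ini_path):
    """Return both limits in MB; fall back to the defaults the article lists."""
    limits = dict(DEFAULTS)
    try:
        with open(ini_path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                # Assumption: settings are stored as key=value lines.
                m = re.match(r"\s*([\w.]+)\s*=\s*(\d+)", line)
                if m and m.group(1) in limits:
                    limits[m.group(1)] = int(m.group(2))
    except OSError:
        pass  # file missing or unreadable: keep the defaults
    return limits

def retention_report(log_dir, limits):
    """Summarise how close the sisamd_*.log set is to automatic deletion."""
    paths = glob.glob(os.path.join(log_dir, "sisamd_*.log"))
    sizes = {os.path.basename(p): os.path.getsize(p) for p in paths}
    # Assumption: "oldest" is judged by modification time.
    by_age = sorted(paths, key=os.path.getmtime)
    total = sum(sizes.values())
    return {
        "total_bytes": total,
        "headroom_bytes": limits["amdmanagement.logs.max.size"] * MB - total,
        "next_deleted": os.path.basename(by_age[0]) if by_age else None,
        "over_rotate_size": sorted(n for n, s in sizes.items()
                                   if s > limits["amdmanagement.log.rotate.size"] * MB),
        "has_sisamd_0": "sisamd_0.log" in sizes,
    }

def demo():
    """Build a constructed log directory (sparse files) and report on it."""
    d = tempfile.mkdtemp()
    ini = os.path.join(d, "AntiMalware.ini")
    with open(ini, "w") as fh:
        fh.write("amdmanagement.log.rotate.size=10\namdmanagement.logs.max.size=30\n")
    layout = [("sisamd_3.log", 2), ("sisamd_2.log", 10), ("sisamd_1.log", 10)]
    for age, (name, size_mb) in enumerate(layout):
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.truncate(size_mb * MB)  # sparse file of the requested size
        os.utime(p, (1_700_000_000 - age * 3600,) * 2)  # later entries are older
    return retention_report(d, read_limits(ini))
```

On an agent, the same report comes from retention_report("/var/log/sdcsslog/amdlog", read_limits("/opt/Symantec/sdcssagent/AMD/system/AntiMalware.ini")); low headroom_bytes means the file named in next_deleted should be collected before it is removed.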

Service Restart Behavior

Note that whenever the sisamdagent service is restarted, the logging process resets. The agent will immediately begin writing new entries to sisamd_0.log, regardless of the previous state of the log files.