Overview of log and configuration files in Symantec Endpoint Protection for Linux

Article ID: 161862

Products

Endpoint Protection

Issue/Introduction

What kinds of debug logging does SEP for Linux produce, where are the log and configuration files, and how is logging configured?

Resolution

SEP for Linux configuration files:

  • /etc/liveupdate.conf - Not present in SEP 14 and newer. LiveUpdate configuration in SEP 12.1.x. See The default contents of liveupdate.conf in SEP for Linux.
  • /etc/Symantec.conf - BaseDir and JAVA_HOME paths used by SEP. These should not be changed, with the exception of JAVA_HOME when necessary. JAVA_HOME is not used in SEP 14 and newer.

SEP for Linux logging:

  • installation logs
  • sylink: client-server communications
  • vpdebug: antivirus configuration and scans
  • liveupdate: antivirus definition update downloads 
  • defutil: antivirus definition update processing (post-download)
  • daemon debug logging: rtvscand, smcd, symcfgd (of lesser utility than the logs above)
  • syslog: client system event logging

Installation

Not all of these logs will be present; which ones exist depends on the SEP version and the components chosen at installation:

/root/sepap-install.log
/root/sepap-legacy-install.log
/root/sepfl-install.log
/root/sepfl-kbuild.log
/root/sep-install.log
/root/sepjlu-install.log
/root/sepui-install.log

Sylink/Communication Module

Sylink logging in SEP 12.1.x is saved to /var/symantec/Logs/debug.log.
In SEP 14 and newer, the path is /var/symantec/sep/Logs/debug.log.

To enable sylink debug logging, create a new text file named /etc/symantec/sep/log4j.properties (/etc/symantec/log4j.properties in SEP 12.1.x) with the following contents. In SEP 12.1.x, set fileName to /var/symantec/Logs/debug.log instead; do not put the note on the property line itself, since a trailing "#" is not a comment in a properties file and would become part of the path:

log4j.appender.A1=org.apache.log4j.FileAppender
log4j.appender.A1.fileName=/var/symantec/sep/Logs/debug.log
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%d{%Y-%m-%dT%H:%M:%S.%l%Z} %t %p %c{2.EN_US} %m%n
log4j.rootCategory=DEBUG, A1

Then, restart the smc daemon:

sudo service smcd restart

Vpdebug

vpdebug logging is saved to /opt/Symantec/symantec_antivirus/vpdebug.log

To enable vpdebug:

cd /opt/Symantec/symantec_antivirus
sudo ./symcfg add --key '\Symantec Endpoint Protection\AV\ProductControl\' --value 'Debug' --data 'ALL' --type REG_SZ

Repeat the command above with an empty --data string to turn vpdebug off. Restart rtvscand for the setting change to take effect:

sudo service rtvscand restart

WARNING: SEP for Linux vpdebug logging will quickly grow quite large.

LiveUpdate

  • SEP 12.1.x
    LiveUpdate logging is saved by default to /opt/Symantec/LiveUpdate/liveupdt.log and is always on. The default liveupdt.log file path can be changed by editing /etc/liveupdate.conf. See The default contents of liveupdate.conf in SEP for Linux.

  • SEP 14 and newer
    LiveUpdate logging is saved by default to /opt/Symantec/LiveUpdate/Logs/lux.log.

    Extended lux debug logging can be enabled by creating /etc/symantec/lux.logging.conf (NOT /etc/symantec/sep/...) with the following contents:

    logger.enabled=true
    logger.level=debug
    logger.sink=file
    logger.sink.file.filePath=/opt/Symantec/LiveUpdate/Logs/devlux.log

    Note that lux.logging.conf parameters are case sensitive.

    Multiple devlux_####.log files will be generated, each suffixed with the PID of the liveupdate process.

    You may optionally set "logger.sink=console,file" so that the LiveUpdate command line (sav liveupdate -u) also echoes lux debug logging to stdout.
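Because the lux.logging.conf keys are case sensitive, a mis-cased key (for example "filepath" instead of "filePath") silently leaves extended logging unconfigured. The following shell function is an added example, not part of the Broadcom article or of SEP itself: it reads a candidate configuration file and reports keys that are unknown, malformed, or differ from the four documented keys only by case. The known-key list is taken from the article; the file path is a parameter so the check can be run against a draft before copying it to /etc/symantec.

```shell
#!/bin/sh
# Added example (not from the article or from SEP): validate a draft
# lux.logging.conf before installing it as /etc/symantec/lux.logging.conf.

# The four keys the article documents; comparisons are case sensitive.
LUX_KNOWN_KEYS="logger.enabled logger.level logger.sink logger.sink.file.filePath"

lowercase() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# Usage: check_lux_logging_conf <file>
# Prints one line per problem; returns 0 when the file is clean, 1 otherwise.
check_lux_logging_conf() {
    conf="$1"
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;              # skip blank lines and comments
        esac
        key="${line%%=*}"
        if [ "$key" = "$line" ]; then
            echo "malformed (no '='): $line"
            rc=1
            continue
        fi
        match=""
        for known in $LUX_KNOWN_KEYS; do
            if [ "$key" = "$known" ]; then
                match="exact"
                break
            fi
            # Same key spelled with different case: the daemon will not honour it
            if [ "$(lowercase "$key")" = "$(lowercase "$known")" ]; then
                match="case:$known"
                break
            fi
        done
        case "$match" in
            exact) ;;
            case:*) echo "wrong case: '$key' should be '${match#case:}'"; rc=1 ;;
            *)      echo "unknown key: '$key'"; rc=1 ;;
        esac
    done < "$conf"
    return $rc
}

# Typical use: check_lux_logging_conf ./lux.logging.conf && sudo cp ./lux.logging.conf /etc/symantec/
```

The value side is deliberately not validated, since the article documents only "true", "debug", "file" and "console,file" as examples rather than an exhaustive list.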

Defutil

Defutil logging is saved to a file under /opt/Symantec/virusdefs, for example /opt/Symantec/virusdefs/defutil.log. The log name is specified in the configuration below; "defutil.log" is used here, but any name will do. Defutil logging is helpful when the LiveUpdate log indicates a successful session but definition updates are still not being applied, for example when a "Failure in post processing" error is seen at the command line when attempting to update definitions. To enable defutil logging, edit or create /etc/symc-defutils.conf, add a [defutillog] section if it does not exist, and add "defutillog_name=defutil.log" under it.

Example entry in symc-defutils.conf:

[defutillog]
defutillog_name=defutil.log


In SEP 14.2 and newer, create an empty defutil.log under the /opt/Symantec/virusdefs directory first, before editing symc-defutils.conf.
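The edit above has to cope with three states of symc-defutils.conf: the file is missing, the [defutillog] section is missing, or the section exists but has no defutillog_name key. The shell function below is an added example, not part of the Broadcom article or of SEP; it performs that edit idempotently, honours the SEP 14.2 note by creating the empty log file first, and never duplicates a section or overrides a name that is already configured. The configuration path and definitions directory are parameters (defaulting to the article's /etc/symc-defutils.conf and /opt/Symantec/virusdefs) so the function can be exercised on a scratch copy.

```shell
#!/bin/sh
# Added example (not from the article or from SEP): idempotently enable
# defutil logging in symc-defutils.conf.

# Usage: ensure_defutil_logging [conf] [logname] [defsdir]
ensure_defutil_logging() {
    conf="${1:-/etc/symc-defutils.conf}"
    logname="${2:-defutil.log}"
    defsdir="${3:-/opt/Symantec/virusdefs}"

    # SEP 14.2+: the empty log file must exist before the config is edited.
    if [ -d "$defsdir" ] && [ ! -e "$defsdir/$logname" ]; then
        : > "$defsdir/$logname"
    fi

    [ -f "$conf" ] || : > "$conf"          # create the file if it is absent

    if grep -q '^\[defutillog\]' "$conf"; then
        # Section exists: leave it alone if a name is already configured.
        if awk '/^\[/ { insec = ($0 == "[defutillog]") }
                insec && /^defutillog_name=/ { found = 1 }
                END { exit found ? 0 : 1 }' "$conf"; then
            return 0
        fi
        # Otherwise insert the key directly under the section header.
        awk -v line="defutillog_name=$logname" '
            { print }
            /^\[defutillog\]/ { print line }' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        # No section yet: append one at the end of the file.
        printf '\n[defutillog]\ndefutillog_name=%s\n' "$logname" >> "$conf"
    fi
}

# Usage: defutil_log_name <conf>
# Prints the configured log name (empty if defutil logging is not enabled).
defutil_log_name() {
    awk '/^\[/ { insec = ($0 == "[defutillog]") }
         insec && /^defutillog_name=/ { sub(/^defutillog_name=/, ""); print; exit }' "$1"
}

# Typical use on a real host (run as root):
#   ensure_defutil_logging && defutil_log_name /etc/symc-defutils.conf
```

Run it against a copy of the real file first and diff the result; the function only ever appends lines, so reverting is a matter of removing the [defutillog] section again.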

Syslog

System event logging is saved by default to /var/symantec/Logs/syslog.log and is always on.

Events which can be observed in the system event log include:

  • A LiveUpdate session ran successfully
  • Applied new policy
  • Connected to Symantec Endpoint Protection Manager
  • Received a new policy 
  • Symantec Management Client has been started/stopped
  • The client has successfully downloaded and applied license file
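Pulling all of the above together, an administrator troubleshooting a client usually wants one quick view of which of these logs exist, how large they are (the article warns that vpdebug.log grows quickly), and which debug modes are currently switched on. The script below is an added example, not part of the Broadcom article or of SEP: it inventories every log path named in the article for both the SEP 12.1.x and SEP 14+ layouts, flags a vpdebug.log above an assumed size threshold, and reports whether sylink (log4j.properties with rootCategory=DEBUG) or lux (lux.logging.conf with logger.enabled=true) debug logging is configured. The root prefix is a parameter so the functions can be run against a scratch tree.

```shell
#!/bin/sh
# Added example (not from the article or from SEP): inventory SEP for Linux
# log files and report which debug-logging modes are enabled.

# Usage: sep_log_inventory [root] [vpdebug_limit_mb]
# Prints one line per known log; returns the number of size warnings raised.
sep_log_inventory() {
    root="${1:-/}"
    limit_mb="${2:-512}"          # assumed threshold for vpdebug.log; not from the article
    base="${root%/}"
    warnings=0
    # label|relative path, covering both the 12.1.x and 14+ locations
    set -- \
        "install|root/sep-install.log" \
        "install|root/sepfl-install.log" \
        "install|root/sepfl-kbuild.log" \
        "install|root/sepap-install.log" \
        "install|root/sepap-legacy-install.log" \
        "install|root/sepjlu-install.log" \
        "install|root/sepui-install.log" \
        "sylink-12.1|var/symantec/Logs/debug.log" \
        "sylink-14|var/symantec/sep/Logs/debug.log" \
        "vpdebug|opt/Symantec/symantec_antivirus/vpdebug.log" \
        "liveupdate-12.1|opt/Symantec/LiveUpdate/liveupdt.log" \
        "liveupdate-14|opt/Symantec/LiveUpdate/Logs/lux.log" \
        "defutil|opt/Symantec/virusdefs/defutil.log" \
        "syslog|var/symantec/Logs/syslog.log"
    for entry in "$@"; do
        label="${entry%%|*}"
        path="$base/${entry#*|}"
        if [ -f "$path" ]; then
            size=$(wc -c < "$path" | tr -d ' ')
            printf '%-16s present %12s bytes  %s\n' "$label" "$size" "$path"
            if [ "$label" = "vpdebug" ] && [ "$size" -gt $((limit_mb * 1024 * 1024)) ]; then
                printf '%-16s WARNING: larger than %s MB; consider turning vpdebug off\n' "$label" "$limit_mb"
                warnings=$((warnings + 1))
            fi
        else
            printf '%-16s absent                     %s\n' "$label" "$path"
        fi
    done
    return $warnings
}

# Usage: sep_debug_status [root]
# Prints the enabled debug modes ("sylink", "lux") separated by spaces.
sep_debug_status() {
    base="${1:-/}"
    base="${base%/}"
    enabled=""
    for f in etc/symantec/sep/log4j.properties etc/symantec/log4j.properties; do
        if [ -f "$base/$f" ] && grep -q '^log4j.rootCategory=DEBUG' "$base/$f"; then
            enabled="$enabled sylink"
            break
        fi
    done
    if [ -f "$base/etc/symantec/lux.logging.conf" ] \
        && grep -q '^logger.enabled=true' "$base/etc/symantec/lux.logging.conf"; then
        enabled="$enabled lux"
    fi
    echo "${enabled# }"
}

# Typical use on a real host: sep_log_inventory / ; sep_debug_status /
```

The inventory reports both version layouts side by side rather than guessing the installed version, so a client that still carries a SEP 12.1.x debug.log after an upgrade is visible at a glance.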