Enabling SECARS and SECREG debugging for Endpoint Protection Manager

Article ID: 161969

Products

Endpoint Protection Network Access Control

Issue/Introduction

The Symantec Endpoint Protection Manager (SEPM) uses an Apache web server to host client-server communications. Client registrations are handled by the SECREG module, while client heartbeats and log forwarding are handled by the SECARS module. Both modules provide only basic logging by default.

Use these steps to enable verbose debug logging when troubleshooting problems with Symantec Endpoint Protection (SEP) client registration, heartbeats, or log forwarding to the manager.

Resolution

  1. If the SEP client is installed on the manager, disable Tamper Protection.
  2. In the Windows registry, navigate to the following key:

     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SEPM

     Or on 32-bit operating systems:

     HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM

  3. Set the DWORD value DebugLevel to 4.
  4. If you need to limit the maximum size of the logs, set the DWORD value LogMaxDataLen to 0c350000 (hexadecimal; sets a maximum size of 200 MB).
     Note: If the "LogMaxDataLen" value is missing, create a DWORD value of the same name.
  5. If you need to increase the number of logs generated, set the DWORD value LogMaxRollingLogFiles to 0000000a (hexadecimal; keeps 10 files).
     Note: If the "LogMaxRollingLogFiles" value is missing, create a DWORD value of the same name.
  6. Restart the Symantec Endpoint Protection Manager Webserver service.
  7. Locate ersecreg.log and ersecars.log in the C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log folder.
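The following PowerShell script is an added example, not part of the original article or of Symantec's own tooling. It carries out steps 2 through 7 from an elevated prompt on the SEPM host: it picks the registry key for the OS architecture, backs up the current values so the change can be reverted once troubleshooting is done (the article does not state the default DebugLevel, so the backup is the only record of it), writes the three DWORDs (creating them if missing, as the notes describe), restarts the web server service by the display name the article gives, and lists the resulting log files. Step 1 (disabling Tamper Protection) is still done manually. The backup file location under $env:TEMP is an assumption of this example.

```powershell
# Added example (not from the original article): apply the SECARS/SECREG debug
# settings from steps 2-5, restart the web server (step 6) and check step 7.
# Run from an elevated PowerShell prompt on the SEPM server after step 1.

$ErrorActionPreference = 'Stop'

# Step 2: choose the key for the OS architecture (paths as given in the article).
$sepmKey = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SEPM'
} else {
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM'
}
if (-not (Test-Path $sepmKey)) {
    throw "SEPM registry key not found: $sepmKey (is this the manager host?)"
}

# Steps 3-5: target values. 0x0C350000 and 0xA are the hex values from the article.
$settings = @{
    DebugLevel            = 4
    LogMaxDataLen         = 0x0C350000   # ~200 MB cap per log file
    LogMaxRollingLogFiles = 0xA          # keep 10 rolled files
}

# Back up whatever is there now so verbose logging can be switched off later.
# The backup path is an assumption of this example; put it wherever you keep case notes.
$backupPath = Join-Path $env:TEMP 'sepm-debug-backup.json'
$current = Get-ItemProperty -Path $sepmKey
$backup  = @{}
foreach ($name in $settings.Keys) {
    # $null is recorded when the value does not exist yet (the article's "missing" case)
    $backup[$name] = if ($null -ne $current.PSObject.Properties[$name]) { $current.$name } else { $null }
}
$backup | ConvertTo-Json | Set-Content -Path $backupPath
Write-Host "Previous values saved to $backupPath"

# Write the DWORDs. Set-ItemProperty -Type DWord creates a missing value,
# which covers the notes under steps 4 and 5.
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $sepmKey -Name $name -Value $settings[$name] -Type DWord
}

# Step 6: restart the web server service, located by the display name the article uses.
$svc = Get-Service -DisplayName 'Symantec Endpoint Protection Manager Webserver'
Restart-Service -InputObject $svc
Write-Host "Restarted service '$($svc.Name)'"

# Step 7: give the service a moment, then confirm the verbose logs are being written.
$logDir = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\log'
Start-Sleep -Seconds 5
Get-ChildItem -Path $logDir -Filter 'ersec*.log' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime
```

When the investigation is finished, restore the values recorded in the backup file (or delete the two optional values if they were absent before) and restart the service again, so the manager does not keep writing 200 MB debug logs indefinitely.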