epolicy Orchestrator Log Files

Reference Guide epolicy Orchestrator Log Files For use with epolicy Orchestrator 4.6.0 Software

COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software

Contents 1 Preface 5 About this guide.................................. 5 Audience.................................. 5 Conventions................................. 5 What's in this guide.............................. 6 Finding product documentation............................ 6 2 McAfee epolicy Orchestrator log files 7 Log files and their categories............................. 7 Installer logs................................. 7 Server logs.................................. 9 Agent logs................................. 10 Rogue System Detection logs.......................... 11 About log file path variables, file size and backup logs................... 12 Logging levels for debugging............................. 12 Agent activity log.................................. 14 Adjusting the Orion log level............................. 14 Troubleshooting policy updates............................ 15 Interpreting Windows error codes........................... 15 Index 17 epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software 3

Contents 4 epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software

1 Preface This guide provides the information you need to troubleshoot your McAfee product using the log files. Contents About this guide Finding product documentation About this guide This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized. Audience McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for: Administrators People who implement and enforce the company's security program. Users People who use the computer where the software is running and can access some or all of its features. Conventions This guide uses the following typographical conventions and icons. Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis. Bold User input or Path Code Text that is strongly emphasized. Commands and other text that the user types; the path of a folder or program. A code sample. User interface Hypertext blue Words in the user interface including options, menus, buttons, and dialog boxes. A live link to a topic or to a website. Note: Additional information, like an alternate method of accessing an option. Tip: Suggestions and recommendations. Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data. Warning: Critical advice to prevent bodily harm when using a hardware product. epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software 5

1 Preface Finding product documentation What's in this guide This guide is organized to help you find the information you need. The log files detailed in this guide represent a subset of all epo log files, with particular attention to those most commonly used when managing and troubleshooting product issues. McAfee epolicy Orchestrator Finding product documentation McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase. Task 1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com. 2 Under Self Service, access the type of information you need: To access... User documentation Do this... 1 Click Product Documentation. 2 Select a Product, then select a Version. 3 Select a product document. KnowledgeBase Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version. 6 epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software

2 McAfee 2 epolicy Orchestrator log files The log files detailed in this guide represent a subset of all epolicy Orchestrator log files, with particular attention to those most commonly used when managing and troubleshooting product issues. Contents Log files and their categories About log file path variables, file size and backup logs Logging levels for debugging Agent activity log Adjusting the Orion log level Troubleshooting policy updates Interpreting Windows error codes Log files and their categories McAfee epolicy Orchestrator generates a record of its activities and stores the information in many log files. These log files are separated into four categories: Installer logs Include details about installation path, user credentials, database used, and communication ports configured. Server logs Include details about server functionality, client event history, and administrator services. Agent logs Include details about agent installation, wake-up calls, updating, and policy enforcement. Rogue System Detection logs Include details about Rogue System Detection install and uninstall, and Sensor actions. Installer logs Installer log files contain details about the McAfee epolicy Orchestrator installation process including: Actions taken by specific components Administrator services used by the server Success and failure of critical processes epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software 7

2 McAfee epolicy Orchestrator log files Log files and their categories Table 2-1 Installer logs Log file name Description Location Core-install.log Generated during epolicy Orchestrator installation. This file contains details such as: Creation of server database tables Installation of server components [InstallDir] \Installer\core epo-install.log EPO460-Checkin -Failure.log EPO460-CommonSetup.log EPO460-Install-MSI.log Created when the epolicy Orchestrator installer calls the Mercury ANT installer. Generated when the installer fails to check in any of the following package types: Extensions Plug-ins Deployment packages Agent packages Contains details about epolicy Orchestrator 4.6 MSI installer including: CustomAction logging SQL, DTS (Microsoft Data Transformation Services), and service related calls Registering and unregistering DLLs Files and folders marked for deletion at reboot The primary McAfee epo installation log. This file logs all details about the installation including: Installer actions Installation failures [InstallDir] \Installer\epo %temp%\mcafeelogs %temp%\mcafeelogs %temp%\mcafeelogs 8 epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software

McAfee epolicy Orchestrator log files Log files and their categories 2 Server logs Server log files contain details on server functionality and various administrator services used by epolicy Orchestrator version 4.6. Table 2-2 Server logs Log file name Description Location <AgentGuid> _<Timestamp> _Server.xml Contains details about policy updating issues. To enable this file: 1 Browse to the following registry key: HKEY_LOCAL_MACHINE \Software\Network Associates\ePolicy Orchestrator \ 2 create the following DWORD with value 1: SaveAgentPolicy 3 Restart the McAfee epolicy Orchestrator 4.6.0 Server (Apache) service. <InstallDir>\DB \DEBUG McAfee recommends this file be enabled for the minimum duration necessary to capture the required information, as the resulting files grow rapidly. EpoApSvr.log Errorlog.<CURRENT _DATETIME> Eventparser.log Jakarta_service _<DATE>.log Localhost _access_log.<date>.txt Orion.log Replication.log Contains details related to repository actions such as: Pull tasks Checking in deployment packages to the repository Deleting deployment packages from the repository Contains details related to the Apache service. This file is not present until after the Apache service is started for the first time. Contains details about the epolicy Orchestrator event parser services, such as product event parsing success or failure. Contains details about the McAfee epo Application Server service. This file is not present until after the Tomcat service is started for the first time. Records all requests from client systems received by the McAfee epo server. This file is not present until after the Tomcat service is started for the first time. Contains details on server functionalities and all extensions loaded by default. This file is not present until after the McAfee epo Application Server service is started for the first time. The McAfee epo server replication log file. This file is generated when all of the following are true: There are distributed repositories. A replication task has been configured. A replication task has run. <InstallDir>\DB \Logs <InstallDir> \Apache2\logs <InstallDir>\DB \Logs <InstallDir> \Server\logs <InstallDir> \Server\logs <InstallDir> \Server\logs <InstallDir>\DB \Logs epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software 9

2 McAfee epolicy Orchestrator log files Log files and their categories Table 2-2 Server logs (continued) Log file name Description Location Server.log Contains details related to agent-server communications. The Siteinfo.ini file is updated when server port numbers are changed. This log file contains details about the version of Siteinfo.ini file and changed port numbers. <InstallDir>\DB \Logs Stderr.log Contains any Standard Error output that the Tomcat service captures. This file is not present until after the Tomcat service is started the first time. <InstallDir> \Server\logs Table 2-3 File locations in cluster installations Log file name Jakarta_service_<DATE>.log Localhost_access_log.<DATE>.txt Orion.log Stderr.log Location [InstallDir]\Bin\Server\logs [InstallDir]\Bin\Server\logs [InstallDir]\Bin\Server\logs [InstallDir]\Bin\Server\logs Agent logs Agent log files contain actions triggered or taken by the McAfee Agent. Table 2-4 Agent logs Log file name Description Location Agent_<system>.log Generated on client systems when the server deploys an agent to them. This file contains details related to: Agent-to-server communication Policy enforcement Other agent tasks <Agent DATA Path> \DB FrmInst _<system>.log MCScript.log Generated when the FrmInst.exe is used to install the McAfee Agent. This file contains: Informational messages. Progress messages. Failure messages if installation fails. Contains the results of script commands used during agent deployment and updating. To enable the DEBUG mode for this log, set the following DWORD value on the client s registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK \DWDEBUGSCRIPT=2 %temp%\mcafeelogs <Agent DATA Path> \DB McAfee recommends that you delete this key when you are finished troubleshooting. MfeAgent.MSI.<DATE>.log Contains details about the MSI installation of the agent. %temp%\mcafeelogs 10 epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software

McAfee epolicy Orchestrator log files Log files and their categories 2 Table 2-4 Agent logs (continued) Log file name Description Location PrdMgr_<SYSTEM>.log UpdaterUI _<system>.log Contains details about agent communications with other McAfee products. Contains details of the updates to managed products on the client system. <Agent DATA Path> \DB %temp%\mcafeelogs Agent error logs When the agent traps errors, they are reported in Agent error logs. Agent error logs are named for their primary log counterpart. For example, when errors occur while performing client tasks, the MCScript_Error.log file is created. Error logs contain only details about errors. Rogue System Detection logs Rogue System Detection log files contain details about the installation of and actions performed by the Rogue System Sensor. These logs are located on the system where the sensor is deployed. Table 2-5 Rogue System Detection logs Log file name Description Location RSDSEN450-Install -MSI.log RSDSEN450-Uninstall -MSI.log RSDSensor_out.log Generated on client systems when the server deploys a Rogue System Sensor to a client system. This file contains details related to the sensor install. Generated on client systems when the server removes a Rogue System Sensor from a client system. This file contains details related to sensor uninstall. Contains details about all actions performed by the sensor. %windir%\temp %windir%\temp Program Files \McAfee\RSD Sensor Rogue System Sensor log file configuration The Rogue System Sensor log file (RSDSensor_out.log) can be configured to log specific details. Use the RSSensor_log.cfg to configure the Rogue System RSDSensor_out.log with the following values: DEBUG The most detail available. This setting is useful when very detailed information is necessary for advanced troubleshooting. INFO Provides a high level of detail. This setting is useful when working with product support to resolve specific issues. WARN Provides a moderate level of detail appropriate for most troubleshooting scenarios. ERROR Provides the lowest level of logging. Use the following table to set log properties to output the details you need. Table 2-6 RSSensor_log.cfg properties and values Property Description Default value Modify value for troubleshooting log4cplus.rootlogger This is the root logger. All loggers that do not have a specifically assigned value use the value set here. WARN DEBUG log4cplus.logger. RSDSensor.NetListener This is the logger for network traffic visible to the sensor. WARN DEBUG epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software 11

2 McAfee epolicy Orchestrator log files About log file path variables, file size and backup logs Table 2-6 RSSensor_log.cfg properties and values (continued) Property Description Default value Modify value for troubleshooting log4cplus.logger. RSDSensor.Resolver This is the logger for the host resolver which the sensor uses to determine operating system information. WARN DEBUG log4cplus.logger. RSDSensor.ServerCom This is the logger for controlling the level of log messages between the sensor and the server. INFO DEBUG About log file path variables, file size and backup logs The locations of log files depend on how and where epolicy Orchestrator and the agent is installed in your environment. The following table defines the path variables used to describe log file locations in this document. Table 2-7 Path variables Variable Description <Agent DATA Path> To determine the actual location of the agent data files, view this registry key HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DATA PATH. For more information, see Agent installation directory in the epolicy Orchestrator Product Guide or Help. %temp% <InstallDir> This is the Temp folder of the currently logged on user. To access this folder, select Start Run, then type %temp% in the Open text box, and click OK. The default location of the epolicy Orchestrator server software is C:\PROGRAM FILES\MCAFEE\EPOLICY ORCHESTRATOR Log file size and backup logs When a log file reaches it maximum size, backup is added before the file name extension and a new log file is created. For example, when Agent_<SYSTEM>.log reaches it maximum size, it is renamed Agent_<SYSTEM>_backup.log. If a backup log already exists, it is overwritten. Depending on how recently the backup was created, it might contain current entries. Examine both log files to make sure you view all current entries. To change the log size, create the DWORD value LOGSIZE in the registry key HKEY_LOCAL_MACHINE \Software\Network Associates\ePolicy Orchestrator, then set the value data to the size desired. For example, 20=20MB. Logging levels for debugging This section provides information about setting the logging levels for logs in general. For information about adjusting the logging of the Tomcat servlet container, see Adjusting the Orion log level. 12 epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software

McAfee epolicy Orchestrator log files Logging levels for debugging 2 The scope and depth of the information in most log files are determined by the log level, a value ranging from 1 to 8. Messages logged at each level include all messages at the current level and all lower logging levels. The default value (7) is generally considered adequate for ordinary debugging. Log level 8 produces output, including every SQL query, whether or not there is an error. Log level 8 also provides communication details for troubleshooting network and proxy server issues. The following table describes each message type and logging level. Table 2-8 Messages reported at each log level Message type Description Logging level e (error) User error message, translated 1 w (warning) User warning message, translated 2 I (information) User information message, translated 3 x (extended data) User extended information message, translated 4 E (error) Debug error message, English only 5 W (warning) Debug warning message, English only 6 I (information), or none Debug information message, English only 7 X (extended data) Debug extended information message, English only 8 The following table lists the locations of the values that control logging levels, which can be modified. You cannot modify the logging levels of all logs. Table 2-9 Location of values controlling log levels and when they take effect Log file Location of controlling log level value Setting change takes effect... Agent_<system>.log Core-install.log EpoApSvr.log Errorlog.<CURRENT _DATETIME>.log Eventparser.log FrmInst_<system>.log Jakarta_Service _<DATE>.log Localhost_access _log.<date>.txt DWORD registry value at: HKEY_LOCAL_MACHINE \SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL Cannot change DWORD registry value at: HKEY_LOCAL_MACHINE \SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL Not applicable. This file is created by the Apache service. DWORD registry value at: HKEY_LOCAL_MACHINE \SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL DWORD registry value at: HKEY_LOCAL_MACHINE \SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL For more information, see Adjusting the Orion log level. For more information, see Adjusting the Orion log level. Within one minute. Within one minute. Within one minute. At run-time. Upon startup of epolicy Orchestrator Application Server service. Upon startup of epolicy Orchestrator Server service. epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software 13

2 McAfee epolicy Orchestrator log files Agent activity log Table 2-9 Location of values controlling log levels and when they take effect (continued) Log file Location of controlling log level value Setting change takes effect... MCSCRIPT.log Orion.log PrdMgr_<SYSTEM>.log Windows platforms: dwdebugscript in HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\Framework UNIX platforms: DebugScript in /etc/cma.d/<epo Agent's software ID>/config.xml <INSTALL DIR>\SERVER\CONF\ORION \LOG-CONFIG.XML. See MaxFileSize parameter value in Rolling log file section. See also Priority Value in <root> section. DWORD registry value at: HKEY_LOCAL_MACHINE \SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL Immediately Upon startup of epolicy Orchestrator Application Server service. Within one minute. Replication.log Cannot change. Within one minute. Server.log Stderr.log UpdaterUI_<SYSTEM>.log DWORD registry value at: HKEY_LOCAL_MACHINE \SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL Cannot change. DWORD registry value at: HKEY_LOCAL_MACHINE \SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL Upon startup of epolicy Orchestrator Server service. Within one minute. Agent activity log The agent activity log (AGENT_<SYSTEM>.XML) contains copies of messages from the AGENT_<SYSTEM>.LOG, including translated messages, of types e, w, and i, (corresponding to logging levels 1 3). This file is not intended for debugging, but as information for users not likely to be troubleshooting. Messages of type x (logging level 4) can be included in the activity log. For information on setting levels, see Logging levels for debugging. Information in the activity log also appears in the Agent Monitor. If you enable remote access to the agent activity log file, you can also view the agent debug log files remotely by clicking View debug log (current or previous) in the header of the Show Agent Log display. For instructions, see Agent Activity Logs and Viewing the agent activity log in the epolicy Orchestrator Product Guide or Help. Adjusting the Orion log level The orion.log file is created by the epolicy Orchestrator Application Server. To adjust its logging level, do the following. Task 1 Using a text editor, open the Log-Config.xml file, located at: C:\PROGRAMFILES>\McAfee\ePolicyOrchestrator\Server\conf\orion 14 epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software

McAfee epolicy Orchestrator log files Troubleshooting policy updates 2 2 In the following line of text, replace warn with info or debug : <root><priority value ="warn"/><appender-ref ref="rolling" /><appender-ref ref="stdout/></root> Use debug only when troubleshooting for a short period of time. Setting the priority value to debug causes the old log files to be deleted frequently. 3 Save and close the file. Tomcat automatically adjusts the log level when the epolicy Orchestrator Application Server services is restarted. Troubleshooting policy updates To troubleshoot incremental policy update issues from the server-side, do the following. Task 1 Create the DWORD registry value SAVEAGENTPOLICY = 1 in: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR 2 Restart all epolicy Orchestrator services. The epolicy Orchestrator server creates the file <AGENTGUID>_<TIMESTAMP>_SERVER.XML at <INSTALLATION PATH>\DB\DEBUG, which contains a copy of the content that the server deployed. Interpreting Windows error codes To understand Windows error messages, identify the error code and look it up in the MSDN library. Task 1 Locate messages of type e or E in the log file. 2 Identify the time that the problem occurred, if known. 3 Note the Windows error code associated with the problem event. 4 Find the error code in the MSDN library at: http://msdn2.microsoft.com/en-us/library/ms681381.aspx For example, when tracking down an error message that includes code 1326, navigate to and click the code in the list of system error codes. The explanation of the code is displayed: 1326 ERROR_LOGON_FAILURE Logon failure: unknown user name or bad password You can also use the ERRLOOK.EXE utility to determine the cause of these error codes. This utility is distributed with Microsoft Visual Studio. epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software 15

2 McAfee epolicy Orchestrator log files Interpreting Windows error codes 16 epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software

Index A about this guide 5 C conventions and icons used in this guide 5 D documentation audience for this guide 5 product-specific, finding 6 typographical conventions and icons 5 S ServicePortal, finding product documentation 6 T Technical Support, finding product information 6 W what's in this guide 6 M McAfee ServicePortal, accessing 6 epolicy Orchestrator Log Files Reference Guide For use with epolicy Orchestrator 4.6.0 Software 17

00