ePolicy Orchestrator 5.1 Log File Reference Guide

Reference Guide
McAfee ePolicy Orchestrator 5.1.0 Software
Log Files
ePolicy Orchestrator log files
The log files detailed in this guide represent a subset of all McAfee® ePolicy Orchestrator® log files, with
particular attention to the log files used when managing and troubleshooting product issues.
Log files and their categories
McAfee ePolicy Orchestrator provides log files that contain important information when
troubleshooting.
These log files are separated into three categories:
• Installer logs — Include details about installation path, user credentials, database used, and communication ports configured.
• Server logs — Include details about server functionality, client event history, and administrator services.
• Agent logs — Include details about agent installation, wake-up calls, updating, and policy enforcement.
Path variables used
The locations of log files depend on how and where ePolicy Orchestrator and the agent are installed in
your environment.
These variables are used in this document to describe locations of the log files.
| Variable | Description |
| --- | --- |
| [Agent DATA Path] | To determine the actual location of the agent data files, view this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DATA PATH. For more information, see Agent installation directory in the ePolicy Orchestrator Product Guide or Help. |
| %temp% | This is the Temp folder of the currently logged on user. To access this folder, select Start, Run, then type %temp% in the Open text box, and click OK. |
| [InstallDir] | The default location of the ePolicy Orchestrator server software is C:\PROGRAM FILES\MCAFEE\EPOLICY ORCHESTRATOR. |
Installer logs
Installer log files list details about the ePolicy Orchestrator installation process.
These logs provide information about:
• Actions taken by specific components
• Administrator services used by the server
• Success and failure of critical processes
| File name | Log type | Location | Description |
| --- | --- | --- | --- |
| AH500-Install-MSI.log | Agent Handler installation | %temp%\McAfeeLogs | This file logs all Agent Handler installation details including installer actions and installation failures. |
| AH500-ahetupdll.log | Temporary | %temp% (on the Agent Handler server) | Logs Agent Handler back-end events. |
| core-install.log | Temporary | %temp%\McAfeeLogs\ePO500-Troubleshoot\MFS | Generated when ePolicy Orchestrator installer calls the MFS ANT installer. Provides information on creation of server database tables and installation of server components. This file is deleted if the installation succeeds. |
| epo-install.log | Installation | %temp%\McAfeeLogs\ePO500-Troubleshoot\Mercury Framework | Created when the ePolicy Orchestrator installer calls the ANT installer. |
| EPO500-Checkin-Failure.log | Installation | %temp%\McAfeeLogs | Generated when ePolicy Orchestrator installer fails to check in any of these package types: extensions, plug-ins, deployment packages, agent packages. |
| EPO500-CommonSetup.log | Installation | %temp%\McAfeeLogs | Contains ePolicy Orchestrator installer details such as: Custom Action logging; SQL, DTS (Microsoft Data Transformation Services), and service-related calls; registering and unregistering DLLs; files and folders selected for deletion at restart. |
| EPO500-Install-MSI.log | Installation | %temp%\McAfeeLogs | The primary ePolicy Orchestrator installation log. Contains installation details such as installer actions and installation failures. |
| <ExtensionFileName>.cmd | Temporary | %temp%\McAfeeLogs\ePO500-troubleshoot\OutputFiles | Created by the ePolicy Orchestrator installer. Contains the command (sent to Remote-Client) to check in extensions. If the installation succeeds, these files are deleted. |
| MFS500-CommonSetup.log | Installation | %temp%\McAfeeLogs | Contains MFS installer details. |
Server logs
Server log files contain details on server functionality and various administrator services used by
ePolicy Orchestrator.
| File name | Log type | Location | Description |
| --- | --- | --- | --- |
| EpoApSvr.log | Primary | [InstallDir]\DB\Logs | Application Server log file with details of repository actions such as pull tasks, checking in deployment packages to the repository, and deleting deployment packages from the repository. This file is not present until after initial service startup. |
| Errorlog.<CURRENT_DATETIME> | Apache | [InstallDir]\Apache2\logs | Contains Apache service details. This file is not present until after the Apache service is started for the first time. |
| Eventparser.log | Primary | [InstallDir]\DB\Logs | Contains ePolicy Orchestrator event parser services details, such as product event parsing success or failure. |
| Jakarta_service_<DATE>.log | Tomcat | [InstallDir]\Server\logs * | Contains ePolicy Orchestrator Application Server service details. This file is not present until after the initial Tomcat service startup. |
| Localhost_access_log.<DATE>.txt | Tomcat | [InstallDir]\Server\logs * | Records all McAfee ePO server requests received from client systems. This file is not present until after the initial Tomcat service startup. |
| Orion.log | Primary | [InstallDir]\Server\logs * | Contains McAfee Foundation Services platform details and all extensions loaded by default. This file is not present until after the ePolicy Orchestrator Application Server service is started for the first time. |
| Replication.log | Server | [InstallDir]\DB\Logs | The McAfee ePO server replication log file. This file is only generated when all these are true: there are distributed repositories; a replication task has been configured; a replication task has run. |
| Server.log | Primary | [InstallDir]\DB\Logs | Contains details related to these McAfee ePO server services: agent-server communications; McAfee ePO Server Agent Handler. This file is not present until after initial service startup. |
| Stderr.log | Tomcat | [InstallDir]\Server\logs * | Contains any Standard Error output captured by the Tomcat service. This file is not present until after the initial Tomcat service startup. |

* In cluster environments, the log file is located at [InstallDir]\Bin\Server\logs.
Agent logs
Agent log files contain actions triggered or taken by the McAfee® Agent.
| File name | Log type | Location | Description |
| --- | --- | --- | --- |
| <AgentGuid>_<Timestamp>_Server.xml | Policy | [InstallDir]\DB\DEBUG | Contains details about policy updating issues. To enable this file: (1) Browse to this registry key: HKEY_LOCAL_MACHINE\Software\Network Associates\ePolicy Orchestrator\ (2) Create this DWORD with value 1: SaveAgentPolicy (3) Restart the McAfee ePolicy Orchestrator 5.1.0 Server (Apache) service. We recommend that you enable this file for the minimum time needed to capture the required information, because the resulting files grow rapidly. |
| Agent_<system>.log | Agent | [Agent DATA Path]\DB | Generated on client systems when the server deploys an agent to them. This file contains details related to agent-server communication, policy enforcement, and other agent tasks. |
| FrmInst_<system>.log | Agent | %temp%\McAfeeLogs | Generated when the FrmInst.exe is used to install the McAfee Agent. This file contains informational messages, progress messages, and failure messages if installation fails. |
| MCScript.log | Agent Debug | [Agent DATA Path]\DB | Contains the results of script commands used during agent deployment and updating. To enable the DEBUG mode for this log, set this DWORD value on the client's registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DWDEBUGSCRIPT=2. Delete this key when you've finished troubleshooting. |
| MfeAgent.MSI.<DATE>.log | Agent | %temp%\McAfeeLogs | Contains details about the MSI installation of the agent. |
| PrdMgr_<SYSTEM>.log | Agent | [Agent DATA Path]\DB | Contains details about agent communications with other McAfee products. |
| UpdaterUI_<system>.log | Agent | %temp%\McAfeeLogs | Contains details of the updates to managed products on the client system. |
McAfee Agent error logs
When the McAfee Agent traps errors, they are reported in Agent error logs. Agent error logs are
named for their primary log counterpart. For example, when errors occur while performing client
tasks, the MCScript_Error.log file is created. Error logs contain only details about errors.
How log file size is maintained
When a log file reaches its maximum size, backup is added before the file name extension and a new log file is created.
For example, when Agent_<SYSTEM>.log reaches its maximum size, it is renamed Agent_<SYSTEM>_backup.log. If a backup log already exists, it is overwritten. Depending on how recently the backup was created, it might contain current entries. Examine both log files to make sure that you view all current entries.
To change the log size, create the DWORD value LOGSIZE in the registry key HKEY_LOCAL_MACHINE\Software\Network Associates\ePolicy Orchestrator, then set the value data to the size wanted. For example, 20=20MB.
Enable access logging
Enable Apache access logging by modifying the httpd.conf file.
Task
1 From [ePOInstallDir]\Apache2\conf, open the httpd.conf file.
2 Edit the file by removing the number symbol (#) from this line:
CustomLog "|C:/PROGRA~1/McAfee/EPOLIC~1/Apache2/bin/rotatelogs.exe -l C:/PROGRA~1/McAfee/EPOLIC~1/Apache2/logs/accesslog.%Y-%m-%d 86400" common
This file path applies to the default ePolicy Orchestrator installation. For custom installations, use the path specified in the httpd.conf file.
3 Save the file and restart your ePolicy Orchestrator services.
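The following PowerShell check is an added example, not part of the McAfee guide. It reports whether the CustomLog directive from step 2 is active and which rotation interval rotatelogs was given. The httpd.conf excerpt and the function name Get-AccessLogDirective are constructed for illustration.

```powershell
# Constructed httpd.conf excerpt; the CustomLog line is the one shown in this
# guide, with its leading # still in place.
$sampleConf = @'
ServerRoot "C:/PROGRA~1/McAfee/EPOLIC~1/Apache2"
LogFormat "%h %l %u %t \"%r\" %>s %b" common
#CustomLog "|C:/PROGRA~1/McAfee/EPOLIC~1/Apache2/bin/rotatelogs.exe -l C:/PROGRA~1/McAfee/EPOLIC~1/Apache2/logs/accesslog.%Y-%m-%d 86400" common
'@ -split "`r?`n"

function Get-AccessLogDirective {
    # Hypothetical helper: returns one object per CustomLog line, commented or not.
    param([string[]]$Lines)
    $pattern = '^\s*(?<hash>#*)\s*CustomLog\s+"(?<target>[^"]+)"\s+(?<format>\S+)'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        # Copy the captures before the next -match overwrites $Matches.
        $hash, $target, $format = $Matches['hash'], $Matches['target'], $Matches['format']
        # rotatelogs takes the rotation interval in seconds as its last argument.
        $seconds = if ($target -match '\s(\d+)$') { [int]$Matches[1] }
        [pscustomobject]@{
            Enabled         = ($hash.Length -eq 0)       # no leading # means active
            Piped           = $target.StartsWith('|')    # log is piped to a program
            RotationSeconds = $seconds
            Format          = $format
            Line            = $line
        }
    }
}

$state = Get-AccessLogDirective -Lines $sampleConf
$state | Format-List Enabled, Piped, RotationSeconds, Format
if (-not ($state | Where-Object { $_.Enabled })) {
    Write-Warning 'No active CustomLog directive: Apache access logging is off.'
}

# Re-run the check on a copy with the leading # removed, as step 2 describes.
$edited = $sampleConf -replace '^#(?=CustomLog\s)', ''
(Get-AccessLogDirective -Lines $edited).Enabled
```

To check a live server, pass the output of Get-Content for the httpd.conf file in [ePOInstallDir]\Apache2\conf instead of $sampleConf.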
Log levels for debugging
The log level, a value ranging from 1 to 8, determines the scope and depth of the information in most
log files.
Log levels provide this information:
• Messages logged at each level include all messages at the current level and all lower logging levels.
• The default value (7) is considered adequate for ordinary debugging.
• Log level 8 produces output, including every SQL query, whether or not there is an error. Log level 8 also provides communication details for troubleshooting network and proxy server issues.
Messages reported at each log level
| Message type | Description | Logging level |
| --- | --- | --- |
| e (error) | User error message, translated | 1 |
| w (warning) | User warning message, translated | 2 |
| i (information) | User information message, translated | 3 |
| x (extended data) | User extended information message, translated | 4 |
| E (error) | Debug error message, English only | 5 |
| W (warning) | Debug warning message, English only | 6 |
| I (information), or none | Debug information message, English only | 7 |
| X (extended data) | Debug extended information message, English only | 8 |
Location of values controlling log levels and when they take effect
You can't modify the logging levels of all logs.
| Log file name | Log level value location | Update duration |
| --- | --- | --- |
| Agent_<system>.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | 1 minute (approximate) |
| Core-install.log | Not applicable | Not applicable |
| EpoApSvr.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | 1 minute (approximate) |
| Errorlog.<CURRENT_DATETIME>.log | Not applicable (File created by the Apache service) | Not applicable |
| Eventparser.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | 1 minute (approximate) |
| FrmInst_<system>.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | At runtime |
| Jakarta_Service_<DATE>.log | [INSTALL DIR]\SERVER\CONF\ORION\LOG-CONFIG.XML | Upon startup of ePolicy Orchestrator Application Server service. |
| Localhost_access_log.<DATE>.txt | [INSTALL DIR]\SERVER\CONF\ORION\LOG-CONFIG.XML | Upon startup of ePolicy Orchestrator Server service. |
| MCSCRIPT.log | Windows platforms: dwDebugScript in HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\Framework. UNIX platforms: DebugScript in /etc/cma.d/<ePO Agent's software ID>/config.xml | Immediately |
| Orion.log | [INSTALL DIR]\SERVER\CONF\ORION\LOG-CONFIG.XML. See MaxFileSize parameter value in the Rolling log file section. Also, see Priority Value in the Root section. | Upon startup of ePolicy Orchestrator Application Server service. |
| PrdMgr_<SYSTEM>.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | 1 minute (approximate) |
| Replication.log | Not applicable | Not applicable |
| Server.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | Upon startup of ePolicy Orchestrator Server service. |
| Stderr.log | Not applicable | Not applicable |
| UpdaterUI_<SYSTEM>.log | DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL | 1 minute (approximate) |
Agent activity log
The agent activity log (AGENT_<SYSTEM>.XML) contains copies of messages from the AGENT_<SYSTEM>
.LOG, including translated messages, of types “e,” “w,” and “i,” (corresponding to logging levels 1 – 3).
This file is not intended for debugging, but as information for users not likely to be troubleshooting.
Messages of type “x” (logging level 4) can be included in the activity log. For information on setting
levels, see Logging levels for debugging.
Information in the activity log also appears in the Agent Monitor.
If you enable remote access to the agent activity log file, you can also view the agent debug log files
remotely by clicking View debug log (current or previous) in the header of the Show Agent Log display. For
instructions, see Agent Activity Logs and Viewing the agent activity log in the McAfee ePolicy
Orchestrator Product Guide or Help.
Adjust the Orion log level
The orion.log file is created by the ePolicy Orchestrator Application Server.
You can configure the log level to show different types of Orion information in the log.
Task
1 Using a text editor, open the Log-Config.xml file, located at: C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orion
2 In the following line of text, replace “warn” with “info” or “debug”:
<root><priority value ="warn"/><appender-ref ref="ROLLING" /><appender-ref ref="STDOUT"/></root>
Use debug only when troubleshooting for a short time. Setting the priority value to debug causes the old log files to be deleted frequently.
3 Save and close the file.
Tomcat automatically adjusts the log level when the ePolicy Orchestrator Application Server services restart.
Troubleshoot product issues
Use logs to troubleshoot product issues.
Tasks
• Troubleshoot policy updates: Troubleshoot incremental policy update issues from the server-side.
• Interpret Windows error codes: To understand Windows error messages, identify the error code and look it up in the MSDN library.
Troubleshoot policy updates
Troubleshoot incremental policy update issues from the server-side.
Task
1 Create the DWORD registry value SAVEAGENTPOLICY = 1 in: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR
2 Restart all ePolicy Orchestrator services.
The ePolicy Orchestrator server creates the file <AGENTGUID>_<TIMESTAMP>_SERVER.XML at <INSTALLATION PATH>\DB\DEBUG, which contains a copy of the content that the server deployed.
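The registry values this guide uses to raise logging (LOGLEVEL, SaveAgentPolicy, DWDEBUGSCRIPT) are meant to be set only while troubleshooting. The following PowerShell audit is an added example, not part of the McAfee guide, that reports which of them are still present on a system. Key and value names come from this guide; the Wow6432Node paths are an assumption for 32-bit components on 64-bit Windows.

```powershell
# Registry roots to search. The second entry is an assumption (32-bit view on
# 64-bit Windows); the guide itself only lists paths under HKLM\SOFTWARE.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'

# Each check: key below the root, value name, when to flag it, and why.
$checks = @(
    @{ Key = 'Network Associates\ePolicy Orchestrator'; Name = 'LOGLEVEL'
       Flag = { param($v) $v -ge 8 }
       Why  = 'level 8 logs every SQL query and communication details' },
    @{ Key = 'Network Associates\ePolicy Orchestrator'; Name = 'SaveAgentPolicy'
       Flag = { param($v) $v -eq 1 }
       Why  = 'policy debug XML files in DB\DEBUG grow rapidly' },
    @{ Key = 'Network Associates\TVD\Shared Components\Framework'; Name = 'DWDEBUGSCRIPT'
       Flag = { param($v) $true }
       Why  = 'the guide says to delete this after troubleshooting' },
    @{ Key = 'Network Associates\ePolicy Orchestrator'; Name = 'LOGSIZE'
       Flag = { param($v) $false }
       Why  = 'informational: maximum log size in MB' }
)

$report = foreach ($root in $roots) {
    foreach ($c in $checks) {
        $path = Join-Path $root $c.Key
        $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }      # key or value is not present
        $value = $item.($c.Name)
        [pscustomobject]@{
            Path    = $path
            Name    = $c.Name
            Value   = $value
            Flagged = [bool](& $c.Flag $value)
            Why     = $c.Why
        }
    }
}

$report | Format-Table -AutoSize -Wrap
if ($report | Where-Object { $_.Flagged }) {
    Write-Warning 'Troubleshooting-level logging is still enabled; revert it when the investigation ends.'
}
```

Run it on the ePolicy Orchestrator server for LOGLEVEL, LOGSIZE and SaveAgentPolicy, and on client systems for DWDEBUGSCRIPT.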
Interpret Windows error codes
To understand Windows error messages, identify the error code and look it up in the MSDN library.
Task
1 Locate messages of type e or E in the log file.
2 Identify the time that the problem occurred, if known.
3 Note the Windows error code associated with the problem event.
4 Find the error code in the MSDN library at: http://msdn2.microsoft.com/en-us/library/ms681381.aspx
For example, when tracking down an error message that includes code 1326, navigate to and click the code in the list of system error codes. The explanation of the code is displayed:
1326 ERROR_LOGON_FAILURE Logon failure: unknown user name or bad password
You can also use the ERRLOOK.EXE utility to determine the cause of these error codes. This utility is distributed with Microsoft Visual Studio.
Copyright © 2013 McAfee, Inc. Do not copy without permission.
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and
other countries. Other names and brands may be claimed as the property of others.