McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide


COPYRIGHT

Copyright © 2009 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

Refer to the product Release Notes.


Contents

McAfee ePolicy Orchestrator 4.5 Log Files
Installer logs
Server logs
Agent logs
Rogue System Detection logs
About log file path variables, file size and backup logs
Logging levels for debugging
Adjusting the Tomcat log level
Troubleshooting policy updates
Interpreting Windows error codes
Agent activity log


McAfee ePolicy Orchestrator 4.5 Log Files

ePolicy Orchestrator generates a record of its activities and stores the information in many log files. The log files detailed in this guide represent a subset of all ePO log files, with particular attention to those most commonly used when managing and troubleshooting product issues. They are separated into three categories:

• Installer logs — Include details about installation path, user credentials, database used, and communication ports configured.

• Server logs — Include details about server functionality, client event history, and administrator services.

• Agent logs — Include details about agent installation, wake-up calls, updating, and policy enforcement.

• Rogue System Detection logs — Include details about Rogue System Sensor install and uninstall, and Sensor actions.

Contents

Installer logs

Server logs

Agent logs

Rogue System Detection logs

About log file path variables, file size and backup logs

Logging levels for debugging

Adjusting the Tomcat log level

Troubleshooting policy updates

Interpreting Windows error codes

Agent activity log

Installer logs

Installer log files contain details about the ePolicy Orchestrator installation process including:

• Actions taken by specific components

• Administrator services used by the server

• Success and failure of critical processes

Table 1: Installer logs

Log file name: Core-install.log
Location: %temp%\McAfeeLogs\EPO450-Troubleshoot\OrionFramework
Description: Generated during ePolicy Orchestrator installation. This file contains details such as:
• Creation of server database tables
• Installation of server components

Log file name: EPO450-Checkin-Failure.log
Location: %temp%\McAfeeLogs
Description: Generated when the installer fails to check in any of the following package types:
• Extensions
• Plug-ins
• Deployment packages
• Agent packages

Log file name: EPO450-CommonSetup.log
Location: %temp%\McAfeeLogs
Description: Contains details about ePolicy Orchestrator 4.5 MSI installer including:
• CustomAction logging
• SQL, DTS (Microsoft Data Transformation Services), and service related calls
• Registering and unregistering DLLs
• Files and folders marked for deletion at reboot

Log file name: EPO450-Install-MSI.log
Location: %temp%\McAfeeLogs
Description: The primary ePO installation log. This file logs all details about the installation including:
• Installer actions
• Installation failures

Log file name: Licensing.log
Location: %temp%\McAfeeLogs
Description: Generated when installation of a licensed version of ePolicy Orchestrator fails. Use this log file to check the details of the license and any issues with the Common License Application.

Log file name: SQL2K5bCINST.LOG
Location: %temp%\McAfeeLogs
Description: Contains details about the installation of Microsoft SQL 2005 Backward Compatibility. This file is generated only when SQL 2005 Backward Compatibility is optionally installed by the ePO installer.

Server logs

Server log files contain details on server functionality and various administrator services used by ePolicy Orchestrator 4.5.

Table 2: Server logs

Log file name: <AgentGuid>_<Timestamp>_Server.xml
Location: <InstallDir>\DB\DEBUG
Description: Contains details about policy updating issues. To enable this file, create the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR. Then, specify the following setting: SAVEAGENTPOLICY(REG_DWORD)=1

Log file name: Dbmigrate.log
Location: %temp%\McAfeeLogs
Description: Contains details about database migration generated during an upgrade from an earlier version of the software.

Log file name: EpoApSvr.log
Location: <InstallDir>\DB\Logs
Description: Contains details related to repository actions such as:
• Pull tasks
• Checking in deployment packages to the repository
• Deleting deployment packages from the repository

Log file name: Errorlog.<CURRENT_DATETIME>
Location: <InstallDir>\Apache2\logs
Description: Contains details related to the Apache service. This file is not present until after the Apache service is started for the first time.

Log file name: Eventparser.log
Location: <InstallDir>\DB\Logs
Description: Contains details about the ePolicy Orchestrator event parser services, such as product event parsing success or failure.

Log file name: Jakarta_service_<DATE>.log
Location: <InstallDir>\Server\logs
Description: Contains details about the ePO Application Server service. This file is not present until after the Tomcat service is started for the first time.

Log file name: Localhost_access_log.<DATE>.txt
Location: <InstallDir>\Server\logs
Description: Records all requests from client systems received by the ePO server. This file is not present until after the Tomcat service is started for the first time.

Log file name: Orion.log
Location: <InstallDir>\Server\logs
Description: Contains details on server functionalities and all extensions loaded by default. This file is not present until after the ePO Application Server service is started for the first time.

Log file name: Replication.log
Location: <InstallDir>\DB\Logs
Description: The ePO server replication log file. This file is generated when all of the following are true:
• There are distributed repositories.
• A replication task has been configured.
• A replication task has run.

Log file name: Server.log
Location: <InstallDir>\DB\Logs
Description: Contains details related to agent-server communications. This log file contains details about the version of Siteinfo.ini file and changed port numbers.
NOTE: The Siteinfo.ini file is updated when server port numbers are changed.

Log file name: Stderr.log
Location: <InstallDir>\Server\logs
Description: Contains any Standard Error output that the Tomcat service captures. This file is not present until after the Tomcat service is started the first time.


Agent logs

Agent log files contain actions triggered or taken by the McAfee Agent.

Table 3: Agent logs

Log file name: Agent_<system>.log
Location: <Agent DATA Path>\DB
Description: Generated on client systems when the server deploys an agent to them. This file contains details related to:
• Agent-to-server communication
• Policy enforcement
• Other agent tasks

Log file name: FrmInst_<system>.log
Location: %temp%\McAfeeLogs
Description: Generated when the FrmInst.exe is used to install the McAfee Agent. This file contains:
• Informational messages.
• Progress messages.
• Failure messages if installation fails.

Log file name: MCScript.log
Location: <Agent DATA Path>\DB
Description: Contains the results of script commands used during agent deployment and updating. To enable the DEBUG mode for this log, set the following DWORD value on the client’s registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DWDEBUGSCRIPT=2
NOTE: McAfee recommends that you delete this key when you are finished troubleshooting.

Log file name: MfeAgent.MSI.<DATE>.log
Location: %temp%\McAfeeLogs
Description: Contains details about the MSI installation of the agent.

Log file name: PrdMgr_<SYSTEM>.log
Location: <Agent DATA Path>\DB
Description: Contains details about agent communications with other McAfee products.

Log file name: UpdaterUI_<system>.log
Location: %temp%\McAfeeLogs
Description: Contains details of the updates to managed products on the client system.

Agent error logs

When the agent traps errors, they are reported in Agent error logs. Agent error logs are named for their primary log counterpart. For example, when errors occur while performing client tasks, the MCScript_Error.log file is created. Error logs contain only details about errors.

Rogue System Detection logs

Rogue System Detection log files contain details about the installation of and actions performed by the Rogue System Sensor. These logs are located on the system where the sensor is deployed.

Table 4: Rogue System Detection logs

Log file name: RSDSEN450-Install-MSI.log
Location: %temp%\McAfeeLogs
Description: Generated on client systems when the server deploys a Rogue System Sensor to a client system. This file contains details related to the sensor install.

Log file name: RSDSEN450-Uninstall-MSI.log
Location: %temp%\McAfeeLogs
Description: Generated on client systems when the server removes a Rogue System Sensor from a client system. This file contains details related to sensor uninstall.

Log file name: RSDSensor_out.log
Location: Program Files\McAfee\RSDSensor
Description: Contains details about all actions performed by the sensor.

Rogue System Sensor log file configuration

The Rogue System Sensor log file (RSDSensor_out.log) can be configured to log specific details. Use the RSSensor_log.cfg to configure the Rogue System RSDSensor_out.log with the following values:

• DEBUG — The most detail available. This setting is useful when very detailed information is necessary for advanced troubleshooting.

• INFO — Provides a high level of detail. This setting is useful when working with product support to resolve specific issues.

• WARN — Provides a moderate level of detail appropriate for most troubleshooting scenarios.

• ERROR — Provides the lowest level of logging.

Use the following table to set log properties to output the details you need.

Table 5: RSSensor_log.cfg properties and values

Property: log4cplus.rootLogger
Default value: WARN
Description: This is the root logger. All loggers that do not have a specifically assigned value use the value set here.

Property: log4cplus.logger.RSDSensor.NetListner
Default value: WARN
Description: This is the logger for network traffic visible to the sensor.

Property: log4cplus.logger.RSDSensor.Resolver
Default value: WARN
Description: This is the logger for the host resolver which the sensor uses to determine operating system information.

Property: log4cplus.appender.SENSORLOG.File
Default value: $(SENSOR_DIR)\RSDSensor_out.log
NOTE: This value should not be modified.
Description: This value defines the name of the log file.

Property: log4cplus.appender.SENSORLOG.MaxFileSize
Default value: 5MB
Description: This value defines the size of the log file. When the log reaches the specified size limit a new file is created that is appended with a numeric value. For example, RSDSensor_out.log.1. Numbers are appended chronologically, where the highest number denotes the oldest log. When the maximum number of logs is reached, the oldest is deleted.

Property: log4cplus.appender.SENSORLOG.MaxBackupIndex
Default value: 5
Description: This value specifies how many log files should be retained.


About log file path variables, file size and backup logs

The locations of log files depend on how and where ePolicy Orchestrator and the agent are installed in your environment. The following table defines the path variables used to describe log file locations in this document.

Table 6: Path variables

Variable: <Agent DATA Path>
Description: To determine the actual location of the agent data files, view this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DATA PATH. For more information, see “Agent installation directory” in the ePolicy Orchestrator 4.5 Product Guide or Help.

Variable: %temp%
Description: This is the Temp folder of the currently logged on user. To access this folder, select Start | Run, then type %temp% in the Open text box, and click OK.

Variable: <InstallDir>
Description: The default location of the ePolicy Orchestrator 4.5 server software is C:\PROGRAM FILES\MCAFEE\EPOLICY ORCHESTRATOR

Log file size and BACKUP logs

When a log file reaches its maximum size, BACKUP is added before the file name extension and a new log file is created. For example, when Agent_<SYSTEM>.log reaches its maximum size, it is renamed Agent_<SYSTEM>_BACKUP.log. If a BACKUP log already exists, it is overwritten. Depending on how recently the BACKUP was created, it might contain current entries. Examine both log files to make sure you view all current entries.

The default log size is 1 MB. To change the size, create the DWORD value LOGSIZE in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR, then set the value data to the size desired. For example, 20=20MB.

Logging levels for debugging

This section provides information about setting the logging levels for logs in general. For information about adjusting the logging of the Tomcat servlet container, see Adjusting the Tomcat log level.

The scope and depth of the information in most log files are determined by the log level, a value ranging from 1 to 8.

• Messages logged at each level include all messages at the current level and all lower logging levels.

• The default value (7) is generally considered adequate for ordinary debugging.

• Log level 8 produces output, including every SQL query, whether or not there is an error. Log level 8 also provides communication details for troubleshooting network and proxy server issues.

The following table describes each message type and logging level.

Table 7: Messages reported at each log level

Logging level | Message type | Description
1 | e (error) | User error message, translated
2 | w (warning) | User warning message, translated
3 | i (information) | User information message, translated
4 | x (extended data) | User extended information message, translated
5 | E (error) | Debug error message, English only
6 | W (warning) | Debug warning message, English only
7 | I (information), or none | Debug information message, English only
8 | X (extended data) | Debug extended information message, English only

The following table lists the locations of the values that control logging levels, which can be modified.

NOTE: You cannot modify the logging levels of all logs.

Table 8: Location of values controlling log levels and when they take effect

Log file: Agent_<system>.log
Location of controlling log level value: DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

Log file: Core-install.log
Location of controlling log level value: Cannot change

Log file: EpoApSvr.log
Location of controlling log level value: DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

Log file: EPO450-CommonSetup.log
Location of controlling log level value: Debug Output value at: %temp%\MCAFEELOGS\EPO450-DEBUG.INI
Setting change takes effect: Immediately upon saving changes.

Log file: EPO450-Install-MSI.log
Location of controlling log level value: Debug Output value at: %temp%\MCAFEELOGS\EPO450-DEBUG.INI
Setting change takes effect: Immediately upon saving changes.

Log file: Errorlog.<CURRENT_DATETIME>.log
Location of controlling log level value: Not applicable. This file is created by the Apache service.

Log file: Eventparser.log
Location of controlling log level value: DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

Log file: FrmInst_<system>.log
Location of controlling log level value: DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: At run-time.

Log file: Jakarta_Service_<DATE>.log
Location of controlling log level value: For more information, see "Adjusting the Tomcat log level."
Setting change takes effect: Upon startup of McAfee ePolicy Orchestrator 4.5.0 Application Server service.

Log file: Licensing.log
Location of controlling log level value: Cannot change.

Log file: Localhost_access_log.<DATE>.txt
Location of controlling log level value: For more information, see "Adjusting the Tomcat log level."
Setting change takes effect: Upon startup of McAfee ePolicy Orchestrator 4.5.0 Application Server service.

Log file: MCSCRIPT.log
Location of controlling log level value:
Windows platforms: dwDebugScript in HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\Framework
UNIX platforms: DebugScript in /etc/cma.d/<ePOAgent's software ID>/config.xml
Setting change takes effect: Immediately

Log file: Orion.log
Location of controlling log level value: <INSTALL DIR>\SERVER\CONF\ORION\LOG-CONFIG.XML. See “MaxFileSize” parameter value in “Rolling log file” section. See also PriorityValue in <root> section.
Setting change takes effect: Upon startup of McAfee ePolicy Orchestrator 4.5.0 Application Server service.

Log file: PrdMgr_<SYSTEM>.log
Location of controlling log level value: DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

Log file: Replication.log
Location of controlling log level value: Cannot change.
Setting change takes effect: Within one minute.

Log file: Server.log
Location of controlling log level value: DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Upon startup of McAfee ePolicy Orchestrator 4.5.0 Server service.

Log file: SQL2K5bCINST.log
Location of controlling log level value: Cannot change.

Log file: Stderr.log
Location of controlling log level value: Cannot change.

Log file: UpdaterUI_<SYSTEM>.log
Location of controlling log level value: DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
Setting change takes effect: Within one minute.

Adjusting the Tomcat log level

The file name of the Tomcat log is ORION.LOG. The Tomcat log is created by the McAfee ePolicy Orchestrator 4.5.0 Application Server.

To adjust its logging level, do the following.

Task

1 Using a text editor, open the Log-Config.xml file, located at: C:\PROGRAM FILES\McAfee\ePolicy Orchestrator\Server\conf\orion

2 In the following lines of text, replace “warn” with “info” or “debug”:

<root>
  <priority value ="warn"/>
  <appender-ref ref="ROLLING" />
  <appender-ref ref="STDOUT" />
</root>

3 Save and close the file. Tomcat automatically adjusts the log level when the McAfee ePolicy Orchestrator 4.5.0 Application Server service is restarted.

Troubleshooting policy updates

To troubleshoot incremental policy update issues from the server-side, do the following.

Task

1 Create the DWORD registry value SAVEAGENTPOLICY = 1 in: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR

2 Restart all ePolicy Orchestrator services. The ePolicy Orchestrator server creates the file <AGENTGUID>_<TIMESTAMP>_SERVER.XML at <INSTALLATION PATH>\DB\DEBUG, which contains a copy of the content that the server deployed.
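
The troubleshooting switches described in this guide (LOGLEVEL, SAVEAGENTPOLICY, DWDEBUGSCRIPT and the root priority in Log-Config.xml) all increase what is written to disk, and the guide recommends deleting the MCScript debug value once troubleshooting is finished. The PowerShell audit below is an added example, not McAfee code, that reports which of them are still switched on. It assumes the default <InstallDir> and also checks the Wow6432Node registry view, which this guide does not mention.

```powershell
# Added example, not McAfee code. Reports ePO 4.5 troubleshooting settings
# that are still enabled. Value names and paths are the ones in this guide.

# Assumption: on 64-bit Windows a 32-bit install is redirected to
# Wow6432Node, so both registry views are checked.
$RegistryRoots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'

$RegistryChecks = @(
    @{ Key  = 'Network Associates\ePolicy Orchestrator'; Name = 'LOGLEVEL'
       Test = { param($v) $v -ge 8 }
       Why  = 'Level 8 logs every SQL query and communication details' }
    @{ Key  = 'Network Associates\ePolicy Orchestrator'; Name = 'SAVEAGENTPOLICY'
       Test = { param($v) $v -eq 1 }
       Why  = 'Server saves deployed policy content under DB\DEBUG' }
    @{ Key  = 'Network Associates\TVD\Shared Components\Framework'; Name = 'DWDEBUGSCRIPT'
       Test = { param($v) $v -eq 2 }
       Why  = 'MCScript.log is in DEBUG mode' }
)

function Get-EpoDebugSetting {
    param([string]$InstallDir = 'C:\Program Files\McAfee\ePolicy Orchestrator')

    foreach ($root in $RegistryRoots) {
        foreach ($check in $RegistryChecks) {
            $key  = Join-Path $root $check.Key
            $item = Get-ItemProperty -Path $key -Name $check.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }      # key or value not present
            $value = $item.($check.Name)
            if (& $check.Test $value) {
                [pscustomobject]@{ Location = $key; Setting = $check.Name
                                   Value = $value; Why = $check.Why }
            }
        }
    }

    # Tomcat (Orion.log) level: the priority value inside <root> of Log-Config.xml.
    $config = Join-Path $InstallDir 'Server\conf\orion\Log-Config.xml'
    if (Test-Path -LiteralPath $config) {
        $text  = [IO.File]::ReadAllText($config)
        $match = [regex]::Match($text, '(?s)<root>.*?<priority\s+value\s*=\s*"([^"]+)"')
        if ($match.Success -and ('info', 'debug' -contains $match.Groups[1].Value)) {
            [pscustomobject]@{ Location = $config; Setting = 'root priority'
                               Value = $match.Groups[1].Value
                               Why = 'Orion.log raised from "warn"' }
        }
    }
}

Get-EpoDebugSetting | Format-List
```

An empty result means none of the listed settings is at a troubleshooting value on the system where the script runs.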

Interpreting Windows error codes

To understand Windows error messages, identify the error code and look it up in the MSDN library.

1 Locate messages of type e or E in the log file.

2 Identify the time that the problem occurred, if known.

3 Note the Windows error code associated with the problem event.

4 Find the error code in the MSDN library at: http://msdn2.microsoft.com/en-us/library/ms681381.aspx

For example, when tracking down an error message that includes code 1326, navigate to and click the code in the list of system error codes. The explanation of the code is displayed: 1326 ERROR_LOGON_FAILURE Logon failure: unknown user name or bad password

NOTE: You can also use the ERRLOOK.EXE utility to determine the cause of these error codes. This utility is distributed with Microsoft Visual Studio.
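
Steps 1 to 4, combined with the BACKUP behaviour described under "Log file size and BACKUP logs", as an added PowerShell example that is not part of the McAfee guide: it reads the BACKUP file and then the current log, keeps messages of type e or E, and resolves any Windows error code with the .NET Win32Exception class. The line layout, the position of the error code in the message and the sample lines are assumptions constructed for the illustration.

```powershell
# Added example, not McAfee code. The guide does not document the log line
# layout; this assumes "timestamp type message" separated by whitespace, and
# that the Windows error code follows the word "error" or "code".
function Get-EpoErrorMessage {
    param([Parameter(Mandatory = $true)][string]$LogPath)

    # <name>.log -> <name>_BACKUP.log. The BACKUP file is read first so that
    # entries come out oldest to newest.
    $name   = [IO.Path]::GetFileNameWithoutExtension($LogPath) + '_BACKUP' +
              [IO.Path]::GetExtension($LogPath)
    $backup = Join-Path (Split-Path -Parent $LogPath) $name

    foreach ($file in @($backup, $LogPath)) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        foreach ($line in Get-Content -LiteralPath $file) {
            if ($line -match '^(?<time>\S+)\s+(?<type>[eE])\s+(?<text>.*)$') {
                $time = $Matches['time']; $type = $Matches['type']; $text = $Matches['text']
                $code = $null; $meaning = $null
                if ($text -match '(?:error|code)\D{0,10}(?<code>\d{1,5})\b') {
                    $code    = [int]$Matches['code']
                    # Same lookup that ERRLOOK.EXE or the MSDN list provides.
                    $meaning = (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message
                }
                [pscustomobject]@{
                    File    = Split-Path -Leaf $file
                    Time    = $time
                    # Table 7: e = translated user error (level 1), E = debug error (level 5)
                    Level   = if ($type -ceq 'e') { 1 } else { 5 }
                    Code    = $code
                    Meaning = $meaning
                    Text    = $text
                }
            }
        }
    }
}

# Constructed sample files, written to a scratch directory.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'epo-log-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'Agent_DEMO_BACKUP.log') -Value @(
    '20090812101501 I Agent started'
    '20090812101530 E Connection to server failed, error code 1326'
)
Set-Content -LiteralPath (Join-Path $demo 'Agent_DEMO.log') -Value @(
    '20090812111002 e Unable to update, error 5'
    '20090812111005 i Next policy enforcement in 5 minutes'
)

Get-EpoErrorMessage -LogPath (Join-Path $demo 'Agent_DEMO.log') | Format-Table -AutoSize
```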

Agent activity log

The agent activity log (AGENT_<SYSTEM>.XML) contains copies of messages from the AGENT_<SYSTEM>.LOG, including translated messages, of types “e,” “w,” and “i,” (corresponding to logging levels 1 – 3). This file is not intended for debugging, but as information for users not likely to be troubleshooting. Messages of type “x” (logging level 4) can be included in the activity log. For information on setting levels, see Logging levels for debugging.

Information in the activity log also appears in the Agent Monitor.

If you enable remote access to the agent activity log file, you can also view the agent debug log files remotely by clicking View debug log (current or previous) in the header of the Show Agent Log display. For instructions, see Agent Activity Logs and Viewing the agent activity log in the ePolicy Orchestrator 4.5 Product Guide or Help.