McAfee ePolicy Orchestrator 4.

5
Log Files
Reference Guide
COPYRIGHT
Copyright © 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE
EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN,
WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in
connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property
of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.

2 McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide

Contents
McAfee ePolicy Orchestrator 4.5 Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Installer logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Server logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Agent logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Rogue System Detection logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

About log file path variables, file size and backup logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Logging levels for debugging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Adjusting the Tomcat log level. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Troubleshooting policy updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Interpreting Windows error codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Agent activity log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide 3

McAfee ePolicy Orchestrator 4.5 Log Files
ePolicy Orchestrator generates a record of its activities and stores the information in many log
files. The log files detailed in this guide represent a subset of all ePO log files, with particular
attention to those most commonly used when managing and troubleshooting product issues.
They are separated into three categories:
• Installer logs — Include details about installation path, user credentials, database used, and
communication ports configured.
• Server logs — Include details about server functionality, client event history, and administrator
services.
• Agent logs — Include details about agent installation, wake-up calls, updating, and policy
enforcement.
• Rogue System Detection logs — Include details about Rogue System Sensor install and
uninstall, and Sensor actions.

Contents
Installer logs
Server logs
Agent logs
Rogue System Detection logs
About log file path variables, file size and backup logs
Logging levels for debugging
Adjusting the Tomcat log level
Troubleshooting policy updates
Interpreting Windows error codes
Agent activity log

Installer logs
Installer log files contain details about the ePolicy Orchestrator installation process including:
• Actions taken by specific components
• Administrator services used by the server

4 McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide

 McAfee ePolicy Orchestrator 4.5 Log Files
Server logs

• Success and failure of critical processes

Table 1: Installer logs
Log file name Description Location

Core-install.log Generated during ePolicy Orchestrator installation. %temp%\McAfeeLogs\

This file contains details such as: EPO450-Troubleshoot\Orion
Framework
• Creation of server database tables
• Installation of server components

EPO450-Checkin-Failure.log Generated when the installer fails to check in any of %temp%\McAfeeLogs

the following package types:
• Extensions
• Plug-ins
• Deployment packages
• Agent packages

EPO450-CommonSetup.log Contains details about ePolicy Orchestrator 4.5 MSI %temp%\McAfeeLogs

installer including:
• CustomAction logging
• SQL, DTS (Microsoft Data Transformation
Services), and service related calls
• Registering and unregistering DLLs
• Files and folders marked for deletion at reboot

EPO450-Install-MSI.log The primary ePO installation log. This file logs all %temp%\McAfeeLogs
details about the installation including:
• Installer actions
• Installation failures

Licensing.log Generated when installation of a licensed version of %temp%\McAfeeLogs

ePolicy Orchestrator fails. Use this log file to check
the details of the license and any issues with the
Common License Application.

SQL2K5bCINST.LOG Contains details about the installation of Microsoft %temp%\McAfeeLogs

SQL 2005 Backward Compatibility. This file is
generated only when SQL 2005 Backward
Compatibility is optionally installed by the ePO
installer.

Server logs
Server log files contain details on server functionality and various administrator services used
by ePolicy Orchestrator 4.5.
Table 2: Server logs
Log file name Description Location

<AgentGuid>_<Timestamp>_Server.xml Contains details about policy updating <InstallDir>\DB\DEBUG

issues. To enable this file, create the
following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\
NETWORK ASSOCIATES\EPOLICY
ORCHESTRATOR. Then, specify the
following setting:
SAVEAGENTPOLICY(REG_DWORD)=1

McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide 5

 McAfee ePolicy Orchestrator 4.5 Log Files
Server logs

Log file name Description Location

Dbmigrate.log Contains details about database %temp%\McAfeeLogs

migration generated during an upgrade
from an earlier version of the software.

EpoApSvr.log Contains details related to repository <InstallDir>\DB\Logs

actions such as:
• Pull tasks
• Checking in deployment packagesto
the repository
• Deleting deployment packages from
the repository

Errorlog.<CURRENT_DATETIME> Contains details related to the Apache <InstallDir>\Apache2\logs

service. This file is not present until after
the Apache service is started for the first
time.

Eventparser.log Contains details about the ePolicy <InstallDir>\DB\Logs

Orchestrator event parser services, such
as product event parsing success or
failure.

Jakarta_service_<DATE>.log Contains details about the ePO <InstallDir>\Server\logs

Application Server service. This file is not
present until after the Tomcat service is
started for the first time.

Localhost_access_log.<DATE>.txt Records all requests from client systems <InstallDir>\Server\logs

received by the ePO server. This file is
not present until after the Tomcat
service is started for the first time.

Orion.log Contains details on server functionalities <InstallDir>\Server\logs

and all extensions loaded by default. This
file is not present until after the ePO
Application Server service is started for
the first time.

Replication.log The ePO server replication log file. This <InstallDir>\DB\Logs

file is generated when all of the following
are true:
• There are distributed repositories.
• A replication task has been
configured.
• A replication task has run.

Server.log Contains details related to agent-server <InstallDir>\DB\Logs

communications.
NOTE: The Siteinfo.ini file is updated
when server port numbers are changed.
This log file contains details about the
version of Siteinfo.ini file and changed
port numbers.

Stderr.log Contains any Standard Error output that <InstallDir>\Server\logs

the Tomcat service captures. This file is
not present until after the Tomcat
service is started the first time.

6 McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide

 McAfee ePolicy Orchestrator 4.5 Log Files
Agent logs

Agent logs
Agent log files contain actions triggered or taken by the McAfee Agent.
Table 3: Agent logs
Log file name Description Location

Agent_<system>.log
Generated on client systems when the server deploys <Agent DATA Path>\DB
an agent to them. This file contains details related
to:
• Agent-to-server communication
• Policy enforcement
• Other agent tasks

FrmInst_<system>.log Generated when the FrmInst.exe is used to install %temp%\McAfeeLogs

the McAfee Agent. This file contains:
• Informational messages.
• Progress messages.
• Failure messages if installation fails.

MCScript.log Contains the results of script commands used during <Agent DATA Path>\DB
agent deployment and updating. To enable the
DEBUG mode for this log, set the following DWORD
value on the client’s registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK
ASSOCIATES\TVD\SHARED
COMPONENTS\FRAMEWORK\DWDEBUGSCRIPT=2
NOTE: McAfee recommends that you delete this key
when you are finished troubleshooting.

MfeAgent.MSI.<DATE>.log Contains details about the MSI installation of the %temp%\McAfeeLogs

agent.

PrdMgr_<SYSTEM>.log Contains details about agent communications with <Agent DATA Path>\DB
other McAfee products.

UpdaterUI_<system>.log Contains details of the updates to managed products %temp%\McAfeeLogs

on the client system.

Agent error logs

When the agent traps errors, they are reported in Agent error logs. Agent error logs are named
for their primary log counterpart. For example, when errors occur while performing client tasks,
the MCScript_Error.log file is created. Error logs contain only details about errors.

Rogue System Detection logs

Rogue System Detection log files contain details about the installation of and actions performed
by the Rogue System Sensor. These logs are located on the system where the sensor is deployed.
Table 4: Rogue System Detection logs
Log file name Description Location

RSDSEN450-Install-MSI.log Generated on client systems when the server deploys %temp%\McAfeeLogs

a Rogue System Sensor to a client system. This file
contains details related to the sensor install.

McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide 7

 McAfee ePolicy Orchestrator 4.5 Log Files
Rogue System Detection logs

Log file name Description Location

RSDSEN450-Uninstall-MSI.log Generated on client systems when the server removes %temp%\McAfeeLogs

a Rogue System Sensor from a client system. This
file contains details related to sensor uninstall.

RSDSensor_out.log Contains details about all actions performed by the Program Files\McAfee\RSD
sensor. Sensor

Rogue System Sensor log file configuration

The Rogue System Sensor log file (RSDSensor_out.log) can be configured to log specific details.
Use the RSSensor_log.cfg to configure the Rogue System RSDSensor_out.log with the following
values:
• DEBUG — The most detail available. This setting is useful when very detailed information is
necessary for advanced troubleshooting.
• INFO — Provides a high level of detail. This setting is useful when working with product
support to resolve specific issues.
• WARN — Provides a moderate level of detail appropriate for most troubleshooting scenarios.
• ERROR — Provides the lowest level of logging.
Use the following table to set log properties to output the details you need.
Table 5: RSSensor_log.cfg properties and values
Property Description Default value

log4cplus.rootLogger
log4cplus.logger.
RSDSensor.NetListner
log4cplus.logger.
RSDSensor.Resolver
log4cplus.appender.
SENSORLOG.File
This is the root logger. All loggers that do not have WARN
a specifically assigned value use the value set here.
This is the logger for network traffic visible to the WARN
sensor.
This is the logger for the host resolver which the WARN
sensor uses to determine operating system
information.
This value defines the name of the log file. $(SENSOR_DIR)\RSDSensor_out.log
NOTE: This value should not be
modified.

log4cplus.appender. This value defines the size of the log file. When the 5MB
SENSORLOG.MaxFileSize log reaches the specified size limit a new file is
created that is appended with a numeric value. For
example, RSDSensor_out.log.1. Numbers are
appended chronologically, where the highest number
denotes the oldest log. When the maximum number
of logs is reached, the oldest is deleted.
log4cplus.appender.SENSORLOG. This value specifies how many log files should be 5
MaxBackupIndex retained.

8 McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide

 McAfee ePolicy Orchestrator 4.5 Log Files
About log file path variables, file size and backup logs

About log file path variables, file size and backup

logs
The locations of log files depend on how and where ePolicy Orchestrator and the agent is
installed in your environment. The following table defines the path variables used to describe
log file locations in this document.
Table 6: Path variables
Variable Description

<Agent DATA Path> To determine the actual location of the agent data files, view this registry key
HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED
COMPONENTS\FRAMEWORK\DATA PATH. For more information, see “Agent
installation directory” in the ePolicy Orchestrator 4.5 Product Guide or Help.

%temp% This is the Temp folder of the currently logged on user. To access this folder, select
Start | Run, then type %temp% in the Open text box, and click OK.

<InstallDir> The default location of the ePolicy Orchestrator 4.5 server software is
C:\PROGRAM FILES\MCAFEE\EPOLICY ORCHESTRATOR

Log file size and BACKUP logs

When a log file reaches it maximum size, BACKUP is added before the file name extension and
a new log file is created. For example, when Agent_<SYSTEM>.log reaches it maximum size,
it is renamed Agent_<SYSTEM>_BACKUP.log. If a BACKUP log already exists, it is overwritten.
Depending on how recently the BACKUP was created, it might contain current entries. Examine
both log files to to make sure you view all current entries.
The default log size is 1 MB. To change the size, create the DWORD value LOGSIZE in the
registry key HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY
ORCHESTRATOR, then set the value data to the size desired. For example, 20=20MB.

Logging levels for debugging

This section provides information about setting the logging levels for logs in general. For
information about adjusting the logging of the Tomcat servlet container, see Adjusting the
Tomcat log level.
The scope and depth of the information in most log files are determined by the log level, a
value ranging from 1 to 8.
• Messages logged at each level include all messages at the current level and all lower logging
levels.
• The default value (7) is generally considered adequate for ordinary debugging.
• Log level 8 produces output, including every SQL query, whether or not there is an error.
Log level 8 also provides communication details for troubleshooting network and proxy server
issues.

McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide 9

 McAfee ePolicy Orchestrator 4.5 Log Files
Logging levels for debugging

The following table describes each message type and logging level.
Table 7: Messages reported at each log level
Message type Description Logging
level

e (error) User error message, translated 1

w (warning) User warning message, translated 2

I (information) User information message, translated 3

x (extended data) User extended information message, translated 4

E (error) Debug error message, English only 5

W (warning) Debug warning message, English only 6

I (information), or none Debug information message, English only 7

X (extended data) Debug extended information message, English only 8

The following table lists the locations of the values that control logging levels, which can be
modified.
NOTE: You cannot modify the logging levels of all logs.
Table 8: Location of values controlling log levels and when they take effect
Log file Location of controlling log level value Setting change takes
effect...

Agent_<system>.log DWORD registry value at: Within one minute.

HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK
ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL

Core-install.log Cannot change

EpoApSvr.log DWORD registry value at: Within one minute.

HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK
ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL

EPO450-CommonSetup.log Debug Output value at: Immediately upon saving

changes.
%temp%\MCAFEELOGS\EPO450-DEBUG.INI

EPO450-Install-MSI.log Debug Output value at: Immediately upon saving

changes.
%temp%\MCAFEELOGS\EPO450-DEBUG.INI

Errorlog.<CURRENT_DATETIME>.log Not applicable. This file is created by the Apache

service.

Eventparser.log DWORD registry value at: Within one minute.

HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK
ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL

FrmInst_<system>.log DWORD registry value at: At run-time.

HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK
ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL

Jakarta_Service_<DATE>.log For more information, see "Adjusting the Tomcat log Upon startup of McAfee ePolicy
level." Orchestrator 4.5.0 Application
Server service.

Licensing.log Cannot change.

Localhost_access_log.<DATE>.txt For more information, see "Adjusting the Tomcat log Upon startup of McAfee ePolicy
level." Orchestrator 4.5.0 Application
Server service.

10 McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide

 McAfee ePolicy Orchestrator 4.5 Log Files
Adjusting the Tomcat log level

Log file Location of controlling log level value Setting change takes
effect...

MCSCRIPT.log Windows platforms: dwDebugScript in Immediately

HKEY_LOCAL_MACHINE\Software\Network
Associates\TVD\Shared Components\Framework
UNIX platforms: DebugScript in /etc/cma.d/<ePO
Agent's software ID>/config.xml

Orion.log <INSTALL DIR>\SERVER\CONF\ORION Upon startup of McAfee ePolicy

\LOG-CONFIG.XML. See “MaxFileSize” parameter Orchestrator 4.5.0 Application
value in “Rolling log file” section. See also Priority Server service.
Value in <root> section.

PrdMgr_<SYSTEM>.log DWORD registry value at: Within one minute.

HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK
ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL

Replication.log Cannot change. Within one minute.

Server.log DWORD registry value at: Upon startup of McAfee ePolicy

HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK Orchestrator 4.5.0 Server
ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL service.

SQL2K5bCINST.log Cannot change.

Stderr.log Cannot change.

UpdaterUI_<SYSTEM>.log DWORD registry value at: Within one minute.

HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK
ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL

Adjusting the Tomcat log level

The file name of the Tomcat log is ORION.LOG. The Tomcat log is created by the McAfee ePolicy
Orchestrator 4.5.0 Application Server.
To adjust its logging level, do the following.

Task
1 Using a text editor, open the Log-Config.xml file, located at:
C:\PROGRAMFILES>\McAfee\ePolicyOrchestrator\Server\conf\orion
2 In the following line of text, replace “warn” with “info” or “debug”:
<root><priority value ="warn"/><appender-ref ref="ROLLING" /><appender-ref ref="STDOUT/></root>
3 Save and close the file.
Tomcat automatically adjusts the log level when the McAfee ePolicy Orchestrator 4.5.0
Application Server services is restarted.

Troubleshooting policy updates

To troubleshoot incremental policy update issues from the server-side, do the following.

McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide 11

 McAfee ePolicy Orchestrator 4.5 Log Files
Interpreting Windows error codes

Task
1 Create the DWORD registry value SAVEAGENTPOLICY = 1 in:
HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR
2 Restart all ePolicy Orchestrator services.
The ePolicy Orchestrator server creates the file
<AGENTGUID>_<TIMESTAMP>_SERVER.XML at <INSTALLATION PATH>\DB\DEBUG,
which contains a copy of the content that the server deployed.

Interpreting Windows error codes

To understand Windows error messages, identify the error code and look it up in the MSDN
library.
1 Locate messages of type e or E in the log file.
2 Identify the time that the problem occurred, if known.
3 Note the Windows error code associated with the problem event.
4 Find the error code in the MSDN library at:
http://msdn2.microsoft.com/en-us/library/ms681381.aspx
For example, when tracking down an error message that includes code 1326, navigate to
and click the code in the list of system error codes. The explanation of the code is displayed:
1326 ERROR_LOGON_FAILURE Logon failure: unknown user name or bad password

NOTE: You can also use the ERRLOOK.EXE utility to determine the cause of these error
codes. This utility is distributed with Microsoft Visual Studio.

Agent activity log

The agent activity log (AGENT_<SYSTEM>.XML) contains copies of messages from the
AGENT_<SYSTEM>.LOG, including translated messages, of types “e,” “w,” and “i,” (corresponding
to logging levels 1 – 3). This file is not intended for debugging, but as information for users not
likely to be troubleshooting. Messages of type “x” (logging level 4) can be included in the activity
log. For information on setting levels, see Logging levels for debugging.
Information in the activity log also appears in the Agent Monitor.
If you enable remote access to the agent activity log file, you can also view the agent debug
log files remotely by clicking View debug log (current or previous) in the header of the
Show Agent Log display. For instructions, see Agent Activity Logs and Viewing the agent
activity log in the ePolicy Orchestrator 4.5 Product Guide or Help.

12 McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide