Using Log Files for Troubleshooting in ePolicy Orchestrator 4.

0 Guide

COPYRIGHT Copyright 2007 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE, LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD, PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE, SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. License Attributions Refer to the product Release Notes.

Using Log Files for Troubleshooting in ePolicy Orchestrator 4.0

Contents
Troubleshooting with Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Log file names and locations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Typical issues addressed by logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Logging levels for debugging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 When setting changes take effect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Adjusting the Tomcat log level. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Logging agent updating and deployment scripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Troubleshooting policy updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Interpreting Windows error codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Agent activity log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Use of the VirusScan update log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Using Log Files for Troubleshooting in ePolicy Orchestrator 4.0

Troubleshooting with Log Files

ePolicy Orchestrator includes many log files that you can use for troubleshooting. This document describes how to use the log files and provides the following information: Name and location of log files. Typical issues requiring troubleshooting, and the log files likely to be helpful. Setting the size of log files and the depth and scope of logging. When changes to logging settings take effect. Types of log files: McAfee Agent log files and ePolicy Orchestrator log files. Five of the files are associated with the McAfee Agent:
AGENT_<SYSTEM>.LOG FRMINST_<SYSTEM>.LOG MCSCRIPT.LOG PRDMGR_<SYSTEM>.LOG UPDATERUI_<SYSTEM>.LOG

All other log files are associated with ePolicy Orchestrator and its installer. Contents Log file names and locations Typical issues addressed by logs Logging levels for debugging When setting changes take effect Adjusting the Tomcat log level Logging agent updating and deployment scripts Troubleshooting policy updates Interpreting Windows error codes Agent activity log Use of the VirusScan update log

Using Log Files for Troubleshooting in ePolicy Orchestrator 4.0

Troubleshooting with Log Files Log file names and locations

Log file names and locations

Table 1 lists the name and location of each ePolicy Orchestrator 4.0 log file. Table 2 explains frequently repeated path variables. Table 1: Log files and their locations
Log file name AGENT_<SYSTEM>.LOG, AGENT_<SYSTEM>_BACKUP.LOG <AGENTGUID>-<TIMESTAMP>.XML (if registry value has been set) CORE-INSTALL.LOG Location <AGENT DATA PATH>\DB

<INSTALLATION PATH>\DB\DEBUG (see Troubleshooting with Log Files) <CURRENT USERS TEMP DIRECTORY>\NAILOGS\EPO400-TROUBLESHOOT\ORION FRAMEWORK <CURRENT USERS TEMP DIRECTORY>\NAILOGS\EPO400-TROUBLESHOOT\ORION FRAMEWORK <CURRENT USERS TEMP DIRECTORY>\NAILOGS\ORION FRAMEWORK <CURRENT USERS TEMP DIRECTORY>\NAILOGS\EPO400-TROUBLESHOOT\ORION FRAMEWORK <INSTALLATION PATH>\DB\LOGS <CURRENT USERS TEMP DIRECTORY>\NAILOGS <CURRENT USERS TEMP DIRECTORY>\NAILOGS\MERCURY FRAMEWORK <CURRENT USERS TEMP DIRECTORY>\NAILOGS <INSTALLATION PATH>\MCAFEE\APACHE2\LOGS <INSTALLATION PATH>\DB\LOGS C:\WINDOWS\NAILOGS or C:\WINDOWS\TEMP\NAILOGS or C:\DOCUMENTS AND SETTINGS\<CURRENT USER\LOCAL SETTINGS\TEMP\NAILOGS PROGRAMFILES\MCAFEE\EPOLICY ORCHESTRATOR\SERVER\LOGS <CURRENT USERS TEMP DIRECTORY>\NAILOGS PROGRAMFILES\MCAFEE\EPOLICY ORCHESTRATOR\SERVER\LOGS <AGENT DATA PATH> <CURRENT USERS TEMP DIRECTORY>\NAILOGS PROGRAMFILES\MCAFEE\EPOLICYORCHESTRATOR\SERVER\LOGS

ENV-CORE-INSTALL.LOG

ENV-INSTALL.LOG

ENV-TOMCAT-INSTALL.LOG

EPOAPSVR.LOG EPO400COMMONSETUP.LOG EPO-INSTALL.LOG

EPO400-INSTALL-MSI.LOG ERRORLOG.<CURRENT_DATETIME> EVENTPARSER.LOG, EVENTPARSER_BACKUP.LOG FRMINST_<SYSTEM>.LOG

JAKARTA_SERVICE_<DATE>.LOG

LICENSING.LOG LOCALHOST_ACCESS_LOG.<DATE>.TXT

MCSCRIPT.LOG MIGRATION.LOG ORION.LOG

Using Log Files for Troubleshooting in ePolicy Orchestrator 4.0

Troubleshooting with Log Files Log file names and locations

Log file name PRDMGR_<SYSTEM>.LOG, PRDMGR_<SYSTEM>_BACKUP.LOG REPLICATION.LOG SERVER.LOG, SERVER_BACKUP.LOG SQL2K5bCINST.LOG STDERR.LOG

Location <AGENT DATA PATH>\DB

<INSTALLATION PATH>\DB\LOGS <INSTALLATION PATH>\DB\LOGS <CURRENT USERS TEMP DIRECTORY>\NAILOGS PROGRAMFILES\MCAFEE\EPOLICY ORCHESTRATOR\SERVER\LOGS <CURRENT USERS TEMP DIRECTORY>\NAILOGS

UPDATERUI_<SYSTEM>.LOG

NOTE: Paths that include the folder EPO400-TROUBLESHOOT point to the log file generated for a failed operation. If the operation succeeds, the path does not include the EPO400-TROUBLESHOOT folder. Table 2: Path variables
Variable <AGENT DATA PATH> Description The default location of the agent data files is <DOCUMENTS AND SETTINGS>\ALL USERS\APPLICATION DATA\MCAFEE\COMMON FRAMEWORK <DOCUMENTS AND SETTINGS> is the location of the DOCUMENTS AND SETTINGS folder, which depends on the operating system. If the operating system does not use a DOCUMENTS AND SETTINGS folder, the default location is <AGENT INSTALLATION PATH>\DATA. To determine the actual location of the agent data files, view this registry key HKEY-LOCAL_MACHINE\SOFTWARE\MCAFEE\TVD\SHARED COMPONENTS\FRAMEWORK\DATA PATH. For more information, see Agent installation directory in the ePolicy Orchestrator 4.0 Product Guide or Help. <CURRENT USERS TEMP DIRECTORY> This is the currently logged on users Temp folder. To access this folder, select Start | Run, then type %temp% in the Open text box, and click OK. The default location of the ePolicy Orchestrator 4.0 server software is C:\PROGRAMFILES\MCAFEE\EPOLICY ORCHESTRATOR

<INSTALLATION PATH>

Log file size and BACKUP logs When a log file reaches it maximum size, BACKUP is added to the file name extension and a new log file is created. For example, when AGENT_<SYSTEM>.LOG reaches it maximum size, its name becomes AGENT_<SYSTEM>_BACKUP.LOG. If a BACKUP log already exists, it is overwritten. Depending on how recently the BACKUP was created, it may contain current entries. Examine both log files to ensure comprehensiveness. The default log size is 1MB. To change the size, create the DWORD value LOGSIZE in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR, then set the value data to the size desired. For example, 2=2MB.

Using Log Files for Troubleshooting in ePolicy Orchestrator 4.0

Troubleshooting with Log Files Typical issues addressed by logs

Typical issues addressed by logs

Table 3 identifies the types of issues recorded in each ePolicy Orchestrator 4.0 log file. Table 3: Typical issues and the log files to consult
For issues with... Agent: in general; client communication tasks See these log files AGENT_<SYSTEM>.LOG, AGENT_<SYSTEM>_BACKUP.LOG FRMINST_<SYSTEM>.LOG EPOAPSVR.LOG UPDATERUI_<SYSTEM>.LOG EPOAPSVR.LOG SERVER.LOG SQL2K5bCINST.LOG

Agent: installation; uninstallation Agent: push Agent: updating client, managed products Agent: wake-up Agent-server communication Backward Compatibility for SQL (if installed during ePolicy Orchestrator installation) Client tasks: communication

AGENT_<SYSTEM>.LOG AGENT_<SYSTEM>_BACKUP.LOG PRDMGR_<SYSTEM>.LOG PRDMGR_<SYSTEM>_BACKUP.LOG PRDMGR_<SYSTEM>.LOG PRDMGR_<SYSTEM>_BACKUP.LOG, MCSCRIPT.LOG AGENT_<SYSTEM>.LOG, SERVER.LOG, SERVER_BACKUP.LOG REPLICATION.LOG, EPOAPSVR.LOG, ORION.LOG ERRORLOG.<CURRENT_DATETIME> STDERR.LOG, JAKARTA_SERVICE_<DATE>.LOG, LOCALHOST_ACCESS_LOG.<DATE>.TXT EVENTPARSER.LOG, EVENTPARSER_BACKUP.LOG CORE-INSTALL.LOG, ENV-CORE-INSTALL.LOG, EPO-INSTALL.LOG, ENV-TOMCAT-INSTALL.LOG EPO400COMMONSETUP.LOG EPO400-INSTALL-MSI.LOG ORION.LOG LICENSING.LOG MIGRATION.LOG, EPO400-INSTALL-MSI.LOG ORION.LOG PRDMGR_<SYSTEM>.LOG, PRDMGR_<SYSTEM>_BACKUP.LOG

Client tasks: scripts

Communication: client-server

Distributed repositories Error: Apache web server Error: Tomcat servlet container

Events, event update Installation: ePolicy Orchestrator calls to background, foundation, or other platforms and technologies Installation: ePolicy Orchestrator custom actions Installation: ePolicy Orchestrator Interface: Issues arising after changes to... License Migration: from earlier version Notifications Plug-in files

Using Log Files for Troubleshooting in ePolicy Orchestrator 4.0

Troubleshooting with Log Files Logging levels for debugging

For issues with... Policies

See these log files AGENT_<SYSTEM>.LOG, AGENT_<SYSTEM>_BACKUP.LOG, SERVER.LOG <AGENTGUID>-<TIMESTAMP>.XML (if registry value has been set) SERVER.LOG EPOAPSVR.LOG, ORION.LOG, REPLICATION.LOG EPOAPSVR.LOG EPOAPSVR.LOG, ORION.LOG, REPLICATION.LOG AGENT_<SYSTEM>.LOG MCSCRIPT.LOG SERVER.LOG, SERVER_BACKUP.LOG, ORION.LOG EPO400COMMONSETUP.LOG, EPO400-INSTALL-MSI.LOG AGENT_<SYSTEM>.LOG, AGENT_<SYSTEM>_BACKUP.LOG UPDATERUI_<SYSTEM>.LOG <AGENTGUID>-<TIMESTAMP>.XML (if registry value has been set) MIGRATION.LOG, EPO400-INSTALL-MSI.LOG ORION.LOG

Policy update

Product property update Pull Push agent Replicate Script: client task Scripts: engine; messages Server: in general Server: installation Updating

Upgrading: from earlier version User interface: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR, issues arising after changes to...

Logging levels for debugging

This section provides information about setting logging levels for logs in general. For information about adjusting the logging of the Tomcat servlet container, see Adjusting the Tomcat log level. The scope and depth of the information in most log files are determined by the log level, a value ranging from 1 to 8. Messages logged at each level include all messages at the current level and all lower logging levels. The default value is 7, generally considered adequate for ordinary debugging. Log level 8 produces output, including every SQL query, whether or not there is an error. Log level 8 also provides communication details for troubleshooting network and proxy server issues.

Using Log Files for Troubleshooting in ePolicy Orchestrator 4.0

Troubleshooting with Log Files Logging levels for debugging

Table 4 describes each message type and logging level. Table 5 lists the locations where the values that control logging levels can be modified. Table 4: Messages reported at each log level
Message type Description Logging level 1 2 3 4 5 6 7 8

e (error) w (warning) i (information) x (extended data) E (error) W (warning) I (information), or none X (extended data)

User error message, translated User warning message, translated User information message, translated User extended information message, translated Debug error message, English only Debug warning message, English only Debug information message, English only Debug extended information message, English only

Table 5: Location of values controlling log levels

Log file AGENT_<SYSTEM>.LOG Location of controlling log level value DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL C:\PROGRAMFILES\MCAFEE\EPOLICY ORCHESTRATOR\SERVER\CONF\ORION \LOG-CONFIG.XML. See MaxFileSize parameter value in Rolling log file section. See also Priority Value in <root> section. DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL DWORD registry value at: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL

EPOAPPSVR.LOG

EVENTPARSER.LOG

FRMINST_<SYSTEM>.LOG

ORION.LOG

PRDMGR_<SYSTEM>.LOG

SERVER.LOG

UPDATERUI_<SYSTEM>.LOG

Using Log Files for Troubleshooting in ePolicy Orchestrator 4.0

Troubleshooting with Log Files When setting changes take effect

When setting changes take effect

This section defines the interval between the moment that a log file setting is changed and the moment the change takes effect. When a setting is changed using the registry, the interval is usually a minute or less. The DWORD registry value that controls logging is: HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL. When a setting is changed in an INI file or an XML file, the change usually takes effect immediately. In some instances, when a change takes effect upon restarting the system, the user controls the interval. Table 6: When log setting changes take effect
Log file name AGENT_<SYSTEM>.LOG CORE-INSTALL.LOG EPOAPSVR.LOG EPO400COMMONSETUP.LOG Setting change takes effect... Within one minute Cannot change Within one minute Immediately upon saving change to EPO400-DEBUG.INI, located at <CURRENT USERS TEMP DIRECTORY>\NAILOGS Cannot change Immediately upon saving change to EPO400-DEBUG.INI, located at <CURRENT USERS TEMP DIRECTORY>\NAILOGS Upon startup Within one minute Upon startup Upon startup of Tomcat service Cannot change Upon startup of Tomcat service Upon startup Upon startup of Tomcat service Within one minute Within one minute Upon startup Cannot change Cannot change

EPO-INSTALL.LOG EPO400-INSTALL-MSI.LOG

ERRORLOG<CURRENT_DATETIME> EVENTPARSER.LOG FRMINST_<SYSTEM>.LOG JAKARTA_SERVICE_<DATE>.LOG LICENSING.LOG LOCALHOST_ACCESS_LOG.<DATE>.TXT MCSCRIPT.LOG ORION.LOG PRDMGR_<SYSTEM>.LOG REPLICATION.LOG SERVER.LOG, SERVER_BACKUP.LOG SQL2K5bCINST.LOG STDERR.LOG

10

Using Log Files for Troubleshooting in ePolicy Orchestrator 4.0

Troubleshooting with Log Files Adjusting the Tomcat log level

Log file name UPDATERUI_<SYSTEM>.LOG

Setting change takes effect... Within one minute

Adjusting the Tomcat log level

The file name of the Tomcat log is ORION.LOG. To adjust its logging level, do the following. Task 1 2 3 Open the LOG-CONFIG.XML file, located at:
C:\PROGRAMFILES>\McAfee\ePolicyOrchestrator\Server\conf\orion

In the following line of text, replace warn with info or debug: <root><priority value ="warn"/><appender-ref ref="ROLLING" /><appender-ref ref="STDOUT/></root> Save and close the file. Tomcat automatically adjusts the log level when the service is restarted.

Logging agent updating and deployment scripts

The agent uses MCSCRIPT.LOG to report script commands used during updating and deployment. To enable, set the following DWORD value on the clients registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DWDEBUGSCRIPT=2

McAfee recommends that you delete this key when you are done troubleshooting.

Troubleshooting policy updates

To troubleshoot incremental policy update issues from the server-side, do the following: Task 1 Create the DWORD registry value SAVEAGENTPOLICY = 1 in HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR. Restart all ePolicy Orchestrator services. Detailed descriptions of failures, including source files and line numbers, appear in the application log for the component experiencing issues. The ePolicy Orchestrator server creates the file <AGENTGUID>-<TIMESTAMP>.XML at <INSTALLATION PATH>\DB\DEBUG, which contains a copy of the content that the server deployed.In the following line of text, replace warn with info or debug. 3 Save and close the file.

Using Log Files for Troubleshooting in ePolicy Orchestrator 4.0

11

Troubleshooting with Log Files Interpreting Windows error codes

Interpreting Windows error codes

To understand Windows error messages, identify the error code and look it up in the MSDN library. 1 2 3 4 Locate messages of type e or E in the log file. Identify the time that the problem occurred, if known. Note the Windows error code associated with the problem event. Find the error code in the MSDN library at: http://msdn2.microsoft.com/en-us/library/ms681381.aspx For example, when tracking down an error message that includes code 1326, navigate to and click the code in the list of system error codes. The explanation of the code is displayed:
1326 ERROR_LOGON_FAILURE Logon failure: unknown user name or bad password

NOTE: You can also use the ERRLOOK.EXE utility to determine the cause of these error codes. This utility is distributed with Microsoft Visual Studio

Agent activity log

The agent activity log (AGENT_<SYSTEM>.XML) contains copies of messages from the AGENT_<SYSTEM>.LOG, including translated messages, of types e, w, and i, (corresponding to logging levels 1 3). This file is not intended for debugging, but as information for users not likely to be troubleshooting. Messages of type x (logging level 4) can be included in the activity log. For information on setting levels, see Logging levels for debugging. Information in the activity log also appears in the Agent Monitor. If you enable remote access to the agent activity log file, you can also view the agent debug log files remotely by clicking View debug log (current or previous) in the agent activity log file. For instructions, see Agent Activity Logs and Viewing the agent activity log in the ePolicy Orchestrator 4.0 Product Guide.

Use of the VirusScan update log

The UPDATETXT.LOG file in VirusScan Enterprise 8.0i and 8.5i provides information derived from the AGENT_<SYSTEM>.LOG. It does not provide any additional information than the agent log provides. However, VirusScan reformats the information for compatibility with previous versions. In addition, users can control the content that is displayed in the UPDATETXT.LOG and can designate its location.

12

Using Log Files for Troubleshooting in ePolicy Orchestrator 4.0