
Reference Guide

McAfee ePolicy Orchestrator 5.1.0 Software


Log Files

ePolicy Orchestrator log files


The log files detailed in this guide represent a subset of all McAfee ePolicy Orchestrator log files, with
particular attention to the log files used when managing and troubleshooting product issues.

Log files and their categories


McAfee ePolicy Orchestrator provides log files that contain important information when
troubleshooting.
These log files are separated into three categories:

- Installer logs: Include details about installation path, user credentials, database used, and communication ports configured.

- Server logs: Include details about server functionality, client event history, and administrator services.

- Agent logs: Include details about agent installation, wakeup calls, updating, and policy enforcement.

Path variables used


The locations of log files depend on how and where ePolicy Orchestrator and the agent are installed in
your environment.
These variables are used in this document to describe locations of the log files.

Variable: [Agent DATA Path]
    Description: To determine the actual location of the agent data files, view this registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DATA PATH
    For more information, see Agent installation directory in the ePolicy Orchestrator Product Guide or Help.

Variable: %temp%
    Description: This is the Temp folder of the currently logged on user. To access this folder, select
    Start | Run, then type %temp% in the Open text box, and click OK.

Variable: [InstallDir]
    Description: The default location of the ePolicy Orchestrator server software is
    C:\PROGRAM FILES\MCAFEE\EPOLICY ORCHESTRATOR.

Installer logs
Installer log files list details about the ePolicy Orchestrator installation process.
These logs provide information about:

- Actions taken by specific components
- Administrator services used by the server
- Success and failure of critical processes

File name: AH500InstallMSI.log
    Log type: Agent Handler installation
    Location: %temp%\McAfeeLogs
    Description: This file logs all Agent Handler installation details including:
        - Installer actions
        - Installation failures

File name: AH500ahetupdll.log
    Log type: Temporary
    Location: %temp% (on the Agent Handler server)
    Description: Logs Agent Handler backend events.

File name: coreinstall.log
    Log type: Temporary
    Location: %temp%\McAfeeLogs\ePO500 Troubleshoot\MFS
    Description: Generated when ePolicy Orchestrator installer calls the MFS ANT installer.
    Provides information on:
        - Creation of server database tables
        - Installation of server components
    This file is deleted if the installation succeeds.

File name: epoinstall.log
    Log type: Installation
    Location: %temp%\McAfeeLogs\ePO500 Troubleshoot\Mercury Framework
    Description: Created when the ePolicy Orchestrator installer calls the ANT installer.

File name: EPO500CheckinFailure.log
    Log type: Installation
    Location: %temp%\McAfeeLogs
    Description: Generated when ePolicy Orchestrator installer fails to check in any of these
    package types:
        - Extensions
        - Plug-ins
        - Deployment packages
        - Agent packages

File name: EPO500CommonSetup.log
    Log type: Installation
    Location: %temp%\McAfeeLogs
    Description: Contains ePolicy Orchestrator installer details such as:
        - Custom Action logging
        - SQL, DTS (Microsoft Data Transformation Services), and service-related calls
        - Registering and unregistering DLLs
        - Files and folders selected for deletion at restart

File name: EPO500InstallMSI.log
    Log type: Installation
    Location: %temp%\McAfeeLogs
    Description: The primary ePolicy Orchestrator installation log. Contains installation
    details such as installer actions and installation failures.

File name: <ExtensionFileName>.cmd
    Log type: Temporary
    Location: %temp%\McAfeeLogs\ePO500 troubleshoot\OutputFiles
    Description: Created by the ePolicy Orchestrator installer. Contains the command
    (sent to RemoteClient) to check in extensions.
    If the installation succeeds, these files are deleted.

File name: MFS500CommonSetup.log
    Log type: Installation
    Location: %temp%\McAfeeLogs
    Description: Contains MFS installer details.

Server logs
Server log files contain details on server functionality and various administrator services used by
ePolicy Orchestrator.

File name: EpoApSvr.log
    Log type: Primary
    Location: [InstallDir]\DB\Logs
    Description: Application Server log file with details of repository actions such as:
        - Pull tasks
        - Checking in deployment packages to the repository
        - Deleting deployment packages from the repository
    This file is not present until after initial service startup.

File name: Errorlog.<CURRENT_DATETIME>
    Log type: Apache
    Location: [InstallDir]\Apache2\logs
    Description: Contains Apache service details.
    This file is not present until after the Apache service is started for the first time.

File name: Eventparser.log
    Log type: Primary
    Location: [InstallDir]\DB\Logs
    Description: Contains ePolicy Orchestrator event parser services details, such as product
    event parsing success or failure.

File name: Jakarta_service_<DATE>.log
    Log type: Tomcat
    Location: [InstallDir]\Server\logs *
    Description: Contains ePolicy Orchestrator Application Server service details.
    This file is not present until after the initial Tomcat service startup.

File name: Localhost_access_log.<DATE>.txt
    Log type: Tomcat
    Location: [InstallDir]\Server\logs *
    Description: Records all McAfee ePO server requests received from client systems.
    This file is not present until after the initial Tomcat service startup.

File name: Orion.log
    Log type: Primary
    Location: [InstallDir]\Server\logs *
    Description: Contains McAfee Foundation Services platform details and all extensions
    loaded by default.
    This file is not present until after the ePolicy Orchestrator Application Server service
    is started for the first time.

File name: Replication.log
    Log type: Server
    Location: [InstallDir]\DB\Logs
    Description: The McAfee ePO server replication log file. This file is only generated when
    all these are true:
        - There are distributed repositories.
        - A replication task has been configured.
        - A replication task has run.

File name: Server.log
    Log type: Primary
    Location: [InstallDir]\DB\Logs
    Description: Contains details related to these McAfee ePO server services:
        - Agent-server communications
        - McAfee ePO Server Agent Handler
    This file is not present until after initial service startup.

File name: Stderr.log
    Log type: Tomcat
    Location: [InstallDir]\Server\logs *
    Description: Contains any Standard Error output captured by the Tomcat service.
    This file is not present until after the initial Tomcat service startup.

* In cluster environments, the log file is located at [InstallDir]\Bin\Server\logs.

Agent logs
Agent log files contain actions triggered or taken by the McAfee Agent.

File name: <AgentGuid>_<Timestamp>_Server.xml
    Log type: Policy
    Location: [InstallDir]\DB\DEBUG
    Description: Contains details about policy updating issues. To enable this file:
        1 Browse to this registry key:
          HKEY_LOCAL_MACHINE\Software\Network Associates\ePolicy Orchestrator\
        2 Create this DWORD with value 1: SaveAgentPolicy
        3 Restart the McAfee ePolicy Orchestrator 5.1.0 Server (Apache) service.
    We recommend that you enable this file for the minimum time needed to capture the
    required information, because the resulting files grow rapidly.

File name: Agent_<system>.log
    Log type: Agent
    Location: [Agent DATA Path]\DB
    Description: Generated on client systems when the server deploys an agent to them.
    This file contains details related to:
        - Agent-server communication
        - Policy enforcement
        - Other agent tasks

File name: FrmInst_<system>.log
    Log type: Agent
    Location: %temp%\McAfeeLogs
    Description: Generated when the FrmInst.exe is used to install the McAfee Agent.
    This file contains:
        - Informational messages.
        - Progress messages.
        - Failure messages if installation fails.

File name: MCScript.log
    Log type: Agent Debug
    Location: [Agent DATA Path]\DB
    Description: Contains the results of script commands used during agent deployment and
    updating. To enable the DEBUG mode for this log, set this DWORD value on the client's
    registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\TVD\SHARED COMPONENTS\FRAMEWORK\DWDEBUGSCRIPT=2
    Delete this key when you've finished troubleshooting.

File name: MfeAgent.MSI.<DATE>.log
    Log type: Agent
    Location: %temp%\McAfeeLogs
    Description: Contains details about the MSI installation of the agent.

File name: PrdMgr_<SYSTEM>.log
    Log type: Agent
    Location: [Agent DATA Path]\DB
    Description: Contains details about agent communications with other McAfee products.

File name: UpdaterUI_<system>.log
    Log type: Agent
    Location: %temp%\McAfeeLogs
    Description: Contains details of the updates to managed products on the client system.

McAfee Agent error logs
When the McAfee Agent traps errors, they are reported in Agent error logs. Agent error logs are
named for their primary log counterpart. For example, when errors occur while performing client
tasks, the MCScript_Error.log file is created. Error logs contain only details about errors.

How log file size is maintained


When a log file reaches its maximum size, backup is added before the file name extension and a new
log file is created.
For example, when Agent_<SYSTEM>.log reaches its maximum size, it is renamed
Agent_<SYSTEM>_backup.log. If a backup log already exists, it is overwritten. Depending on how
recently the backup was created, it might contain current entries. Examine both log files to make
sure that you view all current entries.

To change the log size, create the DWORD value LOGSIZE in the registry key
HKEY_LOCAL_MACHINE\Software\Network Associates\ePolicy Orchestrator, then set the value data to
the size wanted. For example, 20=20MB.

Enable access logging


Enable Apache access logging by modifying the httpd.conf file.

Task
1 From [ePOInstallDir]\Apache2\conf, open the httpd.conf file.

2 Find this line in the file and remove the number symbol (#) from it:

    CustomLog "|C:/PROGRA~1/McAfee/EPOLIC~1/Apache2/bin/rotatelogs.exe -l C:/PROGRA~1/McAfee/EPOLIC~1/Apache2/logs/accesslog.%Y-%m-%d 86400" common

This file path applies to the default ePolicy Orchestrator installation. For custom installations, use the
path specified in the httpd.conf file.

3 Save the file and restart your ePolicy Orchestrator services.

Log levels for debugging


The log level, a value ranging from 1 to 8, determines the scope and depth of the information in most
log files.

Log levels provide this information:

- Messages logged at each level include all messages at the current level and all lower logging levels.

- The default value (7) is considered adequate for ordinary debugging.

- Log level 8 produces output, including every SQL query, whether or not there is an error. Log level
  8 also provides communication details for troubleshooting network and proxy server issues.

Messages reported at each log level

Message type                Description                                         Logging level
e (error)                   User error message, translated                      1
w (warning)                 User warning message, translated                    2
i (information)             User information message, translated                3
x (extended data)           User extended information message, translated       4
E (error)                   Debug error message, English only                   5
W (warning)                 Debug warning message, English only                 6
I (information), or none    Debug information message, English only             7
X (extended data)           Debug extended information message, English only    8

Location of values controlling log levels and when they take effect

You can't modify the logging levels of all logs.

Log file name: Agent_<system>.log
    Log level value location: DWORD registry value at:
    HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
    Update duration: 1 minute (approximate)

Log file name: Coreinstall.log
    Log level value location: Not applicable
    Update duration: Not applicable

Log file name: EpoApSvr.log
    Log level value location: DWORD registry value at:
    HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
    Update duration: 1 minute (approximate)

Log file name: Errorlog.<CURRENT_DATETIME>.log
    Log level value location: Not applicable (File created by the Apache service)
    Update duration: Not applicable

Log file name: Eventparser.log
    Log level value location: DWORD registry value at:
    HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
    Update duration: 1 minute (approximate)

Log file name: FrmInst_<system>.log
    Log level value location: DWORD registry value at:
    HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
    Update duration: At runtime

Log file name: Jakarta_Service_<DATE>.log
    Log level value location: [INSTALL DIR]\SERVER\CONF\ORION\LOGCONFIG.XML
    Update duration: Upon startup of ePolicy Orchestrator Application Server service.

Log file name: Localhost_access_log.<DATE>.txt
    Log level value location: [INSTALL DIR]\SERVER\CONF\ORION\LOGCONFIG.XML
    Update duration: Upon startup of ePolicy Orchestrator Server service.

Log file name: MCSCRIPT.log
    Log level value location:
        Windows platforms: dwDebugScript in
        HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\Framework
        UNIX platforms: DebugScript in /etc/cma.d/<ePO Agent's software ID>/config.xml
    Update duration: Immediately

Log file name: Orion.log
    Log level value location: [INSTALL DIR]\SERVER\CONF\ORION\LOGCONFIG.XML. See MaxFileSize
    parameter value in the Rolling log file section. Also, see Priority Value in the Root section.
    Update duration: Upon startup of ePolicy Orchestrator Application Server service.

Log file name: PrdMgr_<SYSTEM>.log
    Log level value location: DWORD registry value at:
    HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
    Update duration: 1 minute (approximate)

Log file name: Replication.log
    Log level value location: Not applicable
    Update duration: Not applicable

Log file name: Server.log
    Log level value location: DWORD registry value at:
    HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
    Update duration: Upon startup of ePolicy Orchestrator Server service.

Log file name: Stderr.log
    Log level value location: Not applicable
    Update duration: Not applicable

Log file name: UpdaterUI_<SYSTEM>.log
    Log level value location: DWORD registry value at:
    HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL
    Update duration: 1 minute (approximate)

Agent activity log


The agent activity log (AGENT_<SYSTEM>.XML) contains copies of messages from the
AGENT_<SYSTEM>.LOG, including translated messages, of types e, w, and i (corresponding to logging
levels 1 to 3). This file is not intended for debugging, but as information for users not likely to
be troubleshooting. Messages of type x (logging level 4) can be included in the activity log. For
information on setting levels, see Logging levels for debugging.

Information in the activity log also appears in the Agent Monitor.

If you enable remote access to the agent activity log file, you can also view the agent debug log files
remotely by clicking View debug log (current or previous) in the header of the Show Agent Log display. For
instructions, see Agent Activity Logs and Viewing the agent activity log in the McAfee ePolicy
Orchestrator Product Guide or Help.

Adjust the Orion log level


The orion.log file is created by the ePolicy Orchestrator Application Server.
You can configure the log level to show different types of Orion information in the log.

Task
1 Using a text editor, open the LogConfig.xml file, located at:
C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orion

2 In the following line of text, replace warn with info or debug:

<root><priority value ="warn"/><appender-ref ref="ROLLING" /><appender-ref ref="STDOUT"/></root>

Use debug only when troubleshooting for a short time. Setting the priority value to debug causes
the old log files to be deleted frequently.

3 Save and close the file.

Tomcat automatically adjusts the log level when the ePolicy Orchestrator Application Server services
restart.

Troubleshoot product issues
Use logs to troubleshoot product issues.

Tasks
- Troubleshoot policy updates
  Troubleshoot incremental policy update issues from the server-side.
- Interpret Windows error codes
  To understand Windows error messages, identify the error code and look it up in the MSDN
  library.

Troubleshoot policy updates


Troubleshoot incremental policy update issues from the server-side.

Task
1 Create the DWORD registry value SAVEAGENTPOLICY = 1 in:
HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR

2 Restart all ePolicy Orchestrator services.


The ePolicy Orchestrator server creates the file <AGENTGUID>_<TIMESTAMP>_SERVER.XML at
<INSTALLATION PATH>\DB\DEBUG, which contains a copy of the content that the server deployed.
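
The guide asks for SaveAgentPolicy, DWDEBUGSCRIPT and the Orion debug priority to be enabled only for as long as troubleshooting takes, and notes that log level 8 records every SQL query. The PowerShell script below is an added example (not McAfee code) that reports which of those settings are still present on a host. The function name Get-EpoDebugLeftover is hypothetical, the Wow6432Node registry view is an assumption for 32-bit components on 64-bit Windows, and the install path defaults to the guide's default [InstallDir].

```powershell
# Added example, not McAfee code. Key paths and value names come from this guide;
# the Wow6432Node view is an assumption for 32-bit components on 64-bit Windows.
$roots    = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'
$epoKey   = 'Network Associates\ePolicy Orchestrator'
$agentKey = 'Network Associates\TVD\Shared Components\Framework'

# One entry per setting: where it lives, when to flag it, and why it matters.
$checks = @(
    @{ Key = $epoKey; Name = 'SaveAgentPolicy'; Flag = { param($v) $v -eq 1 }
       Why = 'Server keeps writing <AgentGuid>_<Timestamp>_Server.xml to DB\DEBUG' }
    @{ Key = $epoKey; Name = 'LOGLEVEL'; Flag = { param($v) $v -ge 8 }
       Why = 'Level 8 logs every SQL query plus network and proxy communication details' }
    @{ Key = $agentKey; Name = 'dwDebugScript'; Flag = { param($v) $true }
       Why = 'MCScript.log debug mode; the guide says to delete it after troubleshooting' }
)

# Hypothetical helper name; -InstallDir defaults to the guide's default [InstallDir].
function Get-EpoDebugLeftover {
    param([string]$InstallDir = 'C:\Program Files\McAfee\ePolicy Orchestrator')
    foreach ($c in $checks) {
        foreach ($root in $roots) {
            $path = "$root\$($c.Key)"
            $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # key or value absent in this view
            $value = $item.($c.Name)
            [pscustomobject]@{
                Setting = "$path\$($c.Name)"
                Value   = $value
                Flagged = [bool](& ($c.Flag) $value)
                Why     = $c.Why
            }
        }
    }
    # The Orion log level is the <root> priority value in LogConfig.xml.
    $cfg = Join-Path $InstallDir 'Server\conf\orion\LogConfig.xml'
    if (Test-Path -LiteralPath $cfg) {
        $text = Get-Content -LiteralPath $cfg -Raw
        if ($text -match '<root>\s*<priority\s+value\s*=\s*"(\w+)"') {
            [pscustomobject]@{
                Setting = "$cfg <root> priority"
                Value   = $Matches[1]
                Flagged = $Matches[1] -eq 'debug'
                Why     = 'debug priority causes old log files to be deleted frequently'
            }
        }
    }
}

Get-EpoDebugLeftover | Format-List
```

Run it from an elevated prompt on the ePO server and on a sample of managed clients; an empty result means none of the values exist in either registry view and LogConfig.xml was not found at the given path.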

Interpret Windows error codes


To understand Windows error messages, identify the error code and look it up in the MSDN library.

Task
1 Locate messages of type e or E in the log file.

2 Identify the time that the problem occurred, if known.

3 Note the Windows error code associated with the problem event.

4 Find the error code in the MSDN library at:
http://msdn2.microsoft.com/en-us/library/ms681381.aspx
For example, when tracking down an error message that includes code 1326, navigate to and click
the code in the list of system error codes. The explanation of the code is displayed:

1326 ERROR_LOGON_FAILURE Logon failure: unknown user name or bad password

You can also use the ERRLOOK.EXE utility to determine the cause of these error codes. This utility is
distributed with Microsoft Visual Studio.

Copyright 2013 McAfee, Inc. Do not copy without permission.
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and
other countries. Other names and brands may be claimed as the property of others.
