How to enable Automatic Symantec Endpoint Protection (SEP) 12.1 Client Debugging, including WPP logs.
Before enabling Automatic Client Debugging, disable Tamper Protection to allow changing the registry.
To enable Automatic Client Debugging, go to the following registry key:
- 32-bit: HKLM\Software\Symantec\Symantec Endpoint Protection\DebugLogging
- 64-bit: HKLM\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\DebugLogging
Note: If the DebugLogging key is not present, it will need to be created.
The settings available are:
- (DWORD) Enabled
  - 1 = Logging is enabled.
  - 0 = Logging is disabled.
- (DWORD) DurationMS
  - The duration in milliseconds that logging will be enabled for after SepMasterService starts.
  - The logging begins immediately after the SepMasterService starts and ends when the duration specified is reached or when the MaxFilesizeMB limit is met.
- (DWORD) MaxFilesizeMB
  - The max file size limit in megabytes for each individual log file that is created (currently not supported by VPDebug, so this is only supported by WPP). This setting will need to be increased if the DurationMS value is increased.
  - When the size limit specified is reached, logging will automatically stop.
- (DWORD) MaxFiles
  - The maximum number of old log files to keep before starting a new log.
  - Files are deleted based on the timestamp in their name, so changing the system time can affect the order in which files get phased out.
If any of the above registry values do not exist, they have a default hard-coded value which is:
This logging is off by default. If any of the non-default settings are required, the corresponding registry value will have to be explicitly created.
Recommended registry (Decimal) values for debugging:
Based on a current known issue, only 1 WPP .etl file will be generated even though the default specifies MaxFiles(10). The workaround is to increase MaxFilesizeMB to something like 800 MB.
The DurationMS value 604800000 will allow the logging to occur for 1 week. If additional time is necessary to reproduce an issue, the DurationMS value can be set to 1209600000, which will allow logging to occur for 2 weeks. This is the maximum value for DurationMS.
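The following PowerShell script is an added example, not part of the original article or of Symantec's tooling. It creates the DebugLogging key if it is missing and writes the DWORD values discussed above; the parameter names and the -Disable switch are this example's own, and it assumes an elevated prompt with Tamper Protection already disabled.

```powershell
# Added example (not Symantec's code). Run elevated, with Tamper Protection
# disabled as the article requires. Parameter names are this example's own.
param(
    [ValidateRange(1, 1209600000)]       # article: 2 weeks is the maximum
    [uint32]$DurationMS    = 604800000,  # article: 1 week
    [ValidateRange(1, 4096)]             # upper bound is an assumption, not from the article
    [uint32]$MaxFilesizeMB = 800,        # article: workaround for the single-.etl issue
    [switch]$Disable                     # write Enabled = 0 instead of 1
)

# The two parent keys named in the article: 64-bit path first, then 32-bit.
$candidates = @(
    'HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection',
    'HKLM:\Software\Symantec\Symantec Endpoint Protection'
)
$base = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $base) { throw 'Symantec Endpoint Protection registry key not found.' }

# The article notes that DebugLogging may not exist and must then be created.
$key = Join-Path $base 'DebugLogging'
if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }

# Values that are not written keep their hard-coded defaults (MaxFiles here).
$values = @{
    Enabled       = [int](-not $Disable)
    DurationMS    = $DurationMS
    MaxFilesizeMB = $MaxFilesizeMB
}
foreach ($name in $values.Keys) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord `
        -Value $values[$name] -Force | Out-Null
}

# Read the values back so the change can be confirmed and recorded.
Get-ItemProperty -Path $key | Select-Object Enabled, DurationMS, MaxFilesizeMB
```

Run the script again with -Disable once the issue has been reproduced, and re-enable Tamper Protection afterwards.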
Changing these settings requires a restart of the SEP client services.
Restart the Symantec Management Client (SMC)
Click Start, and in the Search programs and files field, enter the following command:
Alternately, click Start > Run, enter the command, and then click OK.
After the Symantec Endpoint Protection icon disappears from the notification area, repeat Step 1, but instead use the following command:
Automatic Client Debugging enables the following logging automatically:
When enabled, the SMC and Sylink logs are mirrored to WPP logs rather than written to their plain text files. The output will be two files named:
These files will be located in:
- XP 32-bit: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<version>\Data\Logs\
- Windows 7 64-bit: C:\ProgramData\Symantec\Symantec Endpoint Protection\<version>\Data\Logs\