Enable debugging with WPP logs via registry for Endpoint Protection clients
search cancel

Enable debugging with WPP logs via registry for Endpoint Protection clients

book

Article ID: 155159

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Learn how to enable debugging that includes WPP logs for Symantec Endpoint Protection (SEP) clients.

Overview

SEP client debugging enables the following logging:

  • SMC
  • Sylink
  • VPDebug
  • WPP

Resolution

Note: Before you enable SEP client debugging, disable Tamper Protection to allow changes to the Windows Registry.
Note: All registry keys are case-sensitive

Enable SEP client debugging

  1. Click Start > Run and type regedit.
  2. Back up the registry. {WINDOWS_REGISTRY.EN_US}
  3. In the left pane, navigate to the following registry subkey:
    • 32-bit: HKLM\Software\Symantec\Symantec Endpoint Protection\DebugLogging
    • 64-bit: HKLM\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\DebugLogging 
    • 64-bit: HKLM\Software\Symantec\Symantec Endpoint Protection\DebugLogging (14.3 RU5 and above) 

      Note: If the DebugLogging subkey is not present, create one.
       
  4. In the right pane, set the following DWORD values based on your requirements:
    • (DWORD) Enabled = 1
      • 1 = Logging is enabled.
      • 0 = Logging is disabled.
    • (DWORD) DurationMS = 604800000
      • The duration in milliseconds that logging is enabled after SepMasterService starts.
      • logging begins immediately after the SepMasterService starts, and ends either when the duration specified is reached, or when the MaxFilesizeMB limit is met.
    • (DWORD) MaxFilesizeMB = 800
      • The max file size limit in megabytes for each individual log file that is created (currently not supported by VPDebug, so this is only supported by WPP). Increase this setting if you increase the DurationMS value.
      • When the size limit specified is reached, logging automatically stops.
    • (DWORD) MaxFiles = 1
      • The maximum number of old log files to keep before starting a new log.
      • Files are deleted based on the timestamp in their name, so changing the system time can affect the order in which files get phased out.

Notes:

  • Create these DWORD values if they do not already exist.
  • Based on a current known issue, only 1 WPP .etl file will be generated for the MaxFiles value. To work around this, increase the MaxFilesizeMB value to a higher value such as 800 MB or more. if necessary.
  • The DurationMS value 604800000 allows logging to occur for 1 week. If additional time is necessary to reproduce an issue, set the DurationMS value to 1209600000, which allows logging to occur for 2 weeks. This is the maximum value for DurationMS logging.

Restart the Symantec Management Client (SMC)

Changes to these settings require a restart of the SEP client services.

  1. Click Start > Run, and type smc -stop
  2. After the Symantec Endpoint Protection icon disappears from the notification area, type smc -start

Log file location

When enabled, the SMC and Sylink logs are mirrored to WPP logs, rather than being written to their plain text files. Output occurs in the following files.

  • SEPAutoTraceSession_YYMMDD_HHMMSS.etl
  • VPDebug_YYMMDD_HHMMSS.etl

These files are located in:

  • Windows 32-bit: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<version>\Data\Logs\
  • Windows 64-bit: C:\ProgramData\Symantec\Symantec Endpoint Protection\<version>\Data\Logs\