Enabling Debug Logging in Symantec Endpoint Encryption 11.x
search cancel

Enabling Debug Logging in Symantec Endpoint Encryption 11.x

book

Article ID: 161042

calendar_today

Updated On:

Products

Endpoint Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK Desktop Email Encryption Drive Encryption Encryption Management Server File Share Encryption Gateway Email Encryption

Issue/Introduction

Introduction

This article provides details about enabling Debug parameters within the Symantec Endpoint Encryption software, both for the Server and client side.

Windows Event Logs are used in various scenarios for Drive Encryption, SEE for Bitlocker, as well as SEE Removable Media Encryption and can be useful when reviewing different scenarios.  Event logs are logged with the proper severity and reside on the local client computer and can be viewed through the Windows Event Viewer.

For example, you can view the Removable Media Encryption event logs to determine whether a file was encrypted so that the user's data was not disclosed.



For more information on Drive Encryption event logs, see the following article:
161173 - Symantec Endpoint Encryption Drive Encryption - Windows Event Log IDs


For more information on Symantec Endpoint Encryption for Bitlocker event logs, see following article:
150211 - Symantec Endpoint Encryption for BitLocker - Windows Event Log IDs


If Symantec Endpoint Encryption application is crashing, it is useful to enable User-Mode Dumps. 
See the User-Mode Dumps article for more information to provide to Symantec Enterprise Support.

 

Also useful to gather are SymDiag dumps from affected systems.  See the following article for information on how to gather this information:

155115 - Download SymDiag to detect product issues

Resolution

 

Section 1 of 8: Installing Endpoint Encryption Client with Debug Mode enabled.

Symantec Endpoint Encryption will always log the msiexec installation file in the %tmp% directory. 

If you would like to enable Debug mode during the installation, you can do so, as well as output the installation to a specific directory.

 

As an example, if you would like to output the installation log to "C:\Logs", you want the installation log to be called "SEE_Installation.log", you can run the following command:

msiexec /i "SEE Client_x64.msi" /l*vx "C:\logs\SEE_Installation.log" MALOGLEVEL=DEBUG


This will capture all the msiexec installation events as well as enable Debug mode for the SEE Client.

Look at Section 2 for information on where the debug logs are stored.

 


Section 2 of 8: Debug mode for the SEE Client on the local machine
(Client Communications, Drive Encryption, SEE Bitlocker, and Removable Media Encryption)

If the SEE Client has been installed without the debug parameters, you can change the log level to "Debug" after the fact.  To do so, navigate to the following registry hive:

HKLM\Software\Encryption Anywhere\Framework\LoggerConfig

On the right pane of the registry there will be two values, but the main value to look for is "LogLevel"


To enable debug mode, change the value from "WARNING" to "Debug" as shown in the following screenshots:


Before:

After:

Note: To make these changes, you must be local administrator on the system.


There is also a "LogDir" value, however, we do not recommend changing the default location.  All logs are going to be logged in the following directory:

C:\Program Files\Symantec\Endpoint Encryption Clients\Management Agent\TechLogs:

If support requests the log files, just copy this entire TechLogs directory to a different location, zip it up and upload to the support case.


Note for Log Storage:
It is very useful to leave Debug enabled indefinitely so that if debug logs are needed, they are already available.  If you do leave the SEE client in debug mode, the maximum storage space that could be used is 4GBs.  This is because each log file created is 2MBs, and there are a maximum of 99 log files per logging component.   For example, the first Drive Encryption log files are named eedService00.log, the last would be eedService99.log.  When the 99th log file is reached, the first will be overwritten and go through this process again, so each log file has a maximum of 200MBs.

Once you enable the "Debug" mode with the option above, the easiest way to have it start logging in debug is to reboot the machine.

 


If you would like to avoid rebooting the system to enable debug mode, there are two methods you can use:

Method 1: Restart the SEE Management Agent via the Services application.

After setting the registry parameter to "Debug", go to the Services application and restart the "Symantec Drive Encryption Service" and "Symantec Endpoint Encryption Management Agent". 

Tip:
To open Services easily, go to start, run, and type "services.msc".

You can then check the debug logs and ensure the [DEBUG] values are now being written to the logs.

 

Method 2: Restart the services via the command line

From the command line, navigate to the following directories and then issue the commands that are bolded below (one is for the SEE Native Client and the other for the SEE for Bitlocker client):


SEE Native Encryption Client

C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption>net stop eedService
C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption>net start eedService
C:\Program Files\Symantec\Endpoint Encryption Clients\Management Agent>net stop EAFRCliManager
C:\Program Files\Symantec\Endpoint Encryption Clients\Management Agent>net start EAFRCliManager

To take the client out of debug mode, change the "debug" value to "warning" and then restart the services.

 

SEE Bitlocker Client
C:\Program Files\Symantec\Endpoint Encryption Clients\Bitlocker>net stop SymBitlockerService
C:\Program Files\Symantec\Endpoint Encryption Clients\Bitlocker>net start SymBitlockerService
C:\Program Files\Symantec\Endpoint Encryption Clients\Management Agent>net stop EAFRCliManager
C:\Program Files\Symantec\Endpoint Encryption Clients\Management Agent>net start EAFRCliManager



The Endpoint Encryption for Bitlocker logs are named in the following format:

  • SymBitLockerServiceNN.log
  • BitLockerClientUINN.log

where:

  • NN is an integer value, such as 00 through 99.  Once the logs reach 99, they cycle back to 00 and overwrite the logs accordingly.

 


Section 3 of 8: Debug mode for SEE Management Server Web Console (.Net Application Logging)

If you are running into issues with the Web Console, such as login errors when trying to access the 11.4 Web Dashboard, Web Reporting, or Help Desk web console, it is helpful to enable Debug mode to capture additional information.

To enable logging, navigate to the following path to view the "log4Net.config" file:

"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Encryption Management Server\CommunicationWS\WebConsole\Log4Net.config".


Use a text editor such as Notepad.exe or Notepad++ to edit the Log4Net.config file.  Before making any changes, it is a good idea to make a copy of this file as a backup.


Before:

After:


The logs will be generated in the following location:

"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Encryption Management Server\CommunicationWS\WebConsole\logs\webapp.log".

 

Note For Permissions on Log4Net.conf
In order to be able to change the debug level ensure the IIS User used in the Web Server configuration tab of the SEE configuration manager has Write permissions to the Webconsole folder.

See the methods below and use the method that matches your configuration:

Method 1: SQL Authentication:
If you are using "SQL Authentication" for the SEE Management Server, then the "NetworkService" account will need to have write access to the Webconsole folder.

Method 2: Windows Authentication:
If you are using "Windows Authentication", you will give this user access.
In this scenario, "Administrator" is the user being used, but whatever user is listed here, they need to have write access to the Webconsole folder.

This log file will provide additional information into what may be going on behind the scenes for various web routines for the SEE Management Server.

Once you are finished debugging, set the value back to "ERROR", instead of Debug.


 

 

Browser Developer Tools: If you are troubleshooting the new SEE 11.4 Web Console, if there are any issues with the web, use the browser Developer Tools to capture any error events.

Chrome: On the Web page, press the keystroke: CTRL + SHIFT + J

This will produce error events in the Console tab:

These can be helpful to provide to support if you are having issues displaying certain content on the page.

Each Web browser will have their own keystrokes.

Firefox: CTRL + SHIFT + I or F12

 


Section 4a of 8: Debug mode for SEEMS Configuration Manager (and other components)

If you would like to debug other aspects of the server that are related more to the application side of the server, such as the SEEMS Configuration Manager, you can enable Debug logging for these individual components.

To enable trace logging for these components, navigate to the following registry hive:

HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\

On "FileSink" tracedisabled can be set to 1 and tracelevel can be set to 2.
On "DBSink" tracedisabled can be set to 1 and tracelevel can be set to 2.

There are several keys listed here, but typically the only components you would want to review are the ADSync and SEEMS Configuration Manager components (for non-communications debug logging):

To enable Debug for the SEEMS Configuration Manager, follow the steps below:

Step 1: Click on "Symantec.Endpoint.Encryption.ConfigManager".

Step 2: In the right pane, double-click on "tracedisabled", and set the value to "0" .

Step 3: Double-click on "tracelevel" and set that value to "0" to enable Debug mode.

Step 4: Now with the SEEMS Configuration Manager debug enabled, recreate the failure and then look in the following location for the logging event:

"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Encryption Management Server\Services\Logs"

 

Once you are finished, you can disable the debug mode by setting "tracedisabled" back to 1. 


Note for Logging Location: If you would like to change the location to where the logs are saved, in the same Symantec.Endpoint.Encryption.ConfigManager location, double click on the BaseDirectory value and change the log directory, for example "C:\logs".  If there is no "BaseDirectory" value listed, you can create a "String Value" entry, enter "BaseDirectory" for the Value Name, and "C:\Logs" for the path in the "Value Data" field.  

 

Section 4b of 8: Debug mode for ADSync & Configuration Manager (and other components)

If you would like to debug other aspects of the server that are related more to the application side of the server, such as the SEEMS Configuration Manager, you can enable Debug logging for these individual components.

 


Additional Components: The above steps are available to all of the rest of the components, so for each item, follow the same steps listed above, but for each component:

  • SEEMS Configuration Manager
    HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\Symantec.Endpoint.Encryption.ConfigManager
    Debug parameters:
    tracedisabled=0
    tracedisabled=0


  • Active Directory Synchronization Service
    HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\Symantec.Endpoint.Encryption.ADSync
    Debug parameters:
    tracedisabled=0
    tracedisabled=0

  • Novell Synchronization Service
    HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\Symantec.Endpoint.Encryption.NovellSync

  • Endpoint Encryption Users and Computers snap-in
    HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\GEMSGroupMagmtSnapIn

  • Endpoint Encryption Reports snap-in
    HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\GEMSReportsSnapIn

  • Endpoint Encryption Server Commands snap-in
    HKEY_LOCAL_MACHINE\Software\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink\ServerCmdsSnapIn


 


Section 5 of 8: Endpoint Encryption Management Server logs for Communications

If you are troubleshooting SEE Client Communications, see the following article for troubleshooting guidance:

155127 - Symantec Endpoint Encryption Client communication and SEE Client Creation troubleshooting steps

Enabling debug on the SEE Client as well as the article above is typically sufficient to troubleshoot client communication issues.  The reason you don't normally need to enable debug on the server side, is most issues are going to be observed when the SEE Client cannot reach the SEE Management Server, and in that case, no logging will appear in server logs if the client is unable to reach the server.

In the unlikely event that the SEE Client is reaching the server, but there are still failures, you can enable debug mode on the server and these steps can be followed to achieve that.



Before you make any changes to the registry, it is always a good idea to make a backup.

Step 1: Open the registry and navigate to the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Endpoint Encryption\Trace\TraceSinks\FileSink

 

Step 2: Right-click on the "FileSink" key, select New, and click on "Key", to create a new key value.

Step 3: This will allow you to enter a new name for the key--enter the following as the name:

Symantec.Endpoint.Encryption.GECommunicationWS

Step 4: Once you have created this new value, click on the new "Symantec.Endpoint.Encryption.GECommunicationWS" value you just created so it is highlighted.

Step 5: Now in the right pane, create a new "DWORD (32-bit) Value" entry and call it "LogLevel"

Step 6: Now double-click on "LogLevel" and give it a value of "2" to enable Trace Level Logging (Debug).

Step 7: Restart IIS by running "iisreset" via the command prompt as administrator.

Note: If you still don't get any logs, restart the IIS server itself by clicking on the Webserver in IIS itself "Manage server: Restart"

Then click on the "Symantec Endpoint Encryption Services" and click "Restart".

 

 

By default, the log files are created in the following location:

"%ProgramFiles(x86)%\Symantec\Symantec Endpoint Encryption Management Server\Services\Logs"

A new log file is created each day and the naming format is gecws_MM_DD_YYYY.log or gecws_DD_MM_YYYY.log depending on the SEE Management Server regional settings:

Recreate the communications event to capture additional logging and then review the logs.

When you are done, you can disable the logging level by changing the "LogLevel" value to either 0 or 1.  The value of 0 will disable all logging, and 1 will log only errors.

 


Important Note:
Write permission to the log directory must be given to the User/Identity that is running the "SymantecEndpointEncryptionAppPool" application pool in IIS.

The Identity can be found by opening the IIS Manager > Expand Server Name > Application Pools > Identity Column for SymantecEndpointEncryptionAppPool)


Reviewing the Trace Logging
When LogLevel is set to 1 only a single line is output to the log file for each client check-in unless there is an error. The single line does not include computer name. For example:
<--- Request end 16:30:25 GrpID=4, PlcyGrpID =4, PlcyID =4, PlcyStatus=PS_NO_CHANGE; Requested policies :FrRs <SUCCESS> {Log status: logging is enabled log level = LOG_ERR }

If LogLevel is set to 2, each successful check-in by a machine will generate over 20 lines of log entries. The first line will contain information such as the computer name and domain name. For example:
*** Trace ---> Request begin 16:53:35; CompID = {201E8B4C-6C2C-425E-9D6D-2C65743E8A55}, CompName = COMPUTER001, DnsdDomainName = example.com, geGuid = {201E8B4C-6C2C-425E-9D6D-2C65743E8A55}, adGuid = {ac0cb4cb-57e6-4fe1-9fcd-aa8e6bd29c74}, edGuid = null, os = 2

 

 

 


Section 6 of 8: SEE FileVault Debug Logging

Symantec Endpoint Encryption for FileVault has the following types of logs:

  • Daemon logs: com.symantec.encryption.SEEd

  • Agent logs: com.symantec.encryption.SEEAgent

You can view the Symantec Endpoint Encryption for FileVault logs in the following methods by logging as an admin user.

  • Using Console.app
    -Open Console.app

    -In the search field, do the following:
    for daemon logs, enter "com.symantec.encryption.SEEd"
    for Agent logs, enter "com.symantec.encryption.SEEAgent"

    TIP: Starting with Symantec Endpoint Encryption 11.3, the "log show" command is used, which will contain useful information above and beyond the normal SEEd and SEEAgent logs.
  • Open the Terminal for command line access.

    -Run the following command:
    log show --predicate 'subsystem == "<type of logs>"' --info --<time duration>
    where the type of logs are either Daemon logs or Agent logs, and time duration is in hours or days.
    For example, "1h" means logs for past 1 hour and "5d" means logs for past 5 days.

  • To output logs for the SEEd logging for the last hour, run the following command:
    log show --predicate 'subsystem == "com.symantec.encryption.SEEd"' --info --last 1h > /tmp/SEEd.log

  • To output logs for the SEEAgent logging for the last hour, run the following command:
    log show --predicate 'subsystem == "com.symantec.encryption.SEEAgent"' --info --last 1h > /tmp/SEEAgent.log


Legacy Logging for Endpoint Encryption for FileVault on Mac

In SEE 11.2.1 and previous, check the following log locations on Symantec Endpoint Encryption for FileVault management, although it is recommended to upgrade to SEE 11.3 and obtain the logs using "log show" as listed above
~/Library/Logs/SEEagent/SEEAgent.log
/Library/Logs/SEEd/SEEd.log

It is also useful to sometimes gather the following files:
/Library/Application Support/Symantec Endpoint Encryption/see.keychain
/Library/Application Support/Symantec Endpoint Encryption/see.dat

 

 


Section 7 of 8: SEE Removable Media Encryption Client Side Logging

The Endpoint Encryption Client installer does not create a registry key for managing the SEE-RME debug logs by default. You need to enable debug logging for Removable Media Encryption.

To enable debug logging for Removable Media Encryption, create a DWORD value named DebugLevel in the the following registry location:

HKEY_CURRENT_USER\Software\Encryption Anywhere\Removable Storage\Client Database\User Configuration

The DebugLevel value has the following valid values:

  • 1: specifies that only errors are logged
  • 2: specifies that errors and warnings are logged
  • 3: debug level logging

Once you have created the DebugLevel entry, you view the log entries using the Microsoft DebugView utility.


Section 8 of 8: Event Logs from Affected Machines

It is often useful to capture the event logs from affected machines that we are trying to debug.  The following commands are useful and an easy way to dump the event logs for easy analysis on the encryption side:

 

wevtutil epl System C:\SYSTEM-MACHINE-NAME-HERE.evtx
wevtutil epl Application C:\APPLICATION-MACHINE-NAME-HERE.evtx

 

Additional Information

EPG-31261 - SEEMS Configuration Logging

Pending Reboot Detection
It is recommended that systems be rebooted just prior to the install/upgrade of Symantec Endpoint Encryption 11 to ensure the best success as pending reboots can cause the install/upgrade process to fail.

For more information on Pending Reboots and how to disable this, see the following article:

214719 - Symantec Endpoint Encryption Pending Reboot Feature

269909 - Admin Log and Client Events for Symantec Endpoint Encryption Management Server (SEE Management Server)

195857 - Symantec Endpoint Encryption Database Maintenance - Cleanup old machines and client data