How to enable extended debugging on a Critical Systems Protection (SCSP) agent for troubleshooting purposes
Last Updated October 13, 2011
The logs for the issue being experienced do not contain enough information to find the root cause, and you want to enable debugging in the SCSP agent to see more information for the IPS and/or IDS modules.
Depending on the situation, you may need more extensive IDS and/or IPS logging.
In either or both cases, the first step is to stop the SCSP agent services on the machine so that you can make the necessary changes.
To enable IDS debugging:
Locate the file called scspagent/IDS/system/LocalAgent.ini and open it with a text editor.
Windows default: C:\Program Files\Symantec\Critical System Protection\Agent\IDS\system\LocalAgent.ini
Enable the additional logging in the "Log Debugs" section of the file by removing "#" from the start of the line and changing the value at the end of the line from "=0" to "=1". Depending on your needs, you may enable only the lines that you are concerned with.
For example, to enable full IDS debugging, the "Log Debugs" section would be the following:
Once you have enabled the desired debugging, start the SCSP agent services so that they use the new settings.
Remember to reverse this process when you are done, to prevent excessive logging and disk space issues caused by the extended logging. However, in most cases customers have run this consistently for months with no issues; whether it causes problems depends on the resources available in your environment.
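The edit and its reversal described above, as an added script that is not part of the original article or the vendor's tooling. It assumes the section appears as a bracketed `[Log Debugs]` header; the option names in the sample are constructed placeholders, and the agent services must be stopped before `apply_to_file` is run.

```python
import re
import shutil

SECTION = "Log Debugs"  # assumption: written in the file as a bracketed header, [Log Debugs]
HEADER = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# An option line, optionally commented out: "#Key=0" or "Key=1"
OPTION = re.compile(r"^(\s*)(#\s*)?([A-Za-z][\w .-]*?)\s*=\s*([01])\s*$")

def set_debug(ini_text, enable, only=None):
    """Return (new_text, changed_keys); lines outside the section are untouched."""
    out, changed, in_section = [], [], False
    for line in ini_text.splitlines():
        header = HEADER.match(line)
        if header:
            in_section = header.group(1).strip() == SECTION
        m = OPTION.match(line) if in_section else None
        if m and (only is None or m.group(3) in only):
            indent, key = m.group(1), m.group(3)
            # Enable: drop "#" and set =1. Disable: restore "#" and =0.
            new = f"{indent}{key}=1" if enable else f"{indent}#{key}=0"
            if new != line:
                changed.append(key)
            line = new
        out.append(line)
    return "\n".join(out) + "\n", changed

def apply_to_file(path, enable, only=None):
    """Edit LocalAgent.ini in place, keeping a .bak copy of the previous contents."""
    shutil.copy2(path, path + ".bak")
    with open(path) as fh:
        text, changed = set_debug(fh.read(), enable, only)
    with open(path, "w") as fh:
        fh.write(text)
    return changed

# Constructed sample; the option names are placeholders, not real SCSP keys.
SAMPLE = """\
[Agent]
ExampleSetting=1
[Log Debugs]
# placeholder entries for illustration
#ExampleDebugA=0
#ExampleDebugB=0
[Other]
#ExampleOther=0
"""

if __name__ == "__main__":
    text, changed = set_debug(SAMPLE, enable=True)
    print(text, "changed:", changed)
```

Pass `only={"..."}` to enable just the lines you are concerned with, and call the same function with `enable=False` to put the section back when troubleshooting is finished.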
If you are either working with support or proactively gathering data to open a case, you will want to reproduce the issue up to three times on interactive processes, if possible, to create a pattern. In some cases, such as services, you will need to run until the issue presents itself.
Once the issue has been logged, gather the data with a getagent report. Below is a Knowledge Base article showing multiple methods to gather the data.