Advanced debug log options in SymDiag for Endpoint Protection clients
Last Updated April 29, 2019
Learn how to use advanced options in SymDiag to collect debug logging data from Symantec Endpoint Protection (SEP) or Symantec Endpoint Protection Cloud (SEPC) clients.
SEB SBE (Small Business Edition)
This document describes the Symantec Diagnostic (SymDiag) tool’s advanced debug logging settings for Symantec Endpoint Protection. These steps help ensure sufficient, timely, and accurate logs are collected.
Configure and enable debug logs. Set log levels and max log file sizes. In most cases use the default settings.
Generate log data. Reproduce the issue and allow the log files to populate.
Collect the logs. SymDiag puts the populated logs into an .sdbz file for upload to Symantec.
Allow sufficient time to generate log data after reproducing the issue.
Capturing good data the first time will reduce the need to go back for more. If an issue is easily reproduced, it may not take long to generate logs. An intermittent problem may take more time. For best results and fastest case resolution, make a list of the steps taken to reproduce the issue. These can be added under “Issue” on the customer information page of SymDiag.
The Advanced Debug logging dialog displays the current Debug Log settings as configured in the registry. For SEP Cloud, the advanced options are not available as a button; however, you can reproduce the issue and the necessary logs will be generated normally, with no changes required.
The advanced options are:
Vpdebug logging: Vpdebug controls the logging for the Antivirus and Antispyware component of SEP.
SMC debug logging: SEP client debug logs are useful for troubleshooting client to SEPM communication problems and client functionality problems; this option can also be used for troubleshooting issues with a Group Update Provider (GUP).
Sylink debug logging: Sylink logs are for troubleshooting communication problems and definitions update issues.
WPP debug logging: Windows software trace preprocessor (WPP) is a preprocessor that implements software tracing in Windows drivers and applications. WPP logs are useful when troubleshooting driver level conflicts or problems with the SEP client.
To reach the advanced settings, check “Endpoint Protection Client” in the Debug Logging section and then click “Advanced...”.
Vpdebug, SMC debug, and Sylink debug logging
Vpdebug logging, SMC debug logging, and Sylink debug logging are configured in this window. The settings shown here are the default settings. These will be chosen if you check "Endpoint Protection Client" and click "Next" without using the "Advanced..." button.
For Vpdebug logging, the LX ALL setting will gather the most information.
For SMC debug logging, the 0 (Debug) setting will gather the most information. Default log file size is 50MB. Only change Delta debug level on the advice of a support engineer.
For Sylink debug logging, default is the same as 3. Setting 4 is more verbose. Also, only use Sylink_VolatileOpState* settings on the advice of a support engineer. (Note: In the latest version of SymDiag it is no longer necessary to manually stop and start smc; SymDiag will perform this task.)
TSE debug logging is enabled by default, but can be disabled.
WPP debug logging
For WPP debug logging, there are two choices, “WPP” and “WPP reboot”.
If an issue is easily reproduced, choose “WPP”, configure desired settings, reproduce the issue, allow adequate time to generate log data, then choose Next to collect log data.
If an issue occurs at startup, use “WPP reboot” to configure desired settings (default settings are shown here), reproduce the issue, allow adequate time to generate log data, then choose Next to collect log data.
Currently, no configuration settings are available for this feature. Maximum file size is set to 50MB. Once a log reaches this size, however, a new log is created. This allows for longer issue reproduction times. The current setting for logging level is 4.
Note: If SymDiag is run with the command-line -sepwpp, the original method for WPP Reboot is available. The current default method (see above) has significantly improved the depth of WPP logging data collected, so this older, no-longer-default method should only be used in special circumstances. General settings are Max duration, MaxFileSizeMB, MaxFiles. Duration is the length of time (in milliseconds) that WPP logging will be done. MaxFileSize is the maximum size (in MB) of the log file. MaxFiles is the number of old log files to keep before starting a new log. Only change these settings on the advice of a support engineer.