Host Intrusion Prevention 8.0 agent logging and troubleshooting on Microsoft Windows

Technical Articles ID: KB51517
Last Modified: 9/29/2020

Environment

McAfee Host Intrusion Prevention (Host IPS) 8.0

For details of Host IPS supported platforms, see KB70778.

Summary

This article addresses the following topics:

Understanding Agent log files
Enabling Agent logging
Logging of Rules and Exceptions
Engine Debug messages
Firewall Component log files

Solution

Understanding Host Intrusion Prevention log files
Host Intrusion Prevention (Host IPS) component main log file:

The primary IPS log file used by the Host IPS 8.0 systems is the HipShield.log. This file is located in c:\Documents And Settings\All Users/Application Data\McAfee\Host Intrusion Prevention\HipShield.log.
When Host IPS is running on Windows Vista or later platforms, the file is located in c:\Program Data\McAfee\Host Intrusion Prevention\HipShield.log. The HipShield log file grows to 128 MB and rotates with one backup. The registry keys log_rotate_count and log_rotate_size_kb control the size and the number of rotated HipShield.log files. (See the Log Rotation section for further details.)

Enabling Agent logging
All Host IPS logging is configurable from the Host IPS General/Client UI/Troubleshooting policy settings in ePolicy Orchestrator.

Logging can also be controlled locally through the Host IPS agent tray client manager, or configured directly in the registry.

Double-click on the Host IPS tray icon and unlock the Host IPS client console. You need an administrator or time-based password to unlock the console.
Open HelpTroubleshooting.
Select the required logging settings:
1. Check Enable Logging for IPS and Firewall logging.
2. Select All for IPS and Firewall logging.
  
  These locally configured settings remain in effect until the client console is locked/stopped.
  Also, a policy enforcement from ePO overrides the local policy (if the client console is locked/stopped).

NOTE: The Agent starts logging immediately with no restart required.

Sample HipShield output

########### Build: Nov 10 2005, 15:33:51 6.0.0.001 ###########
########### Session: Wed Nov 16 13:06:08 2005 ###########
11-16 13:06:08 [02092] INFO: **** Scan range 785af000-785b4520
11-16 13:06:09 [02092] WARNING: **** MatchCount = 1
11-16 13:06:09 [02092] INFO: entercept Agent Startup.
11-16 13:06:11 [02092] INFO: Tcl Set Web Cmds On.
11-16 13:06:11 [02092] INFO: using buffer for error messages
11-16 13:06:11 [02092] INFO: Shielding: Initialized, agent type = 5
11-16 13:06:11 [02092] INFO: Hid Load
11-16 13:06:11 [02092] INFO: In install modules new: C:Program FilesMcAfeeHost Intrusion PreventionHidSys.sys old: C:WINNTsystem32driversHidSys.sys
11-16 13:06:11 [02092] ERROR: HID: create service failed for hidsys, LastError = 0x000003e5
11-16 13:06:11 [02092] DEBUG: SI Service want state 1, service hidsys
11-16 13:06:11 [02092] INFO: In install modules new: C:Program FilesMcAfeeHost Intrusion Preventionkevlar_api_hook_list.dat old: C:WINNTsystem32kevlar_api_hook_list.dat
11-16 13:06:11 [02092] INFO: In install modules new: C:Program FilesMcAfeeHost Intrusion PreventionHidApiStub.dll old: C:WINNTsystem32hidapistub.dll
11-16 13:06:11 [02092] INFO: In install modules new: C:Program FilesMcAfeeHost Intrusion Preventionhidapi.dll old: C:WINNTsystem32hidapi.dll
11-16 13:06:12 [02092] INFO: In install modules new: C:Program FilesMcAfeeHost Intrusion Preventionkev_api_client.dll old: C:WINNTsystem32kev_api_client.dll
11-16 13:06:12 [02092] INFO: In install modules new: C:Program FilesMcAfeeHost Intrusion Preventionkev_api_client.dll old: C:WINNTsystem32kev_api_client.dll
11-16 13:06:12 [02092] INFO: In install modules new: C:Program FilesMcAfeeHost Intrusion Preventionkev_api_client.dll old: C:WINNTsystem32kev_api_client.dll
11-16 13:06:12 [02092] INFO: In install modules new: C:Program FilesMcAfeeHost Intrusion Preventionkev_api_client.dll old: C:WINNTsystem32kev_api_clit.dll
11-16 13:06:12 [02092] INFO: In install modules new: C:Program FilesMcAfeeHost Intrusion Preventionkev_api_client.dll old: C:WINNTsystem32kev_api_client.dll
11-16 13:06:13 [02092] DEBUG: SI Service want state 4, service hidsys
11-16 13:06:13 [02092] INFO: SI Service, Desired = 4, Current = 4
11-16 13:06:13 [02092] INFO: Starting EventDispatch thread
11-16 13:06:13 [00504] INFO: Listener: Enter...
11-16 13:06:13 [02092] INFO: Process Name Thread Started
11-16 13:06:13 [02092] DEBUG: HID: System is Win2000 Service Pack 4 Build 2195
11-16 13:06:13 [01924] INFO: GWD-Entering GetProcessNameThread Thread...
11-16 13:06:14 [02092] INFO: **** Scan range 785af000-785b4520
11-16 13:06:17 [02092] WARNING: **** MatchCount = 1
11-16 13:06:17 [02092] DEBUG: HID: ^^^ Logon Address Found at: 0x785af9e8
11-16 13:06:17 [02092] INFO: IIS - Load
11-16 13:06:17 [02092] INFO: IIS - Wait for state 2 - Active, current state is 2 - Active
11-16 13:06:17 [02092] INFO: Scrutinizer initialized successfully
11-16 13:06:17 [02092] INFO: ApiHook: Me 1696 Smss 152
11-16 13:06:18 [02092] INFO: New Process: Pid=152 Name:SystemRootSystem32smss.exe
11-08 17:22:30 [02132] INFO: IIS - Start
11-08 17:22:30 [02132] INFO: IIS - Wait for state 2 - Active, current state is 2 - Active
11-08 17:22:31 [02132] INFO: Scrutinizer started successfully (ACTIVATED status)
11-08 17:22:31 [02132] INFO: AgentNT:control_activate
11-08 17:22:31 [02132] INFO: Hid Load
11-08 17:22:32 [02132] INFO: Called HipsContentOpen
11-08 17:22:32 [02132] INFO: New Audit Mode = False
11-08 17:22:32 [02132] DEBUG: Setting Debug Types to: 0x00000000, Force = 1
11-08 17:22:32 [02132] INFO: New Trusted Apps, count =69
11-08 17:22:32 [02132] INFO: ProcessAppMonitorList count=42
11-08 17:22:32 [02132] INFO: ApiHook: Me 2104 Smss 152
11-08 17:22:33 [02132] INFO: InstallApiHook - Injecting into process 228 SERVICES.EXE
11-08 17:22:33 [02132] INFO: Hooking 228
11-08 17:22:45 [02132] INFO: Processing Buffer EnterceptMgmtServer.scn
11-08 17:22:45 [02132] DEBUG: si_reg|exists|HKLMSoftwareEnterceptEnterceptConsole|
11-08 17:22:45 [02132] INFO: result -->0<
11-08 17:22:49 [02132] DEBUG: signature=111 level=2, log=True
11-08 17:22:49 [02132] DEBUG: signature=112 level=3, log=True
11-08 17:22:49 [02132] DEBUG: signature=113 level=3, log=True
11-08 17:22:49 [02132] DEBUG: signature=131 level=2, log=True

HipShield Format

A run of the Host IPS component begins with a banner statement in the format below:

########## Build: Nov 10 2005, 15:33:51 6.0.0.001 ###########
########### Session: Wed Nov 16 13:06:08 2005 ###########

It identifies the build run and the date/time stamp of the session. Each line of the HipShield output shows a date/time stamp, followed by an indication whether this data is informational, debugging, or error.

The data contained in the HipShield is ad-hoc, and differs between parts of the Host IPS component.

Key areas of interest

Lines that begin with In install modules new describe file copy actions that are part of the start of the Host IPS component. Failure to copy these files prevents the Host IPS component from starting.
A line that begins with Scrutinizer initialized successfully indicates that the Host IPS component has been successfully loaded through the initialization of the Scrutinizer. The initialization of the Scrutinizer depends on the above-mentioned file copy actions.
A line that begins with New Process: Pid= indicates that the Host IPS component can monitor process creation.
A line that begins with IIS - Start indicates that the Host IPS component can monitor IIS.
A line that begins with Scrutinizer started successfully (ACTIVATED status) indicates that the Scrutinizer has successfully started.
A line that begins with Hooking xxx indicates that process hooking is proceeding. The number xxx indicates the PID (process ID) of the process being hooked.
A series of lines that begin with Processing Buffer xxx.scn report the results of the Scanner processing of scan file xxx.scn, where xxx is a name like EnterceptMgmtServer, as shown above. Errors in the processing of scan files are reported here.
Lines in the format signature=111 level=2, log=True report that an individual signature has been loaded. The signature ID and level are included with an indication of whether logging is enabled for this signature.

Host IPS Component Logging of Rules and Exceptions
Shield.db and except.db are created in the Agent directory only when you enable debugging. These files contain a dump of the rules and exceptions that are sent to the kernel after the AgentNT.dll has processed the content.

Host IPS Component HTTP Engine Log File/Engine Debug messages

Debugging
CAUTION: This article contains information about opening or modifying the registry.

The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
Do not run a REG file that is not confirmed to be a genuine registry import file.

To generate debug messages from the HTTP engines:

Click Start, Run, type regedit, then click OK.
Navigate to and select the registry key below:

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP\Engines\ISAPIControl]
In the right pane, verify that a String Value named DebugFile exists. If it does not, right-click a blank space, select New, String Value, and name the new string DebugFile.
Right-click the DebugFile value and select Modify.
In the Value data field, type the full path to the file where the engine writes debug messages.

NOTE: The file referenced in the path (for example, c:\http.txt) must exist for the debug messages to be successfully written.

After this key is created, debug logging to the specified file will begin immediately.

You can also set this entry to the special value debug. In this case, the debug messages are written using DbgPrint and can be viewed using DbgView. It is useful for IIS6 because IIS6 prevents a server from writing to locations outside of its directories. But, if permissions are configured for a server to write to locations outside of its directories, it still does so.
Stop and Restart the IIS service for this debug setting to take effect.

Sample File
The following is a sample of the debug output of the HTTP engine. The DbgView program adds the first three columns. So, they are not present if you direct the output to a file. The debug lines from the HTTP filter have a prefix of either S or E:

S denotes that the message came from the Stub part of the filter.
E means that the message came from the Engine part.

Stub messages document the loading and unloading of the Engine and the handling of the registry control codes.

Engine messages usually display the data that is sent to the Kernel for matching. If the message from the Engine has the keyword ENG, the data contained in the square brackets [ ] is the data used for the instance section. The section name precedes the brackets and the length of the data comes after the brackets. Other messages from the Engine usually display data as it is acquired from the HTTP request.

Informational comments are bolded in the following example. Useful messages within the log file usually have ** around them. You can view the log files and search for these messages with asterisks to aid in troubleshooting.

The stub receives a process attach message

00000003 0.07487320 [960] S DllMain PA

00000008 0.08012443 [960] S Using IIS5

The stub checks control value and loads the engine

00000009 0.10581931 [960] S Enter Control Thread

00000010 0.10606264 [960] S Enter GetRegState 1

00000011 0.10648895 [960] S Enter GetRegState 2

00000012 0.10954912 [960] S ld eng[C:\Program Files\McAfee\Host Intrusion Prevention\eng\isapi\IsapiEngine.dll]

00000013 0.18102832 [960] E dbg Device Id = 248

00000014 0.18148564 [960] E *** dll PA Heap [0x03140000] ***

00000018 0.18396416 [960] S Enter GetRegState 1

00000019 0.18427621 [960] S Enter GetRegState 2

00000020 0.18478800 [960] S Enter GetRegState 1

00000021 0.18501569 [960] S Enter GetRegState 2

The Engine receives a thread attach message

00000022 2.44738650 [960] E ** dll TA **

00000023 2.44831181 [960] E ** dll TA **

The Engine receives the read raw data message from IIS

00000038 54.64829636 [960] E *MSG* READ RAW DATA size 245

00000039 54.64912033 [960] E bf s:12288 u:245 l:12287 c:245

00000040 54.64957047 [960] E *MSG* PREPROC HEADERS

00000041 54.65096664 [960] E Hdr Size = 245

The Engine receives the URL map message from IIS

NOTE: This part is where the instance is built.

00000042 54.66551590 [960] E *MSG* URL MAP

00000043 54.66579819 [960] E HeapAlloc 4096

00000044 54.66617203 [960] E url[/]

00000045 54.66640091 [960] E ENG url [/] 1

00000046 54.66664505 [960] E ** Could not get query**

00000047 54.66683197 [960] E ENG raw url [/] 1

00000048 54.66717911 [960] E Content Len = 0

The method section is set with the data GET

00000049 54.66740036 [960] E ENG method [GET] *3

00000050 54.66758728 [960] E ** Could not get remote user section **

00000051 54.66777420 [960] E ENG source [127.0.0.1] *9

00000052 54.66912842 [960] E ENG Web Server Type [Microsoft-IIS/5.0] *17

00000053 54.66936493 [960] E PhysPath [c:\inetpub\wwwroot\]

00000054 54.66957092 [960] E ENG local file [c:\inetpub\wwwroot\] 19

00000055 54.67095566 [960] E Server [127.0.0.1]

00000056 54.67122650 [960] E ENG server [:127.0.0.1:80] 13

This area contains data for the raw data section. It might span several lines because it might contain line feeds

00000057 54.67142105 [960] E ENG raw data [GET / HTTP/1.1

00000058 54.67142105 [960] Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

00000059 54.67142105 [960] Accept-Language: en-us

00000060 54.67142105 [960] Accept-Encoding: gzip, deflate

00000061 54.67142105 [960] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

00000062 54.67142105 [960] Host: 127.0.0.1

00000063 54.67142105 [960] Connection: Keep-Alive

00000064 54.67142105 [960]

00000065 54.67142105 [960] ] 245

00000066 54.67332077 [960] E HeapFree

00000067 54.94361496 [960] E *MSG* URL MAP

00000068 54.94395447 [960] E HeapAlloc 4096

00000069 54.94415283 [960] E url[/iisstart.asp]

00000070 54.94435120 [960] E ENG url [/iisstart.asp] 13

00000071 54.94467163 [960] E ** Could not get query**

00000072 54.94486618 [960] E ENG raw url [/] 1

00000073 54.94505310 [960] E Content Len = 0

00000074 54.94523621 [960] E ENG method [GET] *3

00000075 54.94554901 [960] E ** Could not get remote user section **

00000076 54.94576263 [960] E ENG source [127.0.0.1] *9

00000077 54.94595718 [960] E ENG Web Server Type [Microsoft-IIS/5.0] *17

00000078 54.94614029 [960] E PhysPath [c:\inetpub\wwwroot\iisstart.asp]

00000079 54.94632339 [960] E ENG local file [c:\inetpub\wwwroot\iisstart.asp] 31

00000080 54.94709396 [960] E Server [127.0.0.1]

00000081 54.94731522 [960] E ENG server [:127.0.0.1:80] 13

00000082 54.94771194 [960] E ENG raw data [GET / HTTP/1.1

00000083 54.94771194 [960] Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

00000084 54.94771194 [960] Accept-Language: en-us

00000085 54.94771194 [960] Accept-Encoding: gzip, deflate

00000086 54.94771194 [960] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

00000087 54.94771194 [960] Host: 127.0.0.1

00000088 54.94771194 [960] Connection: Keep-Alive

00000089 54.94771194 [960]

00000090 54.94771194 [960] ] 245

00000091 54.94828796 [960] E HeapFree

00000098 58.97898483 [960] E ** dll TA **

00000099 61.27407455 [960] E *MSG* END_OF_REQUEST

00000100 61.45449829 [960] E *MSG* READ RAW DATA size 314

00000101 61.45475006 [960] E bf s:12288 u:314 l:12287 c:314

00000102 61.45503616 [960] E *MSG* PREPROC HEADERS

00000103 61.45529938 [960] E Hdr Size = 314

00000104 61.45590591 [960] E *MSG* URL MAP

00000105 61.45611954 [960] E HeapAlloc 4096

00000106 61.45637512 [960] E url[/localstart.asp]

00000107 61.45656967 [960] E ENG url [/localstart.asp] 15

00000108 61.45656967 [960] E ** Could not get query**

00000109 61.45755386 [960] E ENG raw url [/localstart.asp] 15

00000110 61.45776749 [960] E Content Len = 0

00000111 61.45796585 [960] E ENG method [GET] *3

00000112 61.45822144 [960] E ** Could not get remote user section **

00000113 61.45842743 [960] E ENG source [127.0.0.1] *9

00000114 61.45862198 [960] E ENG Web Server Type [Microsoft-IIS/5.0] *17

00000115 61.45880890 [960] E PhysPath [c:\inetpub\wwwroot\localstart.asp]

00000116 61.45900345 [960] E ENG local file [c:\inetpub\wwwroot\localstart.asp] 33

00000117 61.45924377 [960] E Server [127.0.0.1]

00000118 61.45943451 [960] E ENG server [:127.0.0.1:80] 13

00000119 61.45963287 [960] E ENG raw data [GET /localstart.asp HTTP/1.1

00000120 61.45963287 [960] Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

00000121 61.45963287 [960] Accept-Language: en-us

00000122 61.45963287 [960] Accept-Encoding: gzip, deflate00000123 61.45963287 [960] User-Agent: Mozilla/4.0

compatible; MSIE 6.0; Windows NT 5.0)

00000124 61.45963287 [960] Host: 127.0.0.1

00000125 61.45963287 [960] Connection: Keep-Alive

00000126 61.45963287 [960] Cookie: ASPSESSIONIDQATTSDRC=KAMDFDBBIMKEMDJECMMGIPMI

00000127 61.45963287 [960]

00000128 61.45963287 [960] ] 314

00000129 61.46013641 [960] E HeapFree

00000130 61.60787964 [960] E *MSG* END_OF_REQUEST

00000131 61.61059570 [960] E *MSG* END_OF_NET_SESSION

00000132 61.61059570 [960] .

00000133 61.61059570 [960] .

00000134 83.77558136 [960] E *MSG* READ RAW DATA size 313

00000135 83.77619171 [960] E bf s:12288 u:313 l:12287 c:313

00000136 83.77647400 [960] E *MSG* PREPROC HEADERS

00000137 83.77668762 [960] E Hdr Size = 313

00000138 83.77697754 [960] E *MSG* URL MAP

00000139 83.77729034 [960] E HeapAlloc 4096

00000140 83.77750397 [960] E url[/myloc]

00000141 83.77913666 [960] E ENG url [/myloc] 6

00000142 83.77944183 [960] E query[myquery]

00000143 83.77964783 [960] E ENG query [myquery] 7

00000144 83.77984619 [960] E ENG raw url [/myloc?myquery] 14

00000145 83.78018188 [960] E Content Len = 0

00000146 83.78041077 [960] E ENG method [GET] *3

00000147 83.78059387 [960] E ** Could not get remote user section **

00000148 83.78079224 [960] E ENG source [127.0.0.1] *9

00000149 83.78106689 [960] E ENG Web Server Type [Microsoft-IIS/5.0] *17

00000150 83.78128815 [960] E PhysPath [c:\inetpub\wwwroot\myloc]

00000151 83.78147888 [960] E ENG local file [c:\inetpub\wwwroot\myloc] 24

00000152 83.78167725 [960] E Server [127.0.0.1]

00000153 83.78187561 [960] E ENG server [:127.0.0.1:80] 13

00000154 83.78221130 [960] E ENG raw data [GET /myloc?myquery HTTP/1.1

00000155 83.78221130 [960] Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

00000156 83.78221130 [960] Accept-Language: en-us

00000157 83.78221130 [960] Accept-Encoding: gzip, deflate

00000158 83.78221130 [960] User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

00000159 83.78221130 [960] Host: 127.0.0.1

00000160 83.78221130 [960] Connection: Keep-Alive

00000161 83.78221130 [960] Cookie: ASPSESSIONIDQATTSDRC=KAMDFDBBIMKEMDJECMMGIPMI

00000162 83.78221130 [960]

00000163 83.78221130 [960] ] 313

00000164 83.78269196 [960] E HeapFree

00000165 83.82407379 [960] E *MSG* END_OF_REQUEST

00000166 83.82532501 [960] E *MSG* END_OF_NET_SESSION

00000167 83.82532501 [960] .

00000168 83.82532501 [960] .

IPS Debug Log files
The IPS service log file is controlled locally from the Help/Troubleshooting submenu on the client manager. You can select different levels of logging, depending on the issue you are troubleshooting.

You can also set logging locally by adding the DWORD 'debug_enabled' value in the HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP registry hive.

A value of decimal 1 turns on verbose debug logging.
A value of decimal 0 disables logging.

The use of the local registry key to enable debug logging overrides any policy sent from the ePolicy Orchestrator server. It allows you to enable local debugging without changing the policy for that client.

Firewall Component Log files
The firewall service log file is controlled locally from the Help/Troubleshooting submenu on the client manager. You can select different levels of logging, depending on the issue you are troubleshooting.

NOTE: When you collect data for incidents, McAfee strongly recommends that you create the debug_enabled registry value and set it to 1. This registry value logs all IPS/NPS signature triggers to the HIPShield.log regardless of the Log Status setting for the Signature Properties. Ensure that you turn off the system, delete old log files, restart the system, and then reproduce the issue. It minimizes the size of the log files. Zip all log files and include the ZIP file in your service request.

The following table summarizes information about several log files:

Name	Description	After enabling logging, when does logging to file start?	Required
FireSvc.log	Main service log	Immediately when set by client console	Always
FireEpo.log	CMA plug-in log	Restart of the common framework or computer reboot is required.	Always
FireTray.log	Tray log	New user session is required.	Always
FireUI.log	Client UI log	Manager restart is required.	Always
ClientControl.log	ClientControl utility log	Upon next run of ClientControl	If the problem is with the ClientControl utility
Tracemon Log file	Stateful Firewall Log	Immediately after tracemon installation	Only when instructed by a developer

The FireSvc log files grow until they reach the default maximum size of 100 MB. If you require larger or smaller log files, you can control the size by adding the following registry value:

CAUTION: This article contains information about opening or modifying the registry.

The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
Do not run a REG file that is not confirmed to be a genuine registry import file.

Click Start, Run, type regedit, then click OK.
Navigate to and select the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP]
In the right pane, right-click a blank space and select New, Dword Value.
Name the new value MaxFwLogSize.
Right-click MaxFwLogSize and select Modify.
Change the Value data to the required size of the FireSvc log. This value is entered in kilobytes.
Click OK, then close the registry editor.

NOTE: The MaxFwLogSize registry key controls the size of the FireSVC, FireEpo, FireTray, and FireUI logs. Creating and assigning a value to the above registry key sets the maximum size of all log files.

Log Rotation
The log file rotation is controlled by the DWORD entries log_rotate_size_kb and log_rotate_count in the Windows registry at:

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP]

The value log_rotate_count is the number of backup log files to preserve. The DWORD entry log_rotate_size_kb is the approximate size in KB of a backup log file, where 0 means log rotation is disabled.

By setting log_rotate_size_kb to a non-zero value, no log file gets permitted to grow substantially beyond the specified size (in kilobytes).

When the log_rotate_size_kb specified size has been exceeded (with the log_rotate_count set to a non-zero value), the file is closed and renamed with the suffix 1. If a file with that name exists, the suffix increments by one, with the highest number specified in the variable log_rotate_count. When the specified number of backup files is reached, the oldest files are deleted.

Example
When the log file HipShield.log reaches the threshold size, it is renamed as HipShield.log.1. If a file with that name exists, the new file is named as HipShield.log.2.

log_rotate_size_kb=500 - This variable controls how large any of the log files might grow in KB before being rotated. The default value of 0 means that there is no log file rotation.
log_rotate_count=2 - This variable controls how many rotated log files are kept. If log_rotate_size_kb is set to 0, rotation is disabled.

The default for the count is 1 and the default for the size is 128. These values are only read when the FireSvc starts.

Related Information

KB72869 - How to enable Host Intrusion Prevention debug logging
KB53490 - Host Intrusion Prevention logging for non-Windows clients
Host Intrusion Prevention 8.0 Product Guide

Affected Products

Diagnostic Data Collection
Host Intrusion Prevention 8.0
Troubleshooting

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Host Intrusion Prevention 8.0 agent logging and troubleshooting on Microsoft Windows

Environment

Summary

Solution

Related Information

Affected Products

Glossary of Technical Terms

Title

Title

Knowledge Center

Host Intrusion Prevention 8.0 agent logging and troubleshooting on Microsoft Windows

Environment

Summary

Solution

Related Information

Affected Products

Glossary of Technical Terms

Choose your region

Title

Title