Explanation about agent logging and troubleshooting
Technical Articles ID:
KB51517
Last Modified: 11/4/2020
Environment
McAfee Host Intrusion Prevention (Host IPS) 8.0
For details of Host IPS supported platforms, see KB70778.
Summary
This article addresses the following topics:
- Understanding Agent log files
- Enabling Agent logging
- Logging of Rules and Exceptions
- Engine Debug messages
- Firewall Component log files
Understanding Host Intrusion Prevention log files
Host Intrusion Prevention (Host IPS) component main log file:
- The primary IPS log file used by Host IPS 8.0 systems is HipShield.log. On Windows versions before Vista, this file is located in
c:\Documents And Settings\All Users\Application Data\McAfee\Host Intrusion Prevention\HipShield.log.
- When Host IPS is running on Windows Vista or later platforms, the file is located in
c:\ProgramData\McAfee\Host Intrusion Prevention\HipShield.log. The HipShield.log file grows to 128 MB and rotates with one backup. The registry values log_rotate_count and log_rotate_size_kb control the size and the number of rotated HipShield.log files. (See the Log Rotation section for further details.)
Enabling Agent logging
All Host IPS logging is configurable from the Host IPS General/Client UI/Troubleshooting policy settings in ePolicy Orchestrator.
Logging can also be controlled locally through the Host IPS agent tray client manager, or configured directly in the registry.
- Double-click the Host IPS tray icon and unlock the Host IPS client console. You need an administrator or time-based password to unlock the console.
- Open Help, Troubleshooting.
- Select the required logging settings:
  - Check Enable Logging for IPS and Firewall logging.
  - Select All for IPS and Firewall logging.
These locally configured settings remain in effect until the client console is locked or stopped. Once the client console is locked or stopped, the next policy enforcement from ePO overrides the local settings.
NOTE: The Agent starts logging immediately; no restart is required.
Sample HipShield output
########### Session: Wed Nov 16 13:06:08 2005 ###########
11-16 13:06:08 [02092] INFO: **** Scan range 785af000-785b4520
11-16 13:06:09 [02092] WARNING: **** MatchCount = 1
11-16 13:06:09 [02092] INFO: entercept Agent Startup.
11-16 13:06:11 [02092] INFO: Tcl Set Web Cmds On.
11-16 13:06:11 [02092] INFO: using buffer for error messages
11-16 13:06:11 [02092] INFO: Shielding: Initialized, agent type = 5
11-16 13:06:11 [02092] INFO: Hid Load
11-16 13:06:11 [02092] INFO: In install modules new: C:\Program Files\McAfee\Host Intrusion Prevention\HidSys.sys old: C:\WINNT\system32\drivers\HidSys.sys
11-16 13:06:11 [02092] ERROR: HID: create service failed for hidsys, LastError = 0x000003e5
11-16 13:06:11 [02092] DEBUG: SI Service want state 1, service hidsys
11-16 13:06:11 [02092] INFO: In install modules new: C:\Program Files\McAfee\Host Intrusion Prevention\kevlar_api_hook_list.dat old: C:\WINNT\system32\kevlar_api_hook_list.dat
11-16 13:06:11 [02092] INFO: In install modules new: C:\Program Files\McAfee\Host Intrusion Prevention\HidApiStub.dll old: C:\WINNT\system32\hidapistub.dll
11-16 13:06:11 [02092] INFO: In install modules new: C:\Program Files\McAfee\Host Intrusion Prevention\hidapi.dll old: C:\WINNT\system32\hidapi.dll
11-16 13:06:12 [02092] INFO: In install modules new: C:\Program Files\McAfee\Host Intrusion Prevention\kev_api_client.dll old: C:\WINNT\system32\kev_api_client.dll
11-16 13:06:12 [02092] INFO: In install modules new: C:\Program Files\McAfee\Host Intrusion Prevention\kev_api_client.dll old: C:\WINNT\system32\kev_api_client.dll
11-16 13:06:12 [02092] INFO: In install modules new: C:\Program Files\McAfee\Host Intrusion Prevention\kev_api_client.dll old: C:\WINNT\system32\kev_api_client.dll
11-16 13:06:12 [02092] INFO: In install modules new: C:\Program Files\McAfee\Host Intrusion Prevention\kev_api_client.dll old: C:\WINNT\system32\kev_api_client.dll
11-16 13:06:12 [02092] INFO: In install modules new: C:\Program Files\McAfee\Host Intrusion Prevention\kev_api_client.dll old: C:\WINNT\system32\kev_api_client.dll
11-16 13:06:13 [02092] DEBUG: SI Service want state 4, service hidsys
11-16 13:06:13 [02092] INFO: SI Service, Desired = 4, Current = 4
11-16 13:06:13 [02092] INFO: Starting EventDispatch thread
11-16 13:06:13 [00504] INFO: Listener: Enter...
11-16 13:06:13 [02092] INFO: Process Name Thread Started
11-16 13:06:13 [02092] DEBUG: HID: System is Win2000 Service Pack 4 Build 2195
11-16 13:06:13 [01924] INFO: GWD-Entering GetProcessNameThread Thread...
11-16 13:06:14 [02092] INFO: **** Scan range 785af000-785b4520
11-16 13:06:17 [02092] WARNING: **** MatchCount = 1
11-16 13:06:17 [02092] DEBUG: HID: ^^^ Logon Address Found at: 0x785af9e8
11-16 13:06:17 [02092] INFO: IIS - Load
11-16 13:06:17 [02092] INFO: IIS - Wait for state 2 - Active, current state is 2 - Active
11-16 13:06:17 [02092] INFO: Scrutinizer initialized successfully
11-16 13:06:17 [02092] INFO: ApiHook: Me 1696 Smss 152
11-16 13:06:18 [02092] INFO: New Process: Pid=152 Name:\SystemRoot\System32\smss.exe
11-08 17:22:30 [02132] INFO: IIS - Start
11-08 17:22:30 [02132] INFO: IIS - Wait for state 2 - Active, current state is 2 - Active
11-08 17:22:31 [02132] INFO: Scrutinizer started successfully (ACTIVATED status)
11-08 17:22:31 [02132] INFO: AgentNT:control_activate
11-08 17:22:31 [02132] INFO: Hid Load
11-08 17:22:32 [02132] INFO: Called HipsContentOpen
11-08 17:22:32 [02132] INFO: New Audit Mode = False
11-08 17:22:32 [02132] DEBUG: Setting Debug Types to: 0x00000000, Force = 1
11-08 17:22:32 [02132] INFO: New Trusted Apps, count =69
11-08 17:22:32 [02132] INFO: ProcessAppMonitorList count=42
11-08 17:22:32 [02132] INFO: ApiHook: Me 2104 Smss 152
11-08 17:22:33 [02132] INFO: InstallApiHook - Injecting into process 228 SERVICES.EXE
11-08 17:22:33 [02132] INFO: Hooking 228
11-08 17:22:45 [02132] INFO: Processing Buffer EnterceptMgmtServer.scn
11-08 17:22:45 [02132] DEBUG: si_reg|exists|HKLM\Software\Entercept\EnterceptConsole|
11-08 17:22:45 [02132] INFO: result -->0<
11-08 17:22:49 [02132] DEBUG: signature=111 level=2, log=True
11-08 17:22:49 [02132] DEBUG: signature=112 level=3, log=True
11-08 17:22:49 [02132] DEBUG: signature=113 level=3, log=True
11-08 17:22:49 [02132] DEBUG: signature=131 level=2, log=True
HipShield Format
A run of the Host IPS component begins with a banner statement in the format below:
########### Session: Wed Nov 16 13:06:08 2005 ###########
It identifies the build run and the date/time stamp of the session. Each line of the HipShield output shows a date/time stamp, followed by an indication whether this data is informational, debugging, or error.
The data contained in the
Key areas of interest
- Lines that begin with In install modules new describe file copy actions that are part of the start of the Host IPS component. Failure to copy these files prevents the Host IPS component from starting.
- A line that begins with Scrutinizer initialized successfully indicates that the Host IPS component has been successfully loaded through the initialization of the Scrutinizer. The initialization of the Scrutinizer depends on the above-mentioned file copy actions.
- A line that begins with New Process: Pid= indicates that the Host IPS component can monitor process creation.
- A line that begins with IIS - Start indicates that the Host IPS component can monitor IIS.
- A line that begins with Scrutinizer started successfully (ACTIVATED status) indicates that the Scrutinizer has successfully started.
- A line that begins with Hooking xxx indicates that process hooking is proceeding. The number xxx is the PID (process ID) of the process being hooked.
- A series of lines that begin with Processing Buffer xxx.scn report the results of the Scanner processing of scan file xxx.scn, where xxx is a name like EnterceptMgmtServer, as shown above. Errors in the processing of scan files are reported here.
- Lines in the format signature=111 level=2, log=True report that an individual signature has been loaded. The signature ID and level are included with an indication of whether logging is enabled for this signature.
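The checks in the list above are easy to do by eye on a short capture but tedious on a 128 MB HipShield.log. The following Python script is an added example, not part of this article or of the Host IPS product: it splits a capture into sessions on the banner line, records the first time each startup milestone appears, collects ERROR lines (decoding the LastError value against a small, assumed subset of Win32 error codes), and counts hooked PIDs and loaded signatures. The sample log embedded at the bottom is constructed from lines of the sample output above, merged into one session; the function names and the milestone keys are assumptions.

```python
"""Triage a HipShield.log capture against the startup milestones listed above."""
import re
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<tid>\d+)\] (?P<level>INFO|WARNING|ERROR|DEBUG): (?P<msg>.*)$"
)
SESSION_RE = re.compile(r"^#+ Session: (?P<stamp>.+?) #+$")
LASTERROR_RE = re.compile(r"LastError = 0x([0-9A-Fa-f]+)")
SIG_RE = re.compile(r"^signature=(\d+) level=(\d+), log=(True|False)$")
HOOK_RE = re.compile(r"^Hooking (\d+)$")

# Startup milestones from "Key areas of interest", in the order they should appear.
MILESTONES = [
    ("modules_installed", "In install modules new"),
    ("scrutinizer_initialized", "Scrutinizer initialized successfully"),
    ("process_monitoring", "New Process: Pid="),
    ("iis_start", "IIS - Start"),
    ("scrutinizer_activated", "Scrutinizer started successfully (ACTIVATED status)"),
]

# Assumption: a small subset of Win32 error codes for decoding LastError values.
WIN32_ERRORS = {
    0x2: "ERROR_FILE_NOT_FOUND",
    0x5: "ERROR_ACCESS_DENIED",
    0x3E5: "ERROR_IO_PENDING",
    0x431: "ERROR_SERVICE_EXISTS",
}


def parse_hipshield(text: str) -> List[Dict]:
    """Split a HipShield.log capture into sessions and collect what matters.

    Each session dict holds the banner timestamp, ERROR lines (with LastError
    decoded when present), the first time each milestone was seen, hooked
    PIDs and signature load counts.
    """
    sessions: List[Dict] = []
    current: Dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SESSION_RE.match(line)
        if banner:
            current = {
                "session": banner.group("stamp"),
                "errors": [],
                "milestones": {},
                "hooked_pids": [],
                "signatures": 0,
                "signatures_logging": 0,
            }
            sessions.append(current)
            continue
        m = LINE_RE.match(line)
        if not m or not current:
            continue  # not a HipShield line, or a line before the first banner
        msg = m.group("msg")
        if m.group("level") == "ERROR":
            entry = {"time": m.group("time"), "msg": msg}
            le = LASTERROR_RE.search(msg)
            if le:
                code = int(le.group(1), 16)
                entry["last_error"] = WIN32_ERRORS.get(code, f"0x{code:x}")
            current["errors"].append(entry)
        for key, prefix in MILESTONES:
            if msg.startswith(prefix):
                current["milestones"].setdefault(key, m.group("time"))
        hooked = HOOK_RE.match(msg)
        if hooked:
            current["hooked_pids"].append(int(hooked.group(1)))
        sig = SIG_RE.match(msg)
        if sig:
            current["signatures"] += 1
            if sig.group(3) == "True":
                current["signatures_logging"] += 1
    return sessions


def verdict(session: Dict) -> str:
    """One-line health call for a session, based on which milestones appeared."""
    missing = [key for key, _ in MILESTONES if key not in session["milestones"]]
    if "scrutinizer_initialized" in missing:
        return ("FAILED: Scrutinizer never initialized; check the 'In install modules' "
                "file copies and the ERROR lines")
    if missing:
        return "PARTIAL: missing " + ", ".join(missing)
    return "OK: all startup milestones reached"


# Constructed sample: lines taken from the page's sample output above, merged
# into one session, with the log flag of signature 112 changed to False.
SAMPLE_LOG = r"""########### Session: Wed Nov 16 13:06:08 2005 ###########
11-16 13:06:11 [02092] INFO: In install modules new: C:\Program Files\McAfee\Host Intrusion Prevention\HidSys.sys old: C:\WINNT\system32\drivers\HidSys.sys
11-16 13:06:11 [02092] ERROR: HID: create service failed for hidsys, LastError = 0x000003e5
11-16 13:06:17 [02092] INFO: Scrutinizer initialized successfully
11-16 13:06:18 [02092] INFO: New Process: Pid=152 Name:\SystemRoot\System32\smss.exe
11-08 17:22:30 [02132] INFO: IIS - Start
11-08 17:22:31 [02132] INFO: Scrutinizer started successfully (ACTIVATED status)
11-08 17:22:33 [02132] INFO: Hooking 228
11-08 17:22:49 [02132] DEBUG: signature=111 level=2, log=True
11-08 17:22:49 [02132] DEBUG: signature=112 level=3, log=False
"""

if __name__ == "__main__":
    for s in parse_hipshield(SAMPLE_LOG):
        print(f"Session {s['session']}: {verdict(s)}")
        for err in s["errors"]:
            print(f"  ERROR at {err['time']}: {err['msg']} "
                  f"[{err.get('last_error', 'no LastError')}]")
        print(f"  hooked PIDs: {s['hooked_pids']}, signatures loaded: "
              f"{s['signatures']} ({s['signatures_logging']} with logging)")
```

Run it against a real capture by replacing SAMPLE_LOG with the contents of HipShield.log (and the rotated backup, which holds the previous session). A verdict of FAILED with an ERROR line among the In install modules entries points at the file copy problem the first bullet above describes; an ERROR decoded as ERROR_IO_PENDING on service creation, as in the sample, is a driver-install result you will want to correlate with whether the SI Service lines that follow reach Desired = 4, Current = 4.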
Host IPS Component Logging of Rules and Exceptions
Shield.db and except.db are created in the Agent directory only when you enable debugging. These files contain a dump of the rules and exceptions that are sent to the kernel after the
Host IPS Component HTTP Engine Log File/Engine Debug messages
CAUTION: This article contains information about opening or modifying the registry.
- The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
- Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
- Do not run a REG file that is not confirmed to be a genuine registry import file.
To generate debug messages from the HTTP engines:
- Click Start, Run, type regedit, then click OK.
- Navigate to and select the registry key below:
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP\Engines\ISAPIControl]
- In the right pane, verify that a String Value named DebugFile exists. If it does not, right-click a blank space, select New, String Value, and name the new string DebugFile.
- Right-click the DebugFile value and select Modify.
- In the Value data field, type the full path to the file where the engine writes debug messages.
NOTE: The file referenced in the path (for example, c:\http.txt) must exist for the debug messages to be successfully written.
After this value is created, debug logging to the specified file begins immediately.
You can also set this entry to the special value debug. In this case, the debug messages are written using DbgPrint and can be viewed using DbgView. This is useful on IIS 6, which normally prevents a server process from writing to locations outside of its own directories. If permissions have been configured so that the server can write outside of its directories, writing to a file still works.
- Stop and restart the IIS service for this debug setting to take effect.
Sample File
The following is a sample of the debug output of the HTTP engine. The DbgView program adds the first three columns, so they are not present if you direct the output to a file. The debug lines from the HTTP filter have a prefix of either S or E:
- S denotes that the message came from the Stub part of the filter.
- E means that the message came from the Engine part.
Stub messages document the loading and unloading of the Engine and the handling of the registry control codes.
Engine messages usually display the data that is sent to the Kernel for matching. If the message from the Engine has the keyword ENG, the data contained in the square brackets [ ] is the data used for the instance section. The section name precedes the brackets and the length of the data comes after the brackets. Other messages from the Engine usually display data as it is acquired from the HTTP request.
Informational comments are bolded in the following example. Useful messages within the log file usually have ** around them. You can view the log files and search for these messages with asterisks to aid in troubleshooting.
The stub checks control value and loads the engine
The Engine receives a thread attach message
The Engine receives the read raw data message from IIS
The Engine receives the URL map message from IIS
NOTE: This part is where the instance is built.
The method section is set with the data GET
This area contains data for the raw data section. It might span several lines because it might contain line feeds
IPS Debug Log files
The IPS service log file is controlled locally from the Help/Troubleshooting submenu on the client manager. You can select different levels of logging, depending on the issue you are troubleshooting.
You can also set logging locally by adding the DWORD value debug_enabled under the HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP registry key:
- A value of decimal 1 turns on verbose debug logging.
- A value of decimal 0 disables logging.
Firewall Component Log files
The firewall service log file is controlled locally from the Help/Troubleshooting submenu on the client manager. You can select different levels of logging, depending on the issue you are troubleshooting.
NOTE: When you collect data for incidents, McAfee strongly recommends that you create the
The following table summarizes information about several log files:
| Name | Description | After enabling logging, when does logging to file start? | Required |
| --- | --- | --- | --- |
| | Main service log | Immediately when set by client console | Always |
| | CMA plug-in log | Restart of the common framework or computer reboot is required. | Always |
| | Tray log | New user session is required. | Always |
| | Client UI log | Manager restart is required. | Always |
| | ClientControl utility log | Upon next run of | If the problem is with the ClientControl utility |
| | Stateful Firewall Log | Immediately after | Only when instructed by a developer |
The FireSvc log files grow until they reach the default maximum size of 100 MB. If you require larger or smaller log files, you can control the size by adding the following registry value:
CAUTION: This article contains information about opening or modifying the registry.
- The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
- Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
- Do not run a REG file that is not confirmed to be a genuine registry import file.
- Click Start, Run, type regedit, then click OK.
- Navigate to and select the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP]
- In the right pane, right-click a blank space and select New, DWORD Value.
- Name the new value MaxFwLogSize.
- Right-click MaxFwLogSize and select Modify.
- Change the Value data to the required size of the FireSvc log. This value is entered in kilobytes.
- Click OK, then close the registry editor.
NOTE: The MaxFwLogSize value applies to the FireSvc, FireEpo, FireTray, and FireUI logs. Creating and assigning a value to this registry value sets the maximum size of all of these log files.
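The three registry values this article describes (debug_enabled under HIP in the IPS Debug Log files section, DebugFile under HIP\Engines\ISAPIControl in the HTTP engine section, and MaxFwLogSize under HIP above) are usually set on more than one host, and the CAUTION boxes above warn against importing a REG file you have not checked. The following Python script is an added example, not part of this article or of McAfee's tooling: it renders exactly those values as a .reg file you can read before importing with regedit, enforces the NOTE that the DebugFile path must already exist (the special value debug is exempt), converts the MaxFwLogSize size from megabytes to the kilobytes the value expects, and can write the two HIP DWORDs directly through winreg on a Windows host. The registry paths and value names come from the steps above; the function names, the 100 MB figure used in the demo (the default size stated above) and the example path c:\http.txt (from the NOTE above) are the assumptions.

```python
"""Render the Host IPS logging registry values above as a reviewable .reg file."""
import os
from typing import List, Optional

HIP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP"
ISAPI_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP\Engines\ISAPIControl"
DBGPRINT_SENTINEL = "debug"  # special DebugFile value: send output to DbgPrint/DbgView


def reg_dword(value: int) -> str:
    """Render a REG_DWORD the way regedit exports it: 8 lowercase hex digits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"REG_DWORD out of range: {value}")
    return f"dword:{value:08x}"


def reg_sz(value: str) -> str:
    """Render a REG_SZ; .reg syntax escapes backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def mb_to_kb(megabytes: int) -> int:
    """MaxFwLogSize is entered in kilobytes; the default stated above is 100 MB."""
    if megabytes <= 0:
        raise ValueError("log size must be positive")
    return megabytes * 1024


def build_reg(debug_enabled: Optional[bool] = None,
              max_fw_log_mb: Optional[int] = None,
              http_debug_file: Optional[str] = None,
              require_existing_file: bool = True) -> str:
    """Return .reg text that sets only the values requested.

    http_debug_file is either a full path (which must already exist, as the
    NOTE above requires) or the sentinel "debug" for DbgPrint output.
    """
    lines: List[str] = ["Windows Registry Editor Version 5.00", ""]
    hip_values: List[str] = []
    if debug_enabled is not None:
        hip_values.append(f'"debug_enabled"={reg_dword(1 if debug_enabled else 0)}')
    if max_fw_log_mb is not None:
        hip_values.append(f'"MaxFwLogSize"={reg_dword(mb_to_kb(max_fw_log_mb))}')
    if hip_values:
        lines += [f"[{HIP_KEY}]", *hip_values, ""]
    if http_debug_file is not None:
        if (http_debug_file != DBGPRINT_SENTINEL and require_existing_file
                and not os.path.isfile(http_debug_file)):
            raise FileNotFoundError(
                f"{http_debug_file} must exist before the engine can write to it")
        lines += [f"[{ISAPI_KEY}]", f'"DebugFile"={reg_sz(http_debug_file)}', ""]
    return "\r\n".join(lines)  # regedit expects CRLF line endings


def apply_on_windows(debug_enabled: Optional[bool] = None,
                     max_fw_log_mb: Optional[int] = None) -> None:
    """Write the two HIP DWORDs directly (Windows only; run from an elevated prompt)."""
    import winreg  # importable only on Windows

    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\McAfee\HIP",
                            0, winreg.KEY_SET_VALUE) as key:
        if debug_enabled is not None:
            winreg.SetValueEx(key, "debug_enabled", 0, winreg.REG_DWORD,
                              1 if debug_enabled else 0)
        if max_fw_log_mb is not None:
            winreg.SetValueEx(key, "MaxFwLogSize", 0, winreg.REG_DWORD,
                              mb_to_kb(max_fw_log_mb))


if __name__ == "__main__":
    # Example path c:\http.txt is taken from the NOTE above; the existence
    # check is skipped here so the demo also runs on a non-Windows host.
    print(build_reg(debug_enabled=True, max_fw_log_mb=100,
                    http_debug_file=r"c:\http.txt", require_existing_file=False))
```

Review the generated text before importing it, and keep require_existing_file at its default on the target host so a mistyped DebugFile path is rejected rather than silently producing no output. This article does not say whether the HIP key sits under Wow6432Node on 64-bit hosts, so confirm where the existing key lives in regedit before using apply_on_windows, and pass winreg.KEY_WOW64_32KEY together with KEY_SET_VALUE if it does.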
Log Rotation
The log file rotation is controlled by the DWORD entries log_rotate_count and log_rotate_size_kb.
The value log_rotate_count is the number of backup log files to preserve. The DWORD entry log_rotate_size_kb is the approximate size in KB of a backup log file, where 0 means log rotation is disabled.
By setting
When the
Example
When the log file
The default for the count is 1 and the default for the size is 128. These values are only read when the
Related Information
KB72869 - How to enable Host Intrusion Prevention debug logging
KB53490 - Host Intrusion Prevention logging for non-Windows clients
Host Intrusion Prevention 8.0 Product Guide