


How to enable Host Intrusion Prevention 8.0 debug logging
Technical Articles ID:   KB72869
Last Modified:  3/20/2019


Environment

McAfee Host Intrusion Prevention (Host IPS) 8.0

Summary

Use the following information to enable Host IPS debug logging on Windows, Linux, and Solaris operating systems.

NOTE: Host IPS Debug logs are written to the following directories (depending on the operating system):
  • Windows Vista (and later): C:\ProgramData\McAfee\Host Intrusion Prevention\
  • Linux/Solaris: /opt/McAfee/hip/log


Solution

Windows operating systems (Options 1 and 2)

Option 1 - Enable debug logging via an ePolicy Orchestrator (ePO) policy (recommended)

NOTE: If you do not want to change the policy assigned to all systems, duplicate your current Host IPS Client UI policy, modify the duplicate policy to enable Host IPS debug logging, and then assign the duplicate policy to a single system.
  1. Log on to the ePO console.
  2. Click Menu, Policy, Policy Catalog.
  3. Select Host Intrusion Prevention x.x.x General in the Product drop-down list, and Client UI (Windows) in the Category drop-down list.
  4. Click Edit Settings under the Actions column for the policy.
  5. Click the Troubleshooting tab.
  6. Set both Firewall and IPS logging entries to Debug.
  7. Select Log Security Violations in the IPS logging field.
  8. Click Save.
  9. Perform an ePO agent wakeup call to the system.
  10. Open the Host IPS Client UI via the McAfee Agent Tray Icon on the client.

    NOTE: You can also start the Client UI from the following executable:

    <Program Files>\McAfee\Host Intrusion Prevention\McAfeeFire.exe

  11. Verify that Host IPS debugging is enabled (open the Host IPS Client UI and click Help, Troubleshooting):

    Verify that IPS and Firewall logging is set to Debug and that Log Security Violations is enabled. You can also check the following registry values:

    32-bit: HKLM\Software\McAfee\HIP\Config\Settings\
    64-bit: HKLM\Software\Wow6432Node\McAfee\HIP\Config\Settings\

    "Client_LogLevelFw"=dword:00000001 (1)
    "Client_LogLevelIps"=dword:00000004 (4)
    "ClientUI_IpsLogViolations"=dword:00000001 (1)

NOTE: You can also enable debug logging via the local Client UI (without modifying the ePO policy) by following only Steps 10 and 11 above. Logging might be disabled automatically if you close or lock the Host IPS Client UI. McAfee recommends that you enable debug logging only via the policy while troubleshooting an issue, and then disable it when you are finished.



Option 2 - Enable Host IPS debug logging via the local registry using Regedit.exe
Restarting the Host IPS service is not required. See the steps below for details, and see KB51517 for additional debug options. These steps are useful when debug logging is required to investigate Host IPS policy enforcement issues (for example, when debug logging is not being enabled correctly via policy).

CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.
  1. To enable debug logging via the registry:
    1. Disable the Host IPS module, or, if at HIPS 8.0 Update 9 or later, disable the Enable Self Protection option.
    2. Create a DWORD 'debug_enabled' value under the applicable registry location below:

       32-bit: HKLM\Software\McAfee\HIP\
       64-bit: HKLM\Software\Wow6432Node\McAfee\HIP\

       A value of decimal 1 turns on verbose debug logging.
       A value of decimal 0 disables logging.
  2. After troubleshooting the issue, disable debug logging via the registry by performing the following steps:
    1. Disable the Host IPS module or, if at HIPS 8.0 Update 9 or later, disable the Enable Self Protection option.
    2. Remove the DWORD debug_enabled value.
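The following PowerShell script is an added example, not part of this article or of McAfee's own tooling. It reads back the registry values listed under Options 1 and 2 and lists files recently written to the Host IPS log directory, so an administrator can confirm on a client that debug logging actually took effect before collecting logs. It assumes the 64-bit values live under Wow6432Node as the article states, that the log directory is the ProgramData path from the Summary, and (since the article does not name the log files) simply lists any file modified in the last 15 minutes.

```powershell
# Added verification script (not from the KB article). Reads back the Host IPS 8.0
# logging settings described above so you can confirm that the ePO policy (Option 1)
# or the registry change (Option 2) actually took effect on this client.
# Assumption: 64-bit Windows stores the values under Wow6432Node, as the article states.

$settingsKey = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\McAfee\HIP\Config\Settings'
} else {
    'HKLM:\SOFTWARE\McAfee\HIP\Config\Settings'
}
$hipKey = Split-Path (Split-Path $settingsKey -Parent) -Parent   # ...\McAfee\HIP

# Values the article expects after the Option 1 policy is applied.
$expected = [ordered]@{
    Client_LogLevelFw         = 1   # Firewall logging = Debug
    Client_LogLevelIps        = 4   # IPS logging = Debug
    ClientUI_IpsLogViolations = 1   # Log Security Violations enabled
}

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value not present
}

$mismatch = 0
foreach ($name in $expected.Keys) {
    $actual = Get-RegDword -Path $settingsKey -Name $name
    $ok = ($actual -eq $expected[$name])
    if (-not $ok) { $mismatch++ }
    $shown = if ($null -eq $actual) { 'missing' } else { $actual }
    $state = if ($ok) { 'OK' } else { 'MISMATCH' }
    '{0,-28} expected {1}  actual {2,-7} {3}' -f $name, $expected[$name], $shown, $state
}

# Option 2: the verbose-logging switch lives one level up, directly under ...\McAfee\HIP.
$dbg = Get-RegDword -Path $hipKey -Name 'debug_enabled'
if ($null -eq $dbg) { 'debug_enabled: not present (Option 2 verbose logging is off)' }
else { "debug_enabled: $dbg (1 = verbose on, 0 = off)" }

# Confirm that something is actually being written to the log directory since the change.
# Assumption: log file names are not specified in the article, so list any recent file.
$logDir = Join-Path $env:ProgramData 'McAfee\Host Intrusion Prevention'
$cutoff = (Get-Date).AddMinutes(-15)
Get-ChildItem -Path $logDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Select-Object Name, Length, LastWriteTime

exit $mismatch   # non-zero when any Option 1 setting is not at its debug value
```

Run it in an elevated PowerShell session on the client after the agent wakeup call; a non-zero exit code means the policy values have not landed yet.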

Solution

Linux/Solaris operating systems

NOTE: Host IPS for Linux and Solaris debug logging can be changed only with the local commands shown below; it cannot be enabled or disabled via ePO policy.
  1. Log on to the system with root access.
  2. Type the following commands, pressing ENTER after each one:

    /opt/McAfee/hip/hipts logging on
    /opt/McAfee/hip/hipts message all:on

    NOTE: You must type the Host IPS Client UI password after each command. The password is set by the General, Client UI policy, or you can try the default password abcde12345.
  3. To verify that debug logging has been enabled, type the following command and press ENTER:

    /opt/McAfee/hip/hipts status

    NOTES:
    • Logging must be set to ON.
    • All Message types must be set to ON.
