Use the following information to enable Host IPS debug logging on Windows, Linux, and Solaris operating systems.
NOTE: Host IPS Debug logs are written to the following directories (depending on the operating system):
- Windows Vista (and later): C:\ProgramData\McAfee\Host Intrusion Prevention\
- Linux/Solaris: /opt/McAfee/hip/log
Windows operating systems (Options 1 and 2)
Option 1 - Enable debug logging via an ePolicy Orchestrator (ePO) policy (recommended)
NOTE: If you want to duplicate your current Host IPS Client UI policy, modify the duplicate policy to enable Host IPS debug logging, and then assign the duplicate policy to a single system.
1. Log on to the ePO console.
2. Click Menu, Policy, Policy Catalog.
3. Select Host Intrusion Prevention x.x.x General in the Product drop-down list, and Client UI (Windows) in the Category drop-down list.
4. Click Edit Settings under the Actions column for the policy.
5. Click the Troubleshooting tab.
6. Set both Firewall and IPS logging entries to Debug.
7. Select Log Security Violations in the IPS logging field.
8. Click Save.
9. Perform an ePO agent wakeup call to the system.
10. Open the Host IPS Client UI via the McAfee Agent Tray Icon on the client.
    NOTE: You can also access the executable from the following path:
    <Program Files>\McAfee\Host Intrusion Prevention\McAfeeFire.exe
11. Verify that Host IPS debugging is enabled (open the Host IPS Client UI and click HELP, TROUBLESHOOTING):
    Verify that IPS and Firewall logging is set to Debug and that Log Security Violations is enabled. You can also check the following registry values:
32-bit:
HKLM\Software\McAfee\HIP\Config\Settings\
64-bit:
HKLM\Software\Wow6432Node\McAfee\HIP\Config\Settings\
"Client_LogLevelFw"=dword:00000001 (1)
"Client_LogLevelIps"=dword:00000004 (4)
"ClientUI_IpsLogViolations"=dword:00000001 (1)
NOTE: You can also enable debug logging via the local Client UI (without modifying the ePO policy) by following only Steps 10 and 11 above. Logging might be disabled automatically if you close or lock the Host IPS Client UI. We recommend that you enable debug logging only via the policy while troubleshooting an issue, and then disable it when you're finished.
Option 2 - Enable Host IPS debug logging via the local registry using Regedit.exe
Restarting the Host IPS service isn't required. See below for details, and also see KB51517 - Explanation about agent logging and troubleshooting for additional debug options. The steps below are useful if debug logging is required to investigate Host IPS policy enforcement issues (for example, if debug logging isn't correctly being enabled via policy).
CAUTION: This article contains information about opening or modifying the registry.
- The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
- Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see the Microsoft Windows registry information for advanced users article.
- Do not run a REG file that is not confirmed to be a genuine registry import file.
To enable debug logging via Registry:
- Disable the Host IPS module, or if at HIPS 8.0 Update 9 or later, disable the Enable Self Protection option.
- Create a DWORD 'debug_enabled' value under the applicable registry location below:
  32-bit:
  HKLM\Software\McAfee\HIP\
  64-bit:
  HKLM\Software\Wow6432Node\McAfee\HIP\
  A value of decimal 1 turns on verbose debug logging.
  A value of decimal 0 disables logging.
After troubleshooting the issue, disable debug logging via Registry by performing the following steps:
- Disable the Host IPS module, or if at HIPS 8.0 Update 9 or later, disable the Enable Self Protection option.
- Remove the DWORD debug_enabled value.
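The following PowerShell function is an added example (not from the original article and not a vendor tool). It reads the registry values listed under Options 1 and 2 and reports whether debug logging is still on, which helps confirm that it was disabled after troubleshooting. The function name Get-HipDebugState is an assumption; the key paths, value names and expected data are the ones listed above.

```powershell
# Added example: audit the Host IPS debug-logging registry values named in this article.
function Get-HipDebugState {
    # Key paths and value names are taken from the article (Options 1 and 2).
    $roots = @(
        'HKLM:\Software\McAfee\HIP',             # 32-bit
        'HKLM:\Software\Wow6432Node\McAfee\HIP'  # 64-bit
    )
    # Value name -> data the article shows when debug logging is enabled via policy/UI.
    $policyValues = [ordered]@{
        Client_LogLevelFw         = 1
        Client_LogLevelIps        = 4
        ClientUI_IpsLogViolations = 1
    }
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }   # product key absent at this location
        $settingsKey = Join-Path $root 'Config\Settings'
        $settings = Get-ItemProperty -Path $settingsKey -ErrorAction SilentlyContinue
        foreach ($name in $policyValues.Keys) {
            $actual = if ($settings) { $settings.$name } else { $null }
            [pscustomobject]@{
                Key     = $settingsKey
                Value   = $name
                Data    = $actual      # $null means the value is not present
                DebugOn = ($actual -eq $policyValues[$name])
            }
        }
        # Option 2: debug_enabled = 1 turns on verbose logging; 0 or absent means off.
        $dbg = (Get-ItemProperty -Path $root -Name 'debug_enabled' -ErrorAction SilentlyContinue).debug_enabled
        [pscustomobject]@{
            Key     = $root
            Value   = 'debug_enabled'
            Data    = $dbg
            DebugOn = ($dbg -eq 1)
        }
    }
}

$state = @(Get-HipDebugState)
$state | Format-Table -AutoSize
if ($state.Count -eq 0) {
    Write-Output 'No Host IPS registry key found at either location.'
} elseif ($state | Where-Object DebugOn) {
    Write-Warning 'Host IPS debug logging is still enabled; disable it once troubleshooting is finished.'
} else {
    Write-Output 'Host IPS debug logging is off.'
}
```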
Linux/Solaris operating systems
NOTE: Host IPS for Linux debug logging must be modified via local commands shown below; debug logging can't be enabled and disabled via ePO policy.
- Log on to the system with root access.
- Type the following commands, pressing Enter after each one:
/opt/McAfee/hip/hipts logging on
/opt/McAfee/hip/hipts message all:on
NOTE: You must type the Host IPS Client UI password after each command. The password is set by the General, Client UI policy, or you can try the default password abcde12345.
- To verify that debug logging has been enabled, type the following command and press Enter:
/opt/McAfee/hip/hipts status
NOTES:
- Logging must be set to ON.
- All Message types must be set to ON.