Use the following information to enable Host IPS debug logging on Windows, Linux, and Solaris operating systems.

NOTE: Host IPS Debug logs are written to the following directories (depending on the operating system):

• Windows Vista (and later): C:\ProgramData\McAfee\Host Intrusion Prevention\
• Linux/Solaris: /opt/McAfee/hip/log

Contents:

• Enable Host IPS (Windows) debug logging via policy
• Enable Host IPS (Windows) debug logging via registry
• Enable Host IPS (Linux and Solaris) debug logging via hipts command

Windows operating systems (Options 1 and 2)

Option 1 - Enable debug logging via an ePolicy Orchestrator (ePO) policy (recommended)

NOTE: If you want to duplicate your current Host IPS Client UI policy, modify the duplicate policy to enable Host IPS debug logging, and then assign the duplicate policy to a single system.

1. Log on to the ePO console.
2. Click Menu, Policy, Policy Catalog.
3. Select Host Intrusion Prevention x.x.x General in the Product drop-down list, and Client UI (Windows) in the Category drop-down list.
4. Click Edit Settings under the Actions column for the policy.
5. Click the Troubleshooting tab.
6. Set both Firewall and IPS logging entries to Debug.
7. Select Log Security Violations in the IPS logging field.
8. Click Save.
9. Perform an ePO agent wakeup call to the system.
10. Open the Host IPS Client UI via the McAfee Agent Tray Icon on the client.
    
    NOTE: You can also access the executable from the following path:
    
    <Program Files>\McAfee\Host Intrusion Prevention\McAfeeFire.exe
     
11. Verify that Host IPS debugging is enabled (open the Host IPS ClientUI and click HELP, TROUBLESHOOTING):
    
    Verify that IPS and Firewall logging is set to Debug and that Log Security Violations is enabled. You can also check the following registry values:

NOTE: You can also enable debug logging via the local Client UI (without modifying the ePO policy) by following only Steps 10 and 11 above. Logging might be disabled automatically if you close or lock the Host IPS Client UI. We recommend that you enable debug logging only via the policy while troubleshooting an issue, and then disable it when you're finished.

Back to Contents

Option 2 - Enable Host IPS debug logging via the local registry using Regedit.exe 
Restarting the Host IPS service isn't required. See below for details, and also see KB51517 - Explanation about agent logging and troubleshooting for additional debug options. The steps below are useful if debug logging is required to investigate Host IPS policy enforcement issues (for example, if debug logging isn't correctly being enabled via policy).

CAUTION: This article contains information about opening or modifying the registry.

• The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
• Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see the Microsoft Windows registry information for advanced users article.
• Do not run a REG file that is not confirmed to be a genuine registry import file.

1. To enable debug logging via Registry:
   1. Disable the Host IPS module, or if at HIPS 8.0 Update 9 or later, disable the Enable Self Protection option.
   2. Create a DWORD 'debug_enabled' value under the applicable registry location below:

2. After troubleshooting the issue, disable debug logging via Registry by performing the following steps:
   1. Disable the Host IPS module, or if at HIPS 8.0 Update 9 or later, disable the Enable Self Protection option.
   2. Remove the DWORD debug_enabled value.

Back to Contents

Linux/Solaris operating systems

NOTE: Host IPS for Linux debug logging must be modified via local commands shown below; debug logging can't be enabled and disabled via ePO policy.

1. Log on to the system with root access.
2. Type the following commands, pressing Enter after each one:
   
   /opt/McAfee/hip/hipts logging on
   /opt/McAfee/hip/hipts message all:on
   
   NOTE: You must type the Host IPS Client UI password after each command. The password is set by the General, Client UI policy, or you can try the default password abcde12345.

3. To verify that debug logging has been enabled, type the following command and press Enter:
   
   /opt/McAfee/hip/hipts status
   
   NOTES:
   • Logging must be set to ON.
   • All Message types must be set to ON.

Back to Contents