How to enable debug logging for McAfee Agent to troubleshoot Windows
Technical Articles ID:   KB82170
Last Modified:  5/8/2019


Environment

McAfee Agent (MA) 5.x

Microsoft Windows supported operating systems

For details of MA supported environments, see KB51573.

Summary

Technical Support might request debug level log files when troubleshooting an issue. In addition, Technical Support might request McTray debug logging for issues related to the McAfee Tray Icon, or an event trace log (ETL) for an issue with upgrading or uninstalling MA.
 
The registry setting on Windows clients controls the MA log levels. Debug logging produces more log entries when there is an error, which allows for more granularity when diagnosing an issue. Because debug logging generates so many more entries, you must increase the size of the logs to capture the additional information. Use the advice in this article to define a log size large enough to contain all information, and ensure that the logs are written to drives with sufficient space. A larger log file size is better than a smaller one: if the log is too small, you might not capture the relevant data.

MA 5.x differs from previous versions in the following ways:
  • Specific logs that are in use
  • Location of the logs
  • Logging configuration
 
Log descriptions
MA uses the following logs:
  • macmnsvc_<hostname>.log
    The macmnsvc.exe process hosts services including peer-to-peer, relay, SuperAgent, agent wake-up, and SuperAgent wake-up. The macmnsvc_<hostname>.log captures logging related to these functions. In addition, it captures the logging related to message bus broker and operations performed by message bus architecture-based McAfee managed products, for example, Threat Intelligence Exchange and Data Exchange Layer.
     
  • macompatsvc_<hostname>.log
    The macompatsvc.exe service is a compatibility service for masvc. This service is responsible for compatibility of the MA with plug-in and Local Procedure Call (LPC) based managed products. The macompatsvc_<hostname>.log captures the operations performed on plug-in and LPC-based managed products.
     
  • masvc_<hostname>.log
    The masvc.exe service is responsible for property collection, policy enforcement, task scheduling, agent-server communication, and trigger update sessions. The masvc_<hostname>.log captures logging related to these operations.
     
  • McScript.log (not new, carried over from MA 4.x)
    When masvc.exe triggers an update, McScript.exe and McScript_InUser.exe are invoked and responsible for the updater (install/uninstall/update) session. The McScript.log captures detail related to the update session, for example, the repository from which the file is downloaded, file download status, install and uninstall script execution, and update session status details.
     
  • marepomirror_<hostname>.log
    The marepomirror.exe process is responsible for repository mirroring. When the mirror task is invoked, marepomirror_<hostname>.log captures all operations related to mirroring.
Log locations
The logs are stored in the following locations:
  • Windows - C:\ProgramData\McAfee\Common Framework\logs
  • Non-Windows - /var/McAfee/agent/logs
Guidance for enabling debug logging
You must enable the appropriate debug logging before you reproduce an issue. If you enable debug logging for an issue that cannot be reproduced, it does not provide adequate information for troubleshooting. If you are investigating client and server issues, you must enable debug logging on both the client and server before you reproduce the problem. Both are required to successfully capture the additional information required to help investigate the issue.

Solution

To set the MA log level
There are four possible log levels:
  • Disabled - Designates that logging is disabled.
  • Info - Designates informational messages that highlight the progress of the application at coarse-grained level.
  • Debug - Designates fine-grained informational events that are most useful to debug an application.
  • Trace - Designates finer-grained informational events than Debug. This log level is not applicable to McScript.log because it does not have trace logs.
There are two ways to set the log level:
  • Option 1: Set the log level (Debug or Info) in the MA policy using the ePolicy Orchestrator (ePO) console
    If Enable detail logging is set, the log level is set to Debug for all agent logs. If Enable detail logging is not set, the log level is set to Info for all agent logs. You can control the log size and rotation only through the MA policy. They cannot be changed on the local system.
     
    1. Log on to the ePO console.
    2. Click Menu, Policy, Policy Catalog.
    3. Select McAfee Agent from the Product drop-down list.
    4. Select General from the Category drop-down list.
    5. Click the policy that you want to change.
    6. Click the Logging tab.
    7. Select the option Enable detail logging.
    8. If needed, change the Log file size limit (MB) and Roll over count options.
    9. Click Save.
    10. To receive the policy change, send an agent wake-up call to the client.
       
  • Option 2: Set the log level (Disabled, Info, Debug, or Trace) using the maconfig tool from the command line
    The maconfig settings override the settings in the MA policy and are applicable until you restart the MA service. After you restart the MA service, the agent honors the log level set in the MA policy.
     
    Open an administrative command prompt on the local system and use maconfig.exe to enable debug logging:
     
    maconfig.exe -enforce -loglevel n
     
    Example:
     
    maconfig -enforce -loglevel 3
     
    Where n equals one of the following:
      0 - Logging is disabled.
      1 - Log level is set to Info.
      2 - Log level is set to Debug.
      3 - Log level is set to Trace.

To set the McScript debug log level, follow these steps:
CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.
  1. Press Windows+R, type regedit, and press Enter.
  2. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\TVD\Shared Components\Framework\

    NOTE:
    If the system is 32-bit, the path does not include Wow6432Node.
     
  3. Right-click Framework and select New, DWORD 32-bit Value.
  4. In the Name field, type the following:

    dwDebugScript
     
  5. Right-click dwDebugScript and select Modify.
  6. In the Value Data field, type 2 and click OK.

    The log writes the entries as X to confirm that debug is enabled.

Solution

To enable McTray debug logging
Create debug logs for McTray.exe when troubleshooting issues related to the McAfee Tray Icon.
 
NOTE: You must temporarily disable self-protection to make the following changes. You can control self-protection only through the MA policy. It cannot be changed on the local system. Re-enable self-protection after you finish troubleshooting.
  1. Log on to the ePO console.
  2. Click Menu, Policy, Policy Catalog.
  3. Select McAfee Agent from the Product drop-down list.
  4. Select General from the Category drop-down list.
  5. Click the policy that you want to change.
  6. Click the General tab.
  7. Deselect the option Enable self-protection (Windows only).
  8. Click Save.
  9. To receive the policy change, send an agent wake-up call to the client.
  10. Reboot the client system.
To enable debug logging, follow these steps:
CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.
  1. Press Windows+R, type regedit, and click OK.
  2. Navigate to the following key:

    64-bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\Win32_GUI_Support_DLL]
    32-bit: [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Win32_GUI_Support_DLL]
     
  3. Double-click the debug_tracing string value and set Value data to 1.
  4. Close the registry editor.
  5. Restart the McTray.exe process.

NOTES:

  • Debug logging continues until you change the value back to 0. Technical Support recommends that you change the value back after you have collected sufficient logs.
  • Because McTray.exe runs under the logged-on user's profile, it also stores the debug logs under the logged-on user's profile. The Minimum Escalation Requirements (MER) tool does not collect these logs; you must obtain them manually.

McTray log is located in:

  • McAfee Agent 5.5.1 or later:
    C:\Users\<username>\AppData\Local\Temp\McAfeeLogs
     
  • McAfee Agent 5.0.x: 
    C:\Users\<username>\AppData\Roaming\McAfee\Common Framework\DB\Support DLL\DebugTraceFile 

NOTE: A separate log file is created for each new instance of McTray, with up to 20 historical files, plus one file for the currently active log. Each log file is dynamically pruned at runtime to 2 MB in length, until debug logging is turned off.
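
The two registry procedures above (dwDebugScript for McScript and debug_tracing for McTray) can be scripted and checked from an elevated PowerShell prompt. The following is an added example, not McAfee code: the function names and the backup directory are assumptions, and it only reports the flags' state rather than turning them back off.

```powershell
# Added example, not McAfee code. Key paths, value names and "on" values are the
# ones in this article; function and variable names are illustrative.
$MaDebugFlags = @(
    @{ Log = 'McScript'; Key = 'SOFTWARE\Network Associates\TVD\Shared Components\Framework'
       Value = 'dwDebugScript'; Kind = 'DWord'; On = 2; Create = $true },
    @{ Log = 'McTray'; Key = 'SOFTWARE\McAfee\Win32_GUI_Support_DLL'
       Value = 'debug_tracing'; Kind = 'String'; On = '1'; Create = $false }
)

function Open-MaKey([string]$Key, [bool]$Writable) {
    # The 32-bit registry view is Wow6432Node on 64-bit Windows and plain SOFTWARE
    # on 32-bit Windows, so one code path covers both key locations in the article.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry32)
    $hklm.OpenSubKey($Key, $Writable)
}

function Get-MaDebugState {
    # Audit: report whether either debug flag is still switched on.
    foreach ($f in $MaDebugFlags) {
        $k = Open-MaKey $f.Key $false
        $cur = if ($k) { $k.GetValue($f.Value); $k.Close() }
        [pscustomobject]@{ Log = $f.Log; Value = $f.Value; Current = $cur
                           DebugOn = ($null -ne $cur -and "$cur" -eq "$($f.On)") }
    }
}

function Enable-MaDebugLog {
    param([ValidateSet('McScript', 'McTray')][string]$Log, [string]$BackupDir = $env:TEMP)
    $f = $MaDebugFlags | Where-Object { $_.Log -eq $Log }
    # Back up the key first, as the article's CAUTION advises (/reg:32 = same view).
    $bak = Join-Path $BackupDir ('{0}-{1:yyyyMMddHHmmss}.reg' -f $Log, (Get-Date))
    & reg.exe export "HKLM\$($f.Key)" $bak /y /reg:32 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKLM\$($f.Key) failed; nothing changed." }
    # Opening for write throws without elevation; the article also requires
    # self-protection to be off before the McTray key is changed.
    $k = Open-MaKey $f.Key $true
    try {
        if (-not $f.Create -and $null -eq $k.GetValue($f.Value)) {
            throw "$($f.Value) not found; the article expects it to exist already."
        }
        $k.SetValue($f.Value, $f.On, [Microsoft.Win32.RegistryValueKind]$f.Kind)
    } finally { $k.Close() }
    $bak  # path of the .reg backup
}

# Get-MaDebugState                   # read-only check of both flags
# Enable-MaDebugLog -Log McScript    # then reproduce the issue
# Enable-MaDebugLog -Log McTray      # then restart McTray.exe (step 5)
```

Get-MaDebugState makes no changes, so it can be run after troubleshooting to confirm that debug_tracing is back at 0.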

Solution

To collect an event trace log (ETL)
For an issue with upgrading or uninstalling McAfee Agent, collect an ETL:
  1. Download and extract the file ETLTrace*.zip from the Attachment section of this article.
  2. Press Windows+R, type cmd, and click OK.
  3. Navigate to the directory to which you extracted ETLTrace*.zip.
  4. Run the following command:
     
    EtlTrace.exe -Start
     
  5. Reproduce the issue.
  6. Return to the command prompt and run the following command: EtlTrace.exe -Stop
  7. If you need to collect binary file versions, run the following command: EtlTrace.exe -GetVer
  8. Gather the following files:
    • EtlTrace.log
    • Syscore.etl

Attachment

EtlTrace_18.9.zip