Troubleshooting using Log Files
Below are some common issues associated with ePO and their related log files.
Agent Log Files Overview
There are four common types of issues seen when troubleshooting various agent issues and failures:
Agent Installation
Agent-to-Server Communication
Policy Enforcement
Policy Updating
Review the appropriate log files for the version of Trellix Agent running in the customer environment, as shown in the chart below.
Agent Troubleshooting Log Files
The following tables provide troubleshooting details on how to read log files related to basic agent installation issues and failures.
Agent Installation Issues / Failures
Required Log Files
Default Location
Description
How to read this log
MfeAgent.MSI<DATE>.log
%temp%\McAfeeLogs
Contains details about the MSI installation of the agent.
Search from the top down for the phrase "value 2" or "value 3".
If found, the failure message will be just above this location.
FrmInst_<SystemName>.log
%temp%\McAfeeLogs
Generated when FrmInst.exe is used to install the Trellix Agent. This file contains:
Informational messages
Progress messages
Failure messages if installation fails
Scroll to the bottom of the log and work up for any instance of failed or error.
Agent-to-Server Communication Issues / Failures
For information on troubleshooting agent-server communication failures in Trellix Agent 5.x, see KB90603.
Required Log Files
Default Location
Description
How to read this log
Masvc_<SystemName>.log
ProgramData\McAfee\Agent\log
Primary agent log for MA 5.x
Generated on client systems when the server deploys an agent to them. This file contains details related to:
Agent-to-server communication
Policy enforcement
Other agent tasks
Start from the bottom and search upward for the phrase: Agent started performing ASCI.
Then follow the log activity downward to review details of the agent-to-server communication attempt or any failures.
Policy Enforcement / Policy Updating Issues / Failures
Required Log Files
Default Location
Description
How to read this log
Masvc_<SystemName>.log
ProgramData\McAfee\Agent\log
Primary agent log for TA 5.x
Generated on client systems when the server deploys an agent to them. This file contains details related to:
Agent-to-server communication
Policy enforcement
Other agent tasks
Start from the bottom and search upward for the phrase: Agent started performing ASCI.
Then follow the log activity downward to review details of the policy enforcement attempt or any failures.
Macompatsvc_<SystemName>.log
ProgramData\McAfee\Agent\log
Primary log on local system for TA 5.x
Contains details about policy updating, enforcement, and task information. Detailed logging can be enabled in the Trellix Agent > General policy under the Logging tab in ePO. Note: Detailed logging information for policy updating and product deployment can be found in McScript.log in the same folder.
Scroll to the bottom and look upward for any of the following for general details on policy and/or task enforcement on the local system:
Task
Policy
Enforcement
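The bottom-up search for "Agent started performing ASCI" followed by reading downward, as described for Masvc_<SystemName>.log in the two tables above, as an added Python example that is not part of the original page. The "timestamp  type  message" line layout and the sample lines are constructed assumptions.

```python
import re

# Constructed sample of Masvc_<SystemName>.log lines (not a real log). The
# "timestamp  type  message" layout is an assumption made for this example.
SAMPLE_MASVC_LOG = """\
2024-03-01 09:00:01 I  Agent started performing ASCI
2024-03-01 09:00:02 I  Connecting to server epo.example.internal:443
2024-03-01 09:00:03 I  ASCI completed successfully
2024-03-01 09:15:01 I  Agent started performing ASCI
2024-03-01 09:15:02 I  Connecting to server epo.example.internal:443
2024-03-01 09:15:10 E  Failed to connect to server: connection timed out
2024-03-01 09:15:11 E  ASCI failed, will retry at next interval
"""

ASCI_START = "Agent started performing ASCI"
FAILURE_WORDS = re.compile(r"\b(error|failed)\b", re.IGNORECASE)


def last_asci_attempt(log_text):
    """Return the lines of the most recent ASCI attempt.

    Mirrors the page's reading order: start at the bottom of the log and
    search upward for the ASCI start marker, then read downward from it.
    """
    lines = log_text.splitlines()
    for idx in range(len(lines) - 1, -1, -1):
        if ASCI_START in lines[idx]:
            return lines[idx:]
    return []  # no ASCI attempt recorded at all


def asci_failures(log_text):
    """Failure lines ('error'/'failed') within the most recent ASCI attempt."""
    return [ln for ln in last_asci_attempt(log_text) if FAILURE_WORDS.search(ln)]


def summarize_last_asci(log_text):
    """'ok', 'failed' or 'no-attempt' for the most recent ASCI attempt."""
    attempt = last_asci_attempt(log_text)
    if not attempt:
        return "no-attempt"
    return "failed" if asci_failures(log_text) else "ok"


if __name__ == "__main__":
    for line in last_asci_attempt(SAMPLE_MASVC_LOG):
        print(line)
    print("result:", summarize_last_asci(SAMPLE_MASVC_LOG))
```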
Installer Log Files Overview
The next main type of logs collected to help troubleshoot issues are associated to the ePO Installer.
The following chart provides an overview of the various types of Installer specific log files needed for troubleshooting issues and failures with:
ePO Installations and Upgrades
Agent Handler Installations and Upgrades
Troubleshooting Installation / Upgrade Issues
For installer issues, a MER or zip containing the entire McAfeeLogs folder is required to troubleshoot these types of issues.
Steps for Troubleshooting Installation/Upgrade Failures
For detailed installer logging, run the installer in debug mode using DEBUGOUTPUT=2 (the highest output level needed for troubleshooting).
At the time of failure, the installer will pause.
Collect all logs at this point. IMPORTANT: During an installation failure, the installer copies all necessary files and folders to the user's EPO5XX-TROUBLESHOOT folder, which is located in the %temp%\McAfeeLogs folder by default, so that the MERTool can find them. If the MERTool is not run under the same user account that the failed installation was run under, it will not collect the install logs.
Examine the install logs at the time of installation failure to locate probable causes.
Once the time of the error is established, locate the orion.log and examine it to gather additional failure information.
Notes:
Log Level 8 debug logging settings (KB56207) are applicable to the Server.log, ePOApSvr.log, and Eventparser.log files.
See KB52369 for details on enabling debug logging for the Orion.log.
ePO 5.x Installer Log Files and Locations
The installer log files contain details about the ePO installation process including:
Actions taken by specific components
Administrator services used by the server
Success and failure of critical processes
The ePO installer logs can be found in the logged-on user's temp directory, under a folder called McAfeeLogs. Click Start, Run, type %temp%\McAfeeLogs into the blank field, and click OK.
In the McAfeeLogs folder:
ePO5xx-CommonSetup.Log
ePO5xx-Install-MSI.log
ePO5xx-Debug.Ini
ePO5xx-Error.Ini
All files in the following folders:
McAfeeLogs\EPO5XX-Troubleshoot\MFS
McAfeeLogs\EPO5XX-Troubleshoot\Mercury Framework
McAfeeLogs\EPO5XX-Troubleshoot\OutputFiles
Installation / Upgrade Troubleshooting Log Files
The following files are used to help troubleshoot ePO installation & upgrade issues:
EPO5xx-Install-MSI.log
epo-install.log
epoST.err
core-install.log
core-upgrade.log
EPO5xx-Checkin-Failure.log
<ExtensionFileName>.err
EPO5xx-CommonSetup.log
<ExtensionFileName>.cmd
Required Log Files
Default Location
Description
How to read this log
EPO5xx-Install-MSI.log
%temp%\McAfeeLogs
Example: EPO5xx-Install-MSI.log
The primary ePO installation log. Contains installation details such as installer actions and installation failures.
TIP: Start from the top and search downward for the phrase value 3 or value 2.
The failure message should display above the value message.
If no value entry displays, no error has been recorded.
epo-install.log
%temp%\McAfeeLogs\ePO5xx-Troubleshoot\MercuryFramework
Example: epo-install.log
Created when the ePO installer calls the ePO ANT installer, which copies and updates the Apache .conf files with the correct paths and ports.
TIP 1: Look for 'BUILD SUCCESSFUL' at the end. This task rarely fails and is not generally useful.
TIP 2: Scroll to the bottom of the log and search upward for the first instance of error or failed.
Any failure message should indicate why the installation failed.
epoST.err
<InstallLogs>\EPO5xx-Troubleshoot\OutputFiles
This is the error output from the ext.install remote command that installs or upgrades the bulk of the ePO extensions.
Note: If this file exists, then there were error(s), which will be logged to it.
This is probably the first place to look for errors, as this is the step that seems to fail most frequently (from case escalation reviews).
Generally, errors here require changes in the extensions themselves for resolution.
Core-install.log
%temp%\McAfeeLogs\ePO5xx-Troubleshoot\MFS
Generated when ePO installer calls the MFS ANT installer. Provides information on:
Creation of server database tables
Installation of server components
Note: This file is deleted if the installation succeeds.
TIP 1: Look for BUILD SUCCESSFUL at the end. If it isn't there, then there was a failure executing the MFS install ANT task.
TIP 2: Look for BUILD FAILED. The failure message will be listed just below that.
Core-upgrade.log (UPGRADE only)
%temp%\McAfeeLogs\EPO5xx-Troubleshoot\MFS
Example: core-upgrade.log
Generated when ePO installer calls the MFS ANT installer. Provides information on:
Creation of server database tables
Installation of server components
Note: This file is deleted if the installation succeeds.
TIP 1: Look for BUILD SUCCESSFUL at the end. If it isn't there, then there was a failure executing the MFS install ANT task.
TIP 2: Look for BUILD FAILED. The failure message will be listed just below that.
<ExtensionFileName>.err
%temp%\McAfeeLogs\EPO5xx-Troubleshoot\OutputFiles
This is the output file of the ext.migrate remote command used to check in <extension>.zip.
TIP: If the check-in was successful, this file will be empty. Otherwise, error details will be contained.
EPO5xx-CommonSetup.log
%temp%\McAfeeLogs
Example: EPO5xx-CommonSetup.log
Contains ePO installer details such as:
Custom Action logging
SQL, DTS (Microsoft Data Transformation Services), and service-related calls
Registering and unregistering DLLs
Files and folders selected for deletion at restart
TIP: Scroll to the bottom of the log and search upward for the first instance of error or failed.
<ExtensionFileName>.cmd
%temp%\McAfeeLogs\ePO5xx-Troubleshoot\OutputFiles
Created by the ePO installer. Contains the command (sent to Remote-Client) to check in extensions.
Note: These files are deleted if the installation succeeds.
TIP: These files contain http commands that are run as part of the installation. Typically, you can attempt to manually execute these commands outside of the installation or upgrade.
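The TIP checks from the table above applied over a set of collected installer files: BUILD SUCCESSFUL / BUILD FAILED with the message just below for the ANT logs, an empty <ExtensionFileName>.err meaning a successful check-in, and epoST.err existing at all meaning errors. This is an added Python example, not code from the page or from ePO; the file contents are constructed.

```python
# Constructed samples of the installer output files listed above (not real
# logs). Keys are the page's file names; the contents are assumptions.
SAMPLE_TROUBLESHOOT_FILES = {
    "core-install.log": (
        "create-tables:\n"
        "     [sql] Executing resource: create_tables.sql\n"
        "BUILD FAILED\n"
        "Login failed for user 'epo_user'.\n"
        "Total time: 4 seconds\n"
    ),
    "epo-install.log": (
        "copy-conf:\n"
        "     [copy] Copying 3 files to Apache2\\conf\n"
        "BUILD SUCCESSFUL\n"
        "Total time: 1 second\n"
    ),
    "epoST.err": "Extension example-ext: dependency check failed\n",
    "example-ext.err": "",
}

ANT_LOGS = ("core-install.log", "core-upgrade.log", "epo-install.log")


def ant_build_status(text):
    """TIP 1 / TIP 2 for the ANT logs: BUILD SUCCESSFUL at the end means the
    task completed; on BUILD FAILED the failure message is the line just below."""
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        if ln == "BUILD FAILED":
            below = lines[i + 1] if i + 1 < len(lines) else ""
            return ("failed", below)
    if "BUILD SUCCESSFUL" in lines:
        return ("ok", "")
    return ("incomplete", "")  # neither marker: the ANT task never finished


def err_file_status(name, text):
    """.err files: epoST.err existing at all means ext.install logged errors;
    an <extension>.err file is empty when that check-in succeeded."""
    if name == "epoST.err":
        return ("errors", text.strip())
    return ("errors", text.strip()) if text.strip() else ("ok", "")


def triage(files):
    """Apply the page's checks to a {filename: contents} mapping and return
    {filename: (status, detail)}; files the page does not describe are skipped."""
    report = {}
    for name, text in files.items():
        if name.endswith(".err"):
            report[name] = err_file_status(name, text)
        elif name in ANT_LOGS:
            report[name] = ant_build_status(text)
    return report


def first_failure(files):
    """Name and detail of the first failing file, checking epoST.err first
    since the page notes it is the step that fails most often."""
    report = triage(files)
    ordered = sorted(report, key=lambda n: (n != "epoST.err", n))
    for name in ordered:
        if report[name][0] in ("failed", "errors"):
            return (name, report[name][1])
    return None
```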
Agent Handler Installation Issues / Failures
When troubleshooting Agent Handler installations, start by gathering and reviewing the AH5xx-ahsetupdll.log and AH5xx-Install-MSI.log files. These files contain all of the information about the install, including what the installer is doing and any failure information. They are the main files needed for troubleshooting Agent Handler installation failures.
Required Log Files
Default Location
Description
How to read this log
AH5xx-Install-MSI.log
%temp%\McAfeeLogs
Logs all Agent Handler installation details, such as:
Installer actions
Installation failures
TIP 1: Start from the top and search downward for the phrase value 3 or value 2. The failure message should display above the value message.
TIP 2: Search from the bottom of the file for aborted.
EPO5xx-Checkin-Failure.log
%temp%\McAfeeLogs
Only generated when ePO installer fails to check in any of these package types:
Extensions
Plug-ins
Deployment packages
Agent packages
Note: Failure to check in the extensions is not considered fatal and will not trigger the installer to rollback.
TIP 1: Check the error log files (<extension>.err) for the individual extensions for further details.
TIP 2: Scroll to the bottom of the log and search upward for the first instance of error or failed.
AH5xx-ahsetupdll.log
%temp%\McAfeeLogs
This file is used to log information and errors that occur when using the helper functions.
Example helper functions:
Create Certificates
Replace Apache tokens
Check database credentials
TIP: This log is pretty short. Look for any instance of error or failed.
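The MSI log reading order given for MfeAgent.MSI<DATE>.log, EPO5xx-Install-MSI.log and AH5xx-Install-MSI.log above (top-down search for value 2 / value 3, failure message just above it), plus the bottom-up keyword search used for aborted in the AH MSI log and for failed/error in FrmInst_<SystemName>.log, as an added Python example that is not part of the original page. The MSI excerpt is constructed.

```python
import re

# Constructed excerpt of an MSI verbose log (not a real log) used as input.
SAMPLE_MSI_LOG = """\
MSI (s) (A4:B8) [10:22:15:120]: Doing action: InstallServices
Action start 10:22:15: InstallServices.
Error 1920. Service 'Trellix Agent Service' (masvc) failed to start.
Action ended 10:22:16: InstallServices. Return value 3.
MSI (s) (A4:B8) [10:22:16:300]: Product: Trellix Agent -- Installation operation failed.
Action ended 10:22:16: INSTALL. Return value 3.
MSI (s) (A4:B8) [10:22:17:010]: Installation aborted, rolling back.
"""

RETURN_VALUE = re.compile(r"\bvalue ([23])\b")  # MSI: 2 = user cancel, 3 = fatal error


def find_msi_failure(text, context=3):
    """Top-down search for the first 'value 2' / 'value 3'; returns the return
    value, the 1-based line number and the lines just above it, which is where
    the page says the failure message is found. None means no value 2/3 entry,
    i.e. no error was recorded."""
    lines = text.splitlines()
    for i, ln in enumerate(lines):
        m = RETURN_VALUE.search(ln)
        if m:
            return {"value": int(m.group(1)), "line": i + 1,
                    "above": lines[max(0, i - context):i]}
    return None


def last_match_from_bottom(text, words):
    """Bottom-up search for the most recent line containing any of the given
    words (case-insensitive, whole word); None if absent."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, words)) + r")\b", re.I)
    for ln in reversed(text.splitlines()):
        if pattern.search(ln):
            return ln
    return None


if __name__ == "__main__":
    hit = find_msi_failure(SAMPLE_MSI_LOG)
    print("return value", hit["value"], "at line", hit["line"])
    print("\n".join(hit["above"]))
    print("last aborted line:", last_match_from_bottom(SAMPLE_MSI_LOG, ["aborted"]))
```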
Message Types and Descriptions
Message Type
Description
Logging Level
e (error)
User error message
1
w (warning)
User warning message
2
i (information)
User information message
3
x (extended data)
User extended information message
4
E (error)
Debug error message
5
W (warning)
Debug warning message
6
I (information)
Debug information message
7
X (extended data)
Debug extended information message
8
Server Log Files Overview
The next main type of logs collected for ePO are log files specific to Server functionality.
The following is an overview of the various types of server specific log files needed for troubleshooting issues & failures with:
Server Tasks (like Software Catalog, AD Synchronization & Key Management)
Repository Actions (like Pulls & Replications)
Console Logins (like password management)
Event Parser (like events not being processed)
SQL Connections (like TCP/IP connectivity)
The server log files contain the most detail about ePO server functionality. Issues seen in the associated server functions need to be addressed quickly so that server and product performance are not affected.
Server Tasks Issues / Failures
The Orion.log file is one of the most commonly used log files. It is mainly used to troubleshoot console, browser, Tomcat, MFS, and Java type issues.
The second log file to use when troubleshooting Server Task type issues is epoApSvr.log. This file logs details for Server Task issues such as:
Repository Pulls
Repository Replications
Software Catalog actions
Key Management
LDAP functions
AD Synchronization
Required Log Files
Default Location
Description
How to read this log
Orion.log
<Install_Dir>\Server\Logs
Example: Orion.log
The main application server log:
TOMCAT
MF
Console
Browser
JAVA
Four levels of Severity. Ex: [2015-01-30 19:25:00,230 ERROR ...]
ERROR
INFO
DEBUG
WARN
TIP1: When reading the log, the date/timestamp along with the severity code and thread # are very important. This is so you can correlate / compare messages back & forth from the orion.log and epoApSvr.log.
Issue troubleshooting flow would be:
Review orion.log.
Gather info (date/time stamp, severity code, thread #)
Review epoApSvr.log following the info gathered in Step 2.
Go back to orion.log and continue reviewing.
TIP2: Server Tasks will have 'scheduler' as prefix. Ex: [scheduler-TaskQueueEngine-thread-1]
TIP3: Thread name is very important. All UI traffic starts with HTTP. Ex: [http-bio-8444-exec-8]
epoApSvr.log
<Install_Dir>\DB\Logs
Example: epoApSvr.log
This is the log for the C++ code that is called from Java (console).
Provides details for:
Repository Pull
Repository Replication
Software Catalog
Key Management
LDAP
AD Synchronization
Note: When in doubt, always check this log.
TIP: When reading the log, the date/timestamp along with the associated code and thread # are very important.
You would use the date/timestamp and thread # to follow specific interactions for that thread.
See Message Types for message description details.
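The correlation flow in TIP1 to TIP3 above (timestamp, severity and thread name from Orion.log, then the epoApSvr.log entries logged around the same time), as an added Python example that is not the page's or ePO's own code. The Orion.log regex follows the page's bracketed example and thread names; the epoApSvr.log column layout and both log samples are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed Orion.log line layout (log4j style, following the page's bracketed
# example and thread names): YYYY-MM-DD HH:MM:SS,mmm LEVEL [thread] logger - message
ORION_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3})\s+"
    r"(?P<level>ERROR|WARN|INFO|DEBUG)\s+\[(?P<thread>[^\]]+)\]\s+(?P<msg>.*)$")

# Constructed Orion.log sample (not a real log).
SAMPLE_ORION = """\
2015-01-30 19:24:58,010 INFO  [scheduler-TaskQueueEngine-thread-1] com.mcafee.orion.task - Starting task Repository Pull
2015-01-30 19:25:00,230 ERROR [scheduler-TaskQueueEngine-thread-1] com.mcafee.orion.task - Task Repository Pull failed
2015-01-30 19:25:01,500 INFO  [http-bio-8444-exec-8] com.mcafee.orion.ui - User admin opened Server Task Log
"""

# Constructed epoApSvr.log sample; its "date time <type> #<thread> <module> <message>" layout is an assumption.
SAMPLE_EPOAPSVR = """\
2015-01-30 19:24:59 I #2140 PULL Connecting to source site McAfeeHttp
2015-01-30 19:25:00 E #2140 PULL Failed to download catalog.z: HTTP 407
2015-01-30 19:31:12 I #2204 LDAP Bind to dc01 succeeded
"""


def parse_orion(text):
    """Step 2 of the flow: timestamp, severity and thread from each Orion.log line."""
    out = []
    for ln in text.splitlines():
        m = ORION_LINE.match(ln)
        if m:  # unparsed lines (stack traces etc.) are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S") + timedelta(milliseconds=int(m["ms"]))
            out.append({"ts": ts, "level": m["level"], "thread": m["thread"], "msg": m["msg"]})
    return out


def thread_origin(thread):
    """TIP2/TIP3: 'scheduler' prefix = server task thread, 'http' prefix = console UI traffic."""
    if thread.startswith("scheduler"):
        return "server-task"
    if thread.startswith("http"):
        return "ui"
    return "other"


def parse_epoapsvr(text):
    out = []
    for ln in text.splitlines():
        parts = ln.split(" ", 5)
        if len(parts) == 6:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            out.append({"ts": ts, "type": parts[2], "thread": parts[3], "module": parts[4], "msg": parts[5]})
    return out


def correlate(orion_text, apsvr_text, window_seconds=2):
    """Step 3 of the flow: for each Orion.log ERROR, pull the epoApSvr.log entries within +/- window_seconds."""
    apsvr = parse_epoapsvr(apsvr_text)
    window = timedelta(seconds=window_seconds)
    result = []
    for entry in parse_orion(orion_text):
        if entry["level"] != "ERROR":
            continue
        near = [a for a in apsvr if abs(a["ts"] - entry["ts"]) <= window]
        result.append({"orion": entry, "origin": thread_origin(entry["thread"]), "epoapsvr": near})
    return result
```

The same reading order applies wherever the Orion.log row is repeated in the later sections of this page.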
Repository Action Issues / Failures (Pull/Replications)
The main log file used when troubleshooting Repository Action type issues and failures is the epoApSvr.log file.
The Replication.log file is the main log where specific ePO server replication information is logged. However, this file is only generated when all of the following are true:
Distributed Repositories are present
Replication task has been configured and ran (either successfully or not)
Required Log Files
Default Location
Description
How to read this log
epoApSvr.log
<Install_Dir>\DB\Logs
Example: epoApSvr.log
This is the main log for the C++ code that is called from Java (console).
Provides details for:
Repository Pull
Repository Replication
Software Catalog
Key Management
LDAP
AD Synchronization
Note: When in doubt, always check this log.
TIP: When reading the log, the date/timestamp along with the associated code and thread # are very important.
You would use the date/timestamp and thread # to follow specific interactions for that thread.
See Message Types for message description details.
Replication.log
<Install_Dir>\DB\Logs
Example: Replication.log
This is the main ePO server replication log file.
This file is only generated when all of the following are true:
There are Distributed Repositories
A Replication task has been configured.
A Replication task has run.
TIP: When reading this log, identify any errors and correct them as the messages indicate.
Task completions for Repository replications and other replication related details are logged here.
Orion.log
<Install_Dir>\Server\Logs
Example: Orion.log
The main application server log:
TOMCAT
MF
Console
Browser
JAVA
Four levels of Severity. Ex: [2015-01-30 19:25:00,230 ERROR ...]
ERROR
INFO
DEBUG
WARN
TIP1: When reading the log, the date/timestamp along with the severity code and thread # are very important. This is so you can correlate / compare messages back and forth from the orion.log and epoApSvr.log.
Issue troubleshooting flow would be:
Review orion.log.
Gather info (date/time stamp, severity code, thread #)
Review epoApSvr.log following the info gathered in Step 2.
Go back to orion.log and continue reviewing.
TIP2: Server Tasks will have 'scheduler' as prefix. Ex: [scheduler-TaskQueueEngine-thread-1]
TIP3: Thread name is very important. All UI traffic starts with HTTP. Ex: [http-bio-8444-exec-8]
Console Login Issues / Failures
The Orion.log file is the main log to review when initially troubleshooting ePO console login issues and failures.
Required Log Files
Default Location
Description
How to read this log
Orion.log
<Install_Dir>\Server\Logs
Example: Orion.log
The main application server log:
TOMCAT
MF
Console
Browser
JAVA
Four levels of Severity. Ex: [2015-01-30 19:25:00,230 ERROR ...]
ERROR
INFO
DEBUG
WARN
TIP1: When reading the log, the most recent information is logged at the bottom of the file.
Issue troubleshooting flow would be:
Review orion.log.
Scroll to the bottom of the file.
Search for Failed to login entries.
Event Parser Issues / Failures
The main log to use for troubleshooting issues and failures with the Event Parser is aptly called Eventparser.log.
This file logs successes as well as failures when processing events after they are sent from the agents to the ePO server. Once the Agent Handler has received an event, an entry for that event is logged in Server.log and the event is written to the file system.
Required Log Files
Default Location
Description
How to read this log
Eventparser.log
<Install_Dir>\DB\Logs
Example: Eventparser.log
Contains ePO event parser services details, such as product event parsing success or failure.
Events are sent by the agent, then received in the Agent Handler by the Apache process, which makes a note in the Server.log, and writes them to the file system.
The EventParser (a separate process in the Agent Handler) then picks up the events from the disk and writes them to the database.
Displayed event entries contain:
Date
Message Type
Success/Failure
Message w/ action detail
Event processing type messages will also display in Server.log as: "Received [Event] from <SystemName>"
TIP: Start from the top and search downward for Succeeded or Failed.
If Failed found, a failure message will be just below this location. Search the KB for this error.
Basic types of Events:
<UpdateEvents> - Product events
<EPOEvent> - Threat events
SQL Connection Issues / Failures
The log files used when troubleshooting SQL Connection issues and failures are:
Orion.log
epoApSvr.log
Server.log
Required Log Files
Default Location
Description
How to read this log
Orion.log
<Install_Dir>\Server\Logs
Example: Orion.log
The main application server log:
TOMCAT
MF
Console
Browser
JAVA
Four levels of Severity. Ex: [2015-01-30 19:25:00,230 ERROR ...]
ERROR
INFO
DEBUG
WARN
TIP1: When reading the log, the date/timestamp along with the severity code and thread # are very important. This is so you can correlate / compare messages back and forth from the orion.log and epoApSvr.log.
Issue troubleshooting flow would be:
Review orion.log.
Gather info (date/time stamp, severity code, thread #)
Review epoApSvr.log following the info gathered in Step 2.
Go back to orion.log and continue reviewing.
TIP2: Server Tasks will have 'scheduler' as prefix. Ex: [scheduler-TaskQueueEngine-thread-1]
TIP3: Thread name is very important. All UI traffic starts with HTTP. Ex: [http-bio-8444-exec-8]
epoApSvr.log
<Install_Dir>\DB\Logs
Example: epoApSvr.log
This is the log for the C++ code that is called from Java (console).
Provides details for:
Repository Pull
Repository Replication
Software Catalog
Key Management
LDAP
AD Synchronization
Note: When in doubt, always check this log.
TIP: When reading the log, the date/timestamp along with the associated code and thread # are very important.
You would use the date/timestamp and thread # to follow specific interactions for that thread.
See Message Types for message description details.
Server.log
<Install_Dir>\DB\Logs
Example: Server.log
Contains details related to and is the main log for the following:
Agent-server communications
Agent deployment
Agent Wake-Up
Policy Compilation
Tasks
Manifest request
Event receiving
ePO Server Agent Handler
Provides the following:
Date and Time
Message Type - See Message Types for details
Thread number - Very important to 'pull out' all related messages for one ASCI (Agent-to-Server Communication)
Module - The module name can give a hint of what part of the code may be having issues
Message - X messages will contain the exact line number and .cpp file
Review any errors related to initialization.
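The Message Types table and the Server.log fields listed above (date/time, message type, thread number, module, message) worked through in code: mapping the type letter to its logging level, filtering by level, and pulling out every message for one ASCI by thread number. This is an added Python example, not code from the page or from ePO; it assumes a space-separated column layout, constructed sample lines, and that logging level N records every message type numbered N or lower.

```python
# Message type letters from the page's Message Types table, with their
# description and logging level (1-8).
MESSAGE_TYPES = {
    "e": ("user error", 1), "w": ("user warning", 2),
    "i": ("user information", 3), "x": ("user extended data", 4),
    "E": ("debug error", 5), "W": ("debug warning", 6),
    "I": ("debug information", 7), "X": ("debug extended data", 8),
}

# Constructed Server.log sample (not a real log). The space-separated
# "<timestamp> <type> #<thread> <module> <message>" layout is an assumption.
SAMPLE_SERVER_LOG = """\
20150130192500 I #4120 NAIMSERV Received [ASCI] from ws-finance-07
20150130192500 I #4120 NAIMSERV Compiling policies for ws-finance-07
20150130192501 I #4133 NAIMSERV Received [Event] from ws-hr-02
20150130192501 X #4120 POLICY policy.cpp:812 policy cache miss for ws-finance-07
20150130192502 E #4120 NAIMSERV Failed to build manifest for ws-finance-07
20150130192502 e #4120 NAIMSERV Agent communication with ws-finance-07 ended with errors
"""


def parse_server_log(text):
    """Split each line into the fields the page lists: date/time, message type,
    thread number, module and message. Lines outside the layout are skipped."""
    entries = []
    for ln in text.splitlines():
        parts = ln.split(" ", 4)
        if len(parts) != 5 or parts[1] not in MESSAGE_TYPES:
            continue
        desc, level = MESSAGE_TYPES[parts[1]]
        entries.append({"ts": parts[0], "type": parts[1], "level": level,
                        "description": desc, "thread": parts[2],
                        "module": parts[3], "msg": parts[4]})
    return entries


def at_log_level(entries, log_level):
    """Entries that would be written at the given server log level, assuming
    level N records every message type numbered N or lower (level 8 = all)."""
    return [e for e in entries if e["level"] <= log_level]


def asci_for_system(entries, system_name):
    """Pull out one ASCI: find the thread that logged 'Received [ASCI] from
    <system>' and return every entry written on that thread number."""
    marker = "Received [ASCI] from " + system_name
    thread = next((e["thread"] for e in entries if marker in e["msg"]), None)
    if thread is None:
        return []
    return [e for e in entries if e["thread"] == thread]


def errors_in(entries):
    """User (e) and debug (E) error messages, in log order."""
    return [e for e in entries if e["type"] in ("e", "E")]
```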
Policy Updating Issues / Failures
The following table provides troubleshooting details on how to read basic policy updating issues and failures.
Required Log Files
Default Location
Description
How to read this log
<AgentGUID>_<Timestamp>_Server.xml
<Install_Dir>\DB\Debug
Contains details about policy updating issues. To enable this file:
Click Start, Run, type regedit and click OK.
Navigate to: HKLM\Software\Network Associates\ePolicy Orchestrator\
Create the DWORD SaveAgentPolicy and set the Value to 1.
Restart the ePolicy Orchestrator 5.x.x Server service.
In the DB\Debug folder, an XML file is created named <agent_guid>_manifest for each client that retrieves a new policy.
This is then used to determine what policy settings are being sent from the ePO server.
Note: This setting should NEVER be left on as this will generate a file for each client communication where policies are sent down.