Debug log files

The Enforce Server and the detection servers store debug log files in the c:\ProgramData\Symantec\DataLossPrevention\<Enforce Server or Detection Server>\15.8.00000\logs\ directory on Windows installations and in the /var/log/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/15.8.00000/ directory on Linux installations. A number at the end of the log file name indicates the count (shown as 0 in debug log files).
The following table lists and describes the Symantec Data Loss Prevention debug log files.
Table: Debug log files (log file name, description, server)
Aggregator0.log
This file describes communications between the detection server and the agents. Look at this log to troubleshoot the following problems:
  • Connection to the agents
  • Incidents that do not appear when they should
  • Unexpected agent events
Server: Endpoint detection servers
BoxMonitor0.log
This file is typically very small, and it shows how the application processes are running. The BoxMonitor process oversees the detection server processes that pertain to that particular server type. For example, the processes that run on Network Monitor are file reader and packet capture.
Server: All detection servers
ContentExtractionAPI_FileReader.log
Logs the behavior of the Content Extraction API file reader that sends requests to the plug-in host. The default logging level is "info", which is configurable using log4cxx_config_filereader.xml in a location based on your platform:
  • Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\logs
  • Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/15.8.00000/logs
Server: Detection Server
ContentExtractionAPI_Manager.log
Logs the behavior of the Content Extraction API manager that sends requests to the plug-in host. The default logging level is "info", which is configurable using log4cxx_config_manager.xml in a location based on your platform:
  • Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\logs
  • Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/15.8.00000/logs
Server: Enforce Server
ContentExtractionHost_FileReader.log
Logs the behavior of the Content Extraction File Reader hosts and plug-ins. The default logging level is "info", which is configurable using log4cxx_config_filereader.xml in a location based on your platform:
  • Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\logs
  • Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/15.8.00000/logs
Server: Detection Server
ContentExtractionHost_Manager.log
Logs the behavior of the Content Extraction Manager hosts and plug-ins. The default logging level is "info", which is configurable using log4cxx_config_manager.xml in a location based on your platform:
  • Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\logs
  • Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/15.8.00000/logs
Server: Enforce Server
DiscoverNative.log.0
This log file is located in \ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\logs\debug. It contains the log statements that the Network Discover/Cloud Storage Discover native code emits. It currently contains the information that is related to .pst scanning. This log file applies only to the Network Discover/Cloud Storage Discover Servers that run on Windows platforms. You can configure this log in the c:\Program Files\Symantec\DataLossPrevention\DetectionServer\15.8.00000\Protect\config\DiscoverNativeLogging.properties file.
Server: Discover detection servers
FileReader0.log
This log file pertains to the file reader process and contains application-specific logging, which may be helpful in resolving issues in detection and incident creation. One symptom that shows up is content extractor timeouts.
Server: All detection servers
flash_client_0.log
Logs messages from the Adobe Flex client used for folder risk reports by Network Discover.
Server: Enforce Server
flash_server_remoting_0.log
Contains log messages from BlazeDS, an open-source component that responds to remote procedure calls from an Adobe Flex client. This log indicates whether the Enforce Server has received messages from the Flash client. At permissive log levels (FINE, FINER, FINEST), the BlazeDS logs contain the content of the client requests to the server and the content of the server responses to the client.
Server: Enforce Server
IncidentPersister0.log
This log file pertains to the Incident Persister process. This process reads incidents from the incidents folder on the Enforce Server, and writes them to the database. Look at this log if the incident queue on the Enforce Server (manager) grows too large. You can also observe this situation by checking the incidents folder on the Enforce Server to see if incidents have backed up.
Server: Enforce Server
Indexer0.log
This log file contains information recorded when an EDM profile or IDM profile is indexed. It also includes the information that is collected when the external indexer is used. If indexing fails, consult this log.
Server: Enforce Server (or computer where the external indexer is running)
jdbc.log
This log file is a trace of JDBC calls to the database. By default, writing to this log is turned off.
Server: Enforce Server
machinelearning_native_filereader.log
This log file records the runtime category classification (positive and negative) and associated confidence levels for each message detected by a VML profile. The default logging level is "info", which is configurable using log4cxx_config_filereader.xml in a location based on your platform:
  • Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\logs
  • Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/15.8.00000/logs
Server: Detection Server
machinelearning_training_0_0.log
This log file records the design-time base accuracy percentages for the k-fold evaluations for all VML profiles.
Server: Enforce Server
machinelearning_training_native_manager.log
This log file records the total number of features modeled at design-time for each VML profile training run. The default logging level is "info", which is configurable using log4cxx_config_manager.xml in a location based on your platform:
  • Windows: \ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\logs
  • Linux: /var/log/Symantec/DataLossPrevention/DetectionServer/15.8.00000/logs
Server: Enforce Server
MonitorController0.log
This log file is a detailed log of the connections between the Enforce Server and the detection servers. It gives details about the information that is exchanged between these servers, including whether policies have been pushed to the detection servers or not.
Server: Enforce Server
PacketCapture.log
This log file pertains to the packet capture process that reassembles packets into messages and writes to the drop_pcap directory. Look at this log if there is a problem with dropped packets or traffic is lower than expected. PacketCapture is not a Java process, so it does not follow the same logging rules as the other Symantec Data Loss Prevention system processes.
Server: Network Monitor
PacketCapture0.log
This log file describes issues with PacketCapture communications.
Server: Network Monitor
RequestProcessor0.log
This log file pertains to SMTP Prevent only. The log file is primarily for use in cases where SmtpPrevent_operational0.log is not sufficient.
Server: SMTP Prevent detection servers
ScanDetail-target-0.log
Where target is the name of the scan target. All white spaces in the target's name are replaced with hyphens. This log file pertains to Discover server scanning. It is a file-by-file record of what happened in the scan. If the scan of a file is successful, the entry reads success, followed by the path, size, time, owner, and ACL information of the file scanned. If the scan failed, a warning appears followed by the file name.
Server: Discover detection servers
tomcat\localhost.date.log
These Tomcat log files contain information for any action that involves the user interface. The logs include the user interface errors from the red error message box, password failures when logging on, and Oracle errors (ORA-#).
Server: Enforce Server
SymantecDLPIncidentPersister.log
This log file contains minimal information: stdout and stderr only (fatal events).
Server: Enforce Server
SymantecDLPManager.log
This log file contains minimal information: stdout and stderr only (fatal events).
Server: Enforce Server
SymantecDLPMonitor.log
This log file contains minimal information: stdout and stderr only (fatal events).
Server: All detection servers
SymantecDLPMonitorController.log
This log file contains minimal information: stdout and stderr only (fatal events).
Server: Enforce Server
SymantecDLPNotifier.log
This log file pertains to the Notifier service and its communications with the Enforce Server and the MonitorController service. Look at this file to see if the MonitorController service registered a policy change.
Server: Enforce Server
SymantecDLPUpdate.log
This log file is populated when you update Symantec Data Loss Prevention.
Server: Enforce Server