Debug log files
The Enforce Server and the detection servers store debug log files in the c:\ProgramData\Symantec\DataLossPrevention\<Enforce Server or Detection Server>\15.8.00000\logs\ directory on Windows installations and in the /var/log/Symantec/DataLossPrevention/<Enforce Server or Detection Server>/15.8.00000/ directory on Linux installations. A number at the end of the log file name indicates the count (shown as 0 in debug log files).

The following table lists and describes the Symantec Data Loss Prevention debug log files.

Log file name | Description | Server |
|---|---|---|
Aggregator0.log | This file describes communications between the detection server and the agents. Look at this log to troubleshoot the following problems: | Endpoint detection servers |
BoxMonitor0.log | This file is typically very small, and it shows how the application processes are running. The BoxMonitor process oversees the detection server processes that pertain to that particular server type. For example, the processes that run on Network Monitor are file reader and packet capture. | All detection servers |
ContentExtractionAPI_FileReader.log | Logs the behavior of the Content Extraction API file reader that sends requests to the plug-in host. The default logging level is "info" which is configurable using log4cxx_config_filereader.xml in a location based on your platform: | Detection Server |
ContentExtractionAPI_Manager.log | Logs the behavior of the Content Extraction API manager that sends requests to the plug-in host. The default logging level is "info" which is configurable using log4cxx_config_manager.xml in a location based on your platform: | Enforce Server |
ContentExtractionHost_FileReader.log | Logs the behavior of the Content Extraction File Reader hosts and plug-ins. The default logging level is "info" which is configurable using log4cxx_config_filereader.xml in a location based on your platform: | Detection Server |
ContentExtractionHost_Manager.log | Logs the behavior of the Content Extraction Manager hosts and plug-ins. The default logging level is "info" which is configurable using log4cxx_config_manager.xml in a location based on your platform: | Enforce Server |
DiscoverNative.log.0 | This log file is located in \ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\logs\debug. It contains the log statements that the Network Discover/Cloud Storage Discover native code emits. It currently contains the information that is related to .pst scanning. This log file applies only to the Network Discover/Cloud Storage Discover Servers that run on Windows platforms. You can configure this log in the c:\Program Files\Symantec\DataLossPrevention\DetectionServer\15.8.00000\Protect\config\DiscoverNativeLogging.properties file. | Discover detection servers |
FileReader0.log | This log file pertains to the file reader process and contains application-specific logging, which may be helpful in resolving issues in detection and incident creation. One symptom that shows up is content extractor timeouts. | All detection servers |
flash_client_0.log | Logs messages from the Adobe Flex client used for folder risk reports by Network Discover. | Enforce Server |
flash_server_remoting_0.log | Contains log messages from BlazeDS, an open-source component that responds to remote procedure calls from an Adobe Flex client. This log indicates whether the Enforce Server has received messages from the Flash client. At permissive log levels (FINE, FINER, FINEST), the BlazeDS logs contain the content of the client requests to the server and the content of the server responses to the client. | Enforce Server |
IncidentPersister0.log | This log file pertains to the Incident Persister process. This process reads incidents from the incidents folder on the Enforce Server, and writes them to the database. Look at this log if the incident queue on the Enforce Server (manager) grows too large. This situation can be observed also by checking the incidents folder on the Enforce Server to see if incidents have backed up. | Enforce Server |
Indexer0.log | This log file contains information when an EDM profile or IDM profile is indexed. It also includes the information that is collected when the external indexer is used. If indexing fails then this log should be consulted. | Enforce Server (or computer where the external indexer is running) |
jdbc.log | This log file is a trace of JDBC calls to the database. By default, writing to this log is turned off. | Enforce Server |
machinelearning_native_filereader.log | This log file records the runtime category classification (positive and negative) and associated confidence levels for each message detected by a VML profile. The default logging level is "info" which is configurable using log4cxx_config_filereader.xml in a location based on your platform: | Detection Server |
machinelearning_training_0_0.log | This log file records the design-time base accuracy percentages for the k-fold evaluations for all VML profiles. | Enforce Server |
machinelearning_training_native_manager.log | This log file records the total number of features modeled at design-time for each VML profile training run. The default logging level is "info" which is configurable using log4cxx_config_manager.xml in a location based on your platform: | Enforce Server |
MonitorController0.log | This log file is a detailed log of the connections between the Enforce Server and the detection servers. It gives details around the information that is exchanged between these servers including whether policies have been pushed to the detection servers or not. | Enforce Server |
PacketCapture.log | This log file pertains to the packet capture process that reassembles packets into messages and writes to the drop_pcap directory. Look at this log if there is a problem with dropped packets or traffic is lower than expected. PacketCapture is not a Java process, so it does not follow the same logging rules as the other Symantec Data Loss Prevention system processes. | Network Monitor |
PacketCapture0.log | This log file describes issues with PacketCapture communications. | Network Monitor |
RequestProcessor0.log | This log file pertains to SMTP Prevent only. The log file is primarily for use in cases where SmtpPrevent_operational0.log is not sufficient. | SMTP Prevent detection servers |
ScanDetail-target-0.log | Where target is the name of the scan target. All white spaces in the target's name are replaced with hyphens. This log file pertains to Discover server scanning. It is a file-by-file record of what happened in the scan. If the scan of the file is successful, it reads success, and then the path, size, time, owner, and ACL information of the file scanned. If it failed, a warning appears followed by the file name. | Discover detection servers |
tomcat\localhost.date.log | These Tomcat log files contain information for any action that involves the user interface. The logs include the user interface errors from the red error message box, password failures when logging on, and Oracle errors (ORA-#). | Enforce Server |
SymantecDLPIncidentPersister.log | This log file contains minimal information: stdout and stderr only (fatal events). | Enforce Server |
SymantecDLPManager.log | This log file contains minimal information: stdout and stderr only (fatal events). | Enforce Server |
SymantecDLPMonitor.log | This log file contains minimal information: stdout and stderr only (fatal events). | All detection servers |
SymantecDLPMonitorController.log | This log file contains minimal information: stdout and stderr only (fatal events). | Enforce Server |
SymantecDLPNotifier.log | This log file pertains to the Notifier service and its communications with the Enforce Server and the MonitorController service. Look at this file to see if the MonitorController service registered a policy change. | Enforce Server |
SymantecDLPUpdate.log | This log file is populated when you update Symantec Data Loss Prevention. | Enforce Server |