McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 143

Product guide for use with epolicy orchestrator 4.5

Appendix B — Troubleshooting
Host IPS logs
When a log file exceeds the size specified by log_rotate_size_kb, the file is closed and renamed
with the suffix .1. If a file with that name already exists, its suffix is incremented by one. When
the specified number of backup files is reached, the oldest backup is deleted.
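The rotation scheme described above, as an added example in Python (not McAfee code). It assumes the usual reading of that description: the closed file becomes .1, every existing backup shifts up by one suffix, and the backup that would exceed backup_count (the oldest) is deleted. The log content, the file name and the size threshold used in demo() are constructed; the helper backups_newest_first() is added here to show which backups still exist when collecting logs for an incident.

```python
"""Added example: size-based log rotation as described in the manual (not McAfee code)."""
import os
import tempfile


def rotate_if_needed(path, log_rotate_size_kb, backup_count):
    """Rotate `path` once it exceeds log_rotate_size_kb. Returns True if a rotation happened.

    Assumed scheme: live file -> .1, .1 -> .2, ..., .backup_count is deleted.
    """
    if not os.path.exists(path):
        return False
    if os.path.getsize(path) <= log_rotate_size_kb * 1024:
        return False
    # The backup count is reached: drop the oldest backup before shifting.
    oldest = f"{path}.{backup_count}"
    if os.path.exists(oldest):
        os.remove(oldest)
    # Shift remaining backups up by one suffix, highest first so nothing is overwritten.
    for n in range(backup_count - 1, 0, -1):
        src = f"{path}.{n}"
        if os.path.exists(src):
            os.replace(src, f"{path}.{n + 1}")
    # The closed live file takes the .1 suffix; the service will create a fresh file.
    os.replace(path, f"{path}.1")
    return True


def backups_newest_first(path, backup_count):
    """Existing backups ordered .1 (newest) .. .N (oldest), for incident collection."""
    return [f"{path}.{n}" for n in range(1, backup_count + 1)
            if os.path.exists(f"{path}.{n}")]


def demo():
    """Write constructed sessions, rotate at 2 KB with 3 backups, report the layout.

    Returns (backup counts after each session, first line of .1, first line of .3).
    """
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "HipShield.log")  # constructed path
    counts = []
    for session in range(5):
        with open(path, "a") as f:
            f.write(f"session {session}\n" * 300)  # ~3 KB of constructed content
        rotate_if_needed(path, log_rotate_size_kb=2, backup_count=3)
        counts.append(len(backups_newest_first(path, 3)))
    with open(f"{path}.1") as f:
        newest = f.readline().strip()
    with open(f"{path}.3") as f:
        oldest = f.readline().strip()
    return counts, newest, oldest


if __name__ == "__main__":
    print(demo())
```

After five sessions only three backups remain (sessions 2, 3 and 4); sessions 0 and 1 have already been deleted, which is why the manual's advice to delete old logs and reproduce immediately matters: evidence older than backup_count rotations is gone.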
NOTE:
When collecting data for incidents escalated to McAfee Support, we strongly recommend
creating the debug_enabled registry value and setting it to 1. This registry value logs all
Host and Network IPS events to HIPShield.log, regardless of the Log Status setting under
signature properties. Be sure to stop the service, delete old log files, restart the service, and
then reproduce the issue. This keeps the log files as small as possible.
What are things to look for in HipShield.log?
A run of the Host IPS component begins with a banner statement that identifies the build
and the date/time stamp of the session. Each entry in the HipShield log shows a date/time
stamp, followed by an indication of whether the entry is informational, debugging, or error data.
The data contained in HipShield.log is ad hoc and differs between portions of the Host IPS
component.
Key areas of interest:
• Lines beginning with In install modules new describe the copying of files as part of the
start of the Host IPS component. Failure to copy these files prevents the Host IPS component
from starting.
• A line beginning with Scrutinizer initialized successfully indicates that loading of the
Host IPS component has been successful up through the initialization of the Scrutinizer,
which depends on the above-mentioned files having been copied properly.
• A line beginning with New Process: Pid= indicates the Host IPS component is able to
monitor process creation.
• A line beginning with IIS - Start indicates that IIS monitoring is beginning.
• A line beginning with Scrutinizer started successfully ACTIVATED status indicates
that the Scrutinizer has successfully started.
• A line beginning with Hooking xxx indicates that process hooking is proceeding. The number
xxx indicates the PID (process ID) of the process being hooked.
• A series of lines beginning with Processing Buffer xxx.scn reports the results of the
Scanner's processing of the scan file xxx.scn, where xxx is a name such as EnterceptMgmtServer,
as shown above. Errors in the Scanner's processing of scan files are reported here.
• Lines in the format signature=111 level=2, log=True report that an individual signature
has been loaded. The signature ID and level are included along with an indication of whether
logging is enabled for this signature.
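The checks listed above, as an added Python triage script (not McAfee code). The marker phrases are the ones named in the list; the line layout (timestamp, level tag, message) and every sample line are constructed here, because the manual does not show the exact format of HipShield.log, so the regular expressions are assumptions to adapt to real files. The script reports which startup milestones were reached, the first one missing (where startup stalled), hooked PIDs, scan files that produced errors, and how many signatures loaded with logging disabled.

```python
"""Added example: triage of a HipShield.log excerpt (not McAfee code)."""
import re

# Constructed sample lines in an ASSUMED "<date> <time> <LEVEL> <message>" layout.
SAMPLE_LOG = """\
2011-03-01 09:00:00 INFO  Host IPS build banner (constructed)
2011-03-01 09:00:01 INFO  In install modules new: copying files
2011-03-01 09:00:02 INFO  Scrutinizer initialized successfully
2011-03-01 09:00:03 INFO  New Process: Pid=1234
2011-03-01 09:00:03 INFO  IIS - Start
2011-03-01 09:00:04 INFO  Scrutinizer started successfully ACTIVATED status
2011-03-01 09:00:05 DEBUG Hooking 1234
2011-03-01 09:00:05 DEBUG Hooking 1300
2011-03-01 09:00:06 INFO  Processing Buffer EnterceptMgmtServer.scn
2011-03-01 09:00:06 ERROR Processing Buffer ExampleApp.scn failed to parse rule
2011-03-01 09:00:07 DEBUG signature=111 level=2, log=True
2011-03-01 09:00:07 DEBUG signature=112 level=3, log=False
"""

# Constructed excerpt of a start that stalls after the file-copy step.
STALLED_LOG = """\
2011-03-01 10:00:00 INFO  Host IPS build banner (constructed)
2011-03-01 10:00:01 INFO  In install modules new: copying files
2011-03-01 10:00:02 ERROR In install modules new: copy failed (constructed)
"""

# Startup milestones, in the order the manual lists them.
MILESTONES = [
    "In install modules new",
    "Scrutinizer initialized successfully",
    "New Process: Pid=",
    "IIS - Start",
    "Scrutinizer started successfully ACTIVATED status",
]

LINE_RE = re.compile(r"^(\S+ \S+)\s+(INFO|DEBUG|ERROR)\s+(.*)$")  # assumed layout


def parse_lines(text):
    """Yield (timestamp, level, message) for lines that match the assumed layout."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group(1), m.group(2), m.group(3).strip()


def triage(text):
    """Summarise the startup milestones, hooking, scanner errors and signature loading."""
    entries = list(parse_lines(text))
    messages = [msg for _, _, msg in entries]
    reached = [mark for mark in MILESTONES
               if any(msg.startswith(mark) for msg in messages)]
    first_missing = next((mark for mark in MILESTONES if mark not in reached), None)
    hooked_pids, scanner_errors, signatures = [], [], {}
    for _, level, msg in entries:
        m = re.match(r"Hooking (\d+)", msg)
        if m:
            hooked_pids.append(int(m.group(1)))
            continue
        m = re.match(r"Processing Buffer (\S+\.scn)", msg)
        if m and level == "ERROR":
            scanner_errors.append(m.group(1))
            continue
        m = re.match(r"signature=(\d+) level=(\d+), log=(True|False)", msg)
        if m:
            signatures[int(m.group(1))] = {"level": int(m.group(2)),
                                           "log": m.group(3) == "True"}
    return {
        "milestones_reached": reached,
        "first_missing_milestone": first_missing,
        "hooked_pids": hooked_pids,
        "scanner_errors": scanner_errors,
        "signatures_loaded": len(signatures),
        "signatures_not_logging": sorted(s for s, v in signatures.items() if not v["log"]),
    }


if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE_LOG), ("stalled", STALLED_LOG)):
        print(name, triage(text))
```

For the stalled excerpt the first missing milestone is "Scrutinizer initialized successfully", which points straight at the file-copy step the manual names as the reason the component fails to start; signatures reported with log=False are the ones whose events will not appear in HipShield.log unless debug_enabled is set.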
NOTE:
Shield.db and except.db are created in the same directory as the logs only when
debugging is enabled. These files contain a dump of the rules and exceptions that are sent to
the kernel after the AgentNT.dll has processed the content.
Which log files are associated with the firewall component?
The primary log files for the Firewall component and what they contain:

Name         Description        Contains this data
FireSvc.log  Main service log   Debug level logging
                                Location matching output
                                TrustedSource connection rating output
                                Errors/warnings

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5    143
