App Control: How to Set Automatic Agent Log Capture (Persistent With Reboot)

Environment

  • App Control Console: All Supported Versions
  • App Control Windows Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

To set up high debug logging that persists across reboots, for issues that cannot be recreated on demand.

Resolution

  1. Log in to the Console and navigate to Assets > Computers > relevant Computer
  2. Make a note of the Host ID from the URL (Example: host-details.php?host_id=592)
  3. From the Computer Details page > right hand side > Advanced > Set Debug Level:
    • Debug Level: High
    • Include Kernel
    • Debug Duration: Permanent
  4. Click "Go"
  5. Navigate to https://ServerAddress/agent_config.php > Add Agent Config
    • Name: Automatic Log Capture (or something relevant)
    • Host ID: Value from Step 2 (Example: 592)
    • Value: capture_log_on_matching_event=subtype=SubtypeEventID,filename=PathToFileOrPathBeingBlocked (the subtype criterion is required; the filename criterion is optional additional matching criteria, see Additional Notes)
    • Policy: Relevant Policy
    • Status: Enabled
  6. Once the Agent generates an Event matching the criteria, an Event with Subtype "Agent Diagnostics Available" will appear in the Console
  7. Verify the Agent Logs are available, and download them, from Tools > Requested Files > Diagnostic Files.
  8. Navigate back to Assets > Computers > relevant Computer > right hand side > Advanced > Set Debug Level > None (default).
  9. After the Agent Logs have been downloaded (Step 7), from the Computer Details page > right hand side > Advanced > Other Actions > Delete diagnostic files on computer.
  10. Navigate to https://ServerAddress/agent_config.php > Show Filters > Value > contains > capture_log_on_matching_event
    • Either Delete or Disable this Agent Config.
  11. Upload the Agent Logs to the Vault.

Additional Notes

  • capture_log_on_matching_event is a Kernel Configuration Property that will trigger the capture of Agent Diagnostic Logs based on the Event Subtype and optional additional criteria.
  • There is a built-in delay of 5 seconds after the Event, so that activity immediately following the Event is also captured.
  • There is a built-in dwell time of 15 minutes. The auto log capture will not trigger again until 15 minutes after the last auto log capture.
  • There is a limit of 10 auto log captures. No auto captures will occur until there are fewer than 10 captures in the logs directory (Step 9 clears them).
  • The 15 minute dwell time and 10 capture maximum are there to stop poorly defined event criteria from generating large numbers of logs.
  • Setting the property to an empty string disables auto-logging.
  • A list of available Event Subtype IDs can be found on VMware Docs > Server Documentation > Events Guide.
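The following is an added example, not part of this article or of the App Control product: a small Python model of the Agent Config value built in Step 5 and of the capture throttling described in the notes above (5 second post-event delay, 15 minute dwell, 10 capture limit, reset by deleting the diagnostic files in Step 9). The subtype ID 801, the file path and the event timestamps are constructed sample data, not identifiers from the Events Guide; the dwell time is assumed to be measured from the previous capture, and the exact agent-side implementation is not published, so treat the throttle as an illustration of the documented rules rather than as the agent's code.

```python
"""Model of capture_log_on_matching_event: value formatting plus the
documented throttling rules. Added example; not App Control code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PROPERTY = "capture_log_on_matching_event"
CAPTURE_DELAY_S = 5          # capture fires 5 s after the matching Event
DWELL_S = 15 * 60            # no new capture within 15 min of the last one
MAX_CAPTURES = 10            # no captures while 10 sit in the logs directory


def build_capture_value(subtype_id: int, filename: Optional[str] = None) -> str:
    """Return the Agent Config Value string for Step 5 above."""
    if subtype_id <= 0:
        raise ValueError("subtype must be a positive Event Subtype ID")
    value = f"{PROPERTY}=subtype={subtype_id}"
    if filename:
        # criteria are comma separated, so a comma in the path is ambiguous
        if "," in filename:
            raise ValueError("filename criterion must not contain a comma")
        value += f",filename={filename}"
    return value


def parse_capture_value(value: str) -> Dict[str, str]:
    """Split a Value string back into its criteria.
    An empty property value disables auto-logging and parses to {}."""
    key, _, criteria = value.partition("=")
    if key != PROPERTY:
        raise ValueError(f"not a {PROPERTY} property")
    if not criteria:
        return {}
    out: Dict[str, str] = {}
    for item in criteria.split(","):
        k, _, v = item.partition("=")
        out[k] = v
    if "subtype" not in out:
        raise ValueError("subtype criterion is required")
    return out


@dataclass
class CaptureThrottle:
    """Decides which matching Events actually produce a diagnostic capture."""
    captures_on_disk: int = 0
    last_capture_at: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def on_matching_event(self, t: int) -> Optional[int]:
        """Return the capture time for an Event at second t, or None if suppressed."""
        if self.captures_on_disk >= MAX_CAPTURES:
            self.log.append(f"t={t}: suppressed, {MAX_CAPTURES} captures on disk")
            return None
        if self.last_capture_at is not None and t - self.last_capture_at < DWELL_S:
            self.log.append(f"t={t}: suppressed, inside {DWELL_S}s dwell")
            return None
        capture_at = t + CAPTURE_DELAY_S
        self.captures_on_disk += 1
        self.last_capture_at = capture_at
        self.log.append(f"t={t}: diagnostics captured at t={capture_at}")
        return capture_at

    def delete_diagnostic_files(self) -> None:
        """Step 9 above: clearing the logs directory re-arms the capture limit."""
        self.captures_on_disk = 0


def simulate(event_times: List[int]) -> List[Optional[int]]:
    """Run a sequence of matching Event times through a fresh throttle."""
    throttle = CaptureThrottle()
    return [throttle.on_matching_event(t) for t in event_times]


if __name__ == "__main__":
    # Constructed sample: subtype 801 and the path are placeholders only.
    value = build_capture_value(801, r"C:\Temp\blocked.exe")
    print(value, parse_capture_value(value))
    # Events at 0 s, 100 s, 900 s and 905 s: only the first and last are captured,
    # because the dwell runs from the capture at 5 s, not from the Event at 0 s.
    throttle = CaptureThrottle()
    for t in [0, 100, 900, 905]:
        throttle.on_matching_event(t)
    print("\n".join(throttle.log))
```

The practical lesson is the second part: with a loosely defined criterion, only the first of a burst of Events produces diagnostics, and once ten captures have accumulated nothing more is captured until the files are deleted from the computer, which is why Steps 9 and 10 are part of the procedure rather than optional cleanup.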

Article Information
Creation Date: 09-09-2020