App Control: How to Set Automatic Agent Log Capture (Persistent With Reboot)

Environment

  • App Control Console: All Supported Versions
  • App Control Windows Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

To set up high debug logging that persists across reboots, for issues that cannot be reproduced on demand.

Resolution

  1. Log in to the Console and navigate to Assets > Computers > relevant Computer.
  2. In the URL, note the value for host_id (example: https://ServerAddress/host-details.php?host_id=74).
  3. From the Computer Details page > right hand side > Advanced > Set Debug Level:
    • Debug Level: High & Include Kernel
    • Debug Duration: Permanent
    • Click "Go"
  4. Navigate to https://ServerAddress/agent_config.php > Add Agent Config
  5. Use the following details:
    • Property Name: TMP-Max Roll QTY (or something memorable)
    • Host ID: Value from Step 2 (ex: 74)
    • Value: max_rolled_trace_logs_to_keep=20
    • Status: Enabled
  6. Click Save & add another Agent Config using the following details:
    • Property Name: TMP-Max Roll Size (or something memorable)
    • Host ID: Value from Step 2 (ex: 74)
    • Value: max_rolling_trace_size_mb=500
    • Status: Enabled
  7. Click Save & add another Agent Config using the following details:
    • Property Name: Verbose Log Pattern (or something memorable)
    • Host ID: Value from Step 2 (ex: 74)
    • Value: kernelVerboseLogPattern=File.exe
    • Status: Enabled
  8. Optional: to capture logs for a specific event such as "Execution Block", add a final Agent Config with the following details:
    • Property Name: Automatic Log Capture (or something relevant)
    • Host ID: Value from Step 2 (Ex: 74)
    • Value: capture_log_on_matching_event=subtype=SubtypeEventID,filename=PathToFileOrPathBeingBlocked
      Example: capture_log_on_matching_event=subtype=801,filename=File.exe
    • Status: Enabled
  9. After creating these Agent Configs, verify the Agent shows as Connected & Up to Date in Assets > Computers.
  10. Once the Agent generates an Event matching the scenario, an Event with Subtype "Agent Diagnostics Available" will appear in the Console.
  11. Verify the Agent Logs are available, and download them, from Tools > Requested Files > Diagnostic Files.
  12. Navigate back to Assets > Computers > relevant Computer > right hand side > Advanced > Set Debug Level > None (default).
  13. Disable or delete the Agent Configs created in Steps 5, 6, 7 and 8.
  14. Upload the Agent Logs to the Vault.
  15. After confirming the Agent Logs have been received by Support, it may be beneficial to clear them from the endpoint.

Additional Notes

  • capture_log_on_matching_event is a Kernel Configuration Property that will trigger the capture of Agent Diagnostic Logs based on the Event Subtype and optional additional criteria.
  • There is a built-in delay of 5 seconds after the Event to capture possible following activity.
  • There is a built-in dwell time of 15 minutes. The auto log capture will not trigger until 15 minutes after the last auto log capture.
  • There is a limit of 10 auto log captures. No auto captures will occur until there are fewer than 10 captures in the logs directory.
  • The 15 minute dwell time and 10 capture maximum are there to stop poorly defined event criteria from generating large numbers of logs.
  • Setting the property to an empty string disables auto-logging.
  • A list of available Event Subtype IDs can be found on VMware Docs > Server Documentation > Events Guide.
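The following is an added example, not code from the App Control agent or from this article, that models the capture_log_on_matching_event value format from Step 8 together with the 5 second delay, 15 minute dwell time and 10 capture limit from the notes above. It lets an administrator estimate, before enabling the property, how many diagnostic captures a given event pattern would produce. The parsing rules (comma-separated key=value pairs, case-insensitive filename comparison against either the full path or its base name) and the sample events are assumptions made for the example; the real agent's matching semantics are not documented on this page.

```python
"""Model of capture_log_on_matching_event throttling (added example, not agent code)."""
import ntpath
from dataclasses import dataclass
from typing import Optional

POST_EVENT_DELAY_SECONDS = 5   # capture starts 5 s after the matching event
DWELL_SECONDS = 15 * 60        # no new capture within 15 min of the last one
MAX_CAPTURES = 10              # no new capture while 10 are in the logs directory


def parse_capture_rule(value: str) -> dict:
    """Parse e.g. 'subtype=801,filename=File.exe' into {'subtype': 801, 'filename': 'file.exe'}.

    An empty string returns {} which, as the article states, disables auto-logging.
    The key=value,key=value layout is an assumption taken from the article's example.
    """
    value = value.strip()
    if not value:
        return {}
    rule = {}
    for pair in value.split(","):
        if "=" not in pair:
            raise ValueError(f"malformed criterion: {pair!r}")
        key, _, val = pair.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "subtype":
            rule["subtype"] = int(val)
        elif key == "filename":
            rule["filename"] = val.lower()
        else:
            raise ValueError(f"unsupported criterion: {key!r}")
    if "subtype" not in rule:
        raise ValueError("subtype is required")
    return rule


@dataclass
class Event:
    time: float      # seconds since agent start (constructed sample value)
    subtype: int
    filename: str    # full path of the file involved in the event


def matches(rule: dict, event: Event) -> bool:
    """True if the event satisfies every criterion in the rule."""
    if not rule or event.subtype != rule["subtype"]:
        return False
    if "filename" in rule:
        wanted = rule["filename"]
        actual = event.filename.lower()
        # Assumption: the rule may name either the full path or just the file name.
        if actual != wanted and ntpath.basename(actual) != wanted:
            return False
    return True


def simulate(rule_value: str, events: list, captures_on_disk: int = 0) -> list:
    """Return (event_time, capture_time) for each event that would trigger a capture."""
    rule = parse_capture_rule(rule_value)
    last_capture: Optional[float] = None
    triggered = []
    for ev in sorted(events, key=lambda e: e.time):
        if not matches(rule, ev):
            continue
        if captures_on_disk >= MAX_CAPTURES:
            continue   # limit reached: nothing fires until the directory is cleared
        if last_capture is not None and ev.time - last_capture < DWELL_SECONDS:
            continue   # inside the dwell window after the previous capture
        capture_time = ev.time + POST_EVENT_DELAY_SECONDS
        triggered.append((ev.time, capture_time))
        captures_on_disk += 1
        last_capture = capture_time
    return triggered


# Constructed sample events: subtype 801 used as in the article's example value.
SAMPLE_EVENTS = [
    Event(0.0, 801, r"C:\Temp\File.exe"),      # fires, capture at t=5
    Event(60.0, 801, r"C:\Temp\File.exe"),     # suppressed by dwell time
    Event(120.0, 802, r"C:\Temp\File.exe"),    # wrong subtype
    Event(1000.0, 801, r"C:\Other\file.exe"),  # fires, 995 s after last capture
    Event(1500.0, 801, r"C:\Tools\notepad.exe"),  # wrong filename
]

if __name__ == "__main__":
    for ev_time, cap_time in simulate("capture_log_on_matching_event=subtype=801,filename=File.exe".split("=", 1)[1], SAMPLE_EVENTS):
        print(f"event at {ev_time:>7.1f}s -> diagnostic capture at {cap_time:>7.1f}s")
```

Running the block with the sample events yields two captures (t=5 and t=1005): the second event is inside the dwell window and the other two fail the subtype or filename criterion. Feeding it twelve matching events spaced well apart shows the 10 capture ceiling, which is the case the article warns about for loosely defined criteria.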

Article Information

Creation Date: 09-09-2020