Changing the Amount, Size and Level of Logs in the ESM and Traps Agent

Created On 09/25/18 18:19 PM - Last Modified 07/19/22 23:09 PM


Symptom


By default, the ESM core service, ESM web console, Traps Agent service and Traps Agent console each log ten 5MB log files, with "Debug" as the minimal level of logging.

As more endpoints are installed and more features are enabled (especially WildFire integration), the agent (on the endpoint) and the Core and Console (on the servers) write a larger volume of logs. The log files therefore roll over quickly and no longer cover issues that were logged a few days back.

Server log locations:

  • On ESM Core servers, the server logs are located in %ProgramData%\Cyvera\Logs and are named "Server.log" (older logs are renamed "Server.0.log", "Server.1.log"..."Server.9.log")
  • On ESM Console servers, the web logs are located in %ProgramData%\Cyvera\Logs and are named "DebugWeb.log" (older logs are renamed "DebugWeb.0.log", "DebugWeb.1.log"..."DebugWeb.9.log")
  • On the endpoint, Traps service logs are located in %ProgramData%\Cyvera\Logs and are named "Service.log" (older logs are renamed "Service.0.log", "Service.1.log"..."Service.9.log")
  • On the endpoint, Traps agent console logs are located in %USERPROFILE%\AppData\Roaming\Cyvera\Logs and are named "Console.log" (older logs are renamed "Console.0.log", "Console.1.log"..."Console.9.log")


Environment


Traps 3.1.2

Resolution


When enabling "High logging" features, it is recommended to increase the number and size of the log files where possible. Additionally, in a stable environment, the minimal logging level can be raised so that fewer messages are written to the log file and, in turn, each log file covers a longer period.

Note: When raising the minimal level of logging, some issues might not get logged at all.

The number, size and level of the logs cannot be configured in the UI, but can be changed by editing specific XML files.

  • ESM Core server logs:
    The XML file is located at: %Programfiles%\Palo Alto Networks\Endpoint Security Manager\Server and is called CyveraServer.exe.nlog
  • ESM Console DebugWeb logs:
    The XML file is located at: %Programfiles%\Palo Alto Networks\Endpoint Security Manager\web and is called Web.config
  • Traps agent service logs:
    The XML file is located at: %Programfiles%\Palo Alto Networks\Traps and is called CyveraService.exe.nlog
  • Traps agent console logs:
    The XML file is located at: %Programfiles%\Palo Alto Networks\Traps and is called CyveraConsole.exe.nlog


Opening the XML file will reveal the following entry:

Note: This example is taken from the ESM server log configuration file.

<targets async="true">
    <target name="file"
            xsi:type="File"
            fileName="${specialfolder:folder=CommonApplicationData}\Cyvera\Logs\Server.log"
            maxArchiveFiles="10"
            archiveAboveSize="50000000"
            archiveNumbering="Rolling"
            layout="${longdate} ${level:uppercase=true} ${processname}(${threadid}) ${logger} ${message} ${exception:innerFormat=ToString:format=ToString}"
    />

And lower in the file:

<rules>
    <logger name="*" minlevel="Debug" writeTo="file" />

Usage

  1. Editing "maxArchiveFiles" sets the number of log files kept (keeping the convention of "Server.xx.log" as the file name).
  2. Editing "archiveAboveSize" sets the size limit of each log file (the value is in bytes).
  3. Editing the "minlevel" entry changes the minimal level of logging in the log. The options are: Trace, Debug, Info, Warn, Error.

Important! Restarting the relevant service (Traps, ESM or IIS) is required for the changes to take effect.
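
The three edits above can be scripted so that every server and endpoint gets the same retention settings and a rollback copy of the original file. The following PowerShell function is an added example, not vendor code: the name Set-TrapsLogRetention and the -ServiceName parameter are hypothetical, and it assumes the target and logger rule are named "file" as in the server example shown earlier.

```powershell
# Added example (hypothetical helper, not vendor code). Run from an elevated prompt,
# since the configuration files live under %ProgramFiles%.
function Set-TrapsLogRetention {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,   # one of the four XML files listed above
        [int]    $MaxArchiveFiles,               # number of rolled log files to keep
        [long]   $ArchiveAboveSize,              # size limit per file, in bytes
        [ValidateSet('Trace', 'Debug', 'Info', 'Warn', 'Error')]
        [string] $MinLevel,
        [string] $ServiceName                    # caller-supplied; the article names no service
    )
    $full = (Resolve-Path -LiteralPath $Path).Path
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true              # keep layout and comments untouched
    $xml.Load($full)

    # local-name() matches with or without a default XML namespace on the NLog elements.
    # Assumes the target is named "file", as in the article's server example.
    $target = $xml.SelectSingleNode("//*[local-name()='target' and @name='file']")
    $logger = $xml.SelectSingleNode("//*[local-name()='logger' and @writeTo='file']")
    if ($null -eq $target -or $null -eq $logger) {
        throw "No target/logger rule named 'file' found in $full"
    }
    if ($PSBoundParameters.ContainsKey('MaxArchiveFiles')) {
        if ($MaxArchiveFiles -lt 1) { throw 'MaxArchiveFiles must be 1 or more' }
        $target.SetAttribute('maxArchiveFiles', [string]$MaxArchiveFiles)
    }
    if ($PSBoundParameters.ContainsKey('ArchiveAboveSize')) {
        if ($ArchiveAboveSize -lt 1) { throw 'ArchiveAboveSize must be 1 byte or more' }
        $target.SetAttribute('archiveAboveSize', [string]$ArchiveAboveSize)
    }
    if ($PSBoundParameters.ContainsKey('MinLevel')) {
        $logger.SetAttribute('minlevel', $MinLevel)
    }
    if ($PSCmdlet.ShouldProcess($full, 'Update NLog retention settings')) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Copy-Item -LiteralPath $full -Destination "${full}.${stamp}.bak"   # rollback copy
        $xml.Save($full)
        if ($ServiceName) { Restart-Service -Name $ServiceName }           # change needs a restart
    }
    # Report the resulting values and the approximate disk budget for the rolled files.
    $files = [long]$target.GetAttribute('maxArchiveFiles')
    $size  = [long]$target.GetAttribute('archiveAboveSize')
    [pscustomobject]@{
        File = $full; MaxArchiveFiles = $files; ArchiveAboveSize = $size
        MinLevel = $logger.GetAttribute('minlevel'); ApproxMaxBytes = $files * $size
    }
}
# Constructed sample values; -WhatIf previews the result without writing the file:
# Set-TrapsLogRetention -Path "$env:ProgramFiles\Palo Alto Networks\Endpoint Security Manager\Server\CyveraServer.exe.nlog" -MaxArchiveFiles 20 -MinLevel Info -WhatIf
```

ApproxMaxBytes is the disk space to budget on each host before raising the file count or size.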


