Manage Logging of Traps Components Using Cytool
Manage Logging of Traps Components on Windows
Using Cytool, you can start, stop, or flush the logging of Traps drivers and services. This enables you to troubleshoot one or more components and log errors, warnings, or information to a log file which you can then view using the Windows Event Viewer. You can also specify the maximum file size of the log, in MB. On Windows endpoints, Cytool outputs the ETL trace logs to the C:\ProgramData\Cyvera\Logs\ folder.
- Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
- To start logging, use the cytool log start <log size> command, where <log size> is the size in MB (a maximum of 25MB). The following example displays output for using cytool to start logging with a maximum file size of 20 MB.
C:\Program Files\Palo Alto Networks\Traps>cytool log start 20
The operation was successful.
Cytool creates a log file and begins logging in ETL format.
- Set the minimum log level for one or more components: Use the cytool log set <component> <level> [flags] command to set the minimum log level of a component, where:
- <component> is all (meaning set the log level for all components) or one of the following individual components: cyvrlpc, cyvrfsfd, cyverak, cyvrmtgn, cyreport, cyserver, cyapi, cylnk, cyrprtui, cytray, tlaservice, tlaworker, tlacore, cytool, cyverau, cyinjct, cyvrtrap, cyvera, ntnativeapi, winutils, panwd
- <level> is one of the following log levels: NONE, CRITICAL, ERROR, WARNING, INFO, VERBOSE, DEBUG, ALL
- [flags] is the mask (hex) of one or more trace flags (a maximum of 31) separated by spaces that Traps assigns to each trace when a program runs on the endpoint (for example 0x7FFFFFFF, or 0x5). The trace flag is a property of a trace provider, in this case Traps, and determines which events Traps generates. You can use the trace flag to filter events that Traps traces.
For example, to consume logs for the cyvrfsfd component with the INFO severity and above with the flag 0x7FFFFFFF:
C:\Program Files\Palo Alto Networks\Traps>cytool log set cyvrfsfd INFO 0x7FFFFFFF
The operation was successful.
- Stop active log sessions: To stop logging, use the cytool log stop command. After you stop logging, Cytool indicates the path and name of the log file.
C:\Program Files\Palo Alto Networks\Traps>cytool log stop
Log file created at C:\ProgramData\Cyvera\Logs\Traps_native_log.184.108.40.206819.etl.001
- Flush the active log sessions: To flush active log sessions to disk, use the following command:
C:\Program Files\Palo Alto Networks\Traps>cytool log flush
Log session flushed to directory C:\ProgramData\Cyvera\Logs.
- Convert the ETL file to a TMF file: To extract the encoded ETL file, Cytool uses the TMF file as a key. When the TMF file is not supplied, Cytool uses the default TMF file which is stored in the C:\ProgramData\Cyvera\Logs\ folder with the ETL files. To convert the existing trace log file to a readable text file, use the cytool log convert [etl_file [tmf_file]] command. This command is not supported on Windows XP SP3.
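The argument rules in the steps above (a log size of at most 25 MB, the listed component and level names, and a hex mask covering at most 31 trace flags) can be checked before a command is typed. The following Python helper is an added example, not part of Cytool or the Traps documentation; it only builds command lines, and it assumes that trace flag n is bit n-1 of the mask and that the smallest usable log size is 1 MB.

```python
# Added example: builds (does not run) cytool logging command lines.
# Component names, levels and the 25 MB / 31-flag limits are copied from this page.
COMPONENTS = frozenset(
    "all cyvrlpc cyvrfsfd cyverak cyvrmtgn cyreport cyserver cyapi cylnk "
    "cyrprtui cytray tlaservice tlaworker tlacore cytool cyverau cyinjct "
    "cyvrtrap cyvera ntnativeapi winutils panwd".split())
LEVELS = ("NONE", "CRITICAL", "ERROR", "WARNING", "INFO", "VERBOSE", "DEBUG", "ALL")
MAX_LOG_MB, MAX_FLAGS = 25, 31

def flags_to_mask(flags):
    """Combine flag numbers 1..31 into one hex mask.
    Assumption: flag n is bit n-1 of the mask (usual trace-flag layout)."""
    mask = 0
    for n in flags:
        if not 1 <= n <= MAX_FLAGS:
            raise ValueError(f"trace flag {n} is outside 1..{MAX_FLAGS}")
        mask |= 1 << (n - 1)
    if mask == 0:
        raise ValueError("at least one trace flag is required")
    return f"0x{mask:X}"

def mask_to_flags(mask_hex):
    """Inverse of flags_to_mask: list the flag numbers set in a hex mask."""
    mask = int(mask_hex, 16)
    if not 0 < mask < (1 << MAX_FLAGS):
        raise ValueError(f"{mask_hex} does not fit in {MAX_FLAGS} flags")
    return [n for n in range(1, MAX_FLAGS + 1) if mask & (1 << (n - 1))]

def log_set_args(component, level, flags=None):
    """argv for: cytool log set <component> <level> [flags]"""
    if component not in COMPONENTS:
        raise ValueError(f"unknown component: {component}")
    if level.upper() not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    argv = ["cytool", "log", "set", component, level.upper()]
    return argv + [flags_to_mask(flags)] if flags is not None else argv

def session_plan(size_mb, settings):
    """Ordered argv lists for one capture: start, each set, then stop."""
    if not 1 <= size_mb <= MAX_LOG_MB:  # lower bound of 1 MB is an assumption
        raise ValueError(f"log size must be 1..{MAX_LOG_MB} MB")
    plan = [["cytool", "log", "start", str(size_mb)]]
    plan += [log_set_args(*s) for s in settings]
    return plan + [["cytool", "log", "stop"]]

if __name__ == "__main__":
    for argv in session_plan(20, [("cyvrfsfd", "INFO", range(1, 32))]):
        print(" ".join(argv))
```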
Manage Logging of Traps Components on Mac
On Mac endpoints, you can enable logging of one or all processes. On Mac endpoints running OS X 10.10 and OS X 10.11, Cytool outputs the logs to /var/log/traps. On Mac endpoints running macOS 10.12, you can view logs from the Console application.
- Open a terminal as an administrator and navigate to the Traps folder (see Access Cytool).
- Set the log level for a process: Use the cytool log <level> <process | all> command to set the log level of a component, where:
- <level> is an integer value corresponding to the log level:
- 1—Fatal error. The application terminated. This is the highest priority.
- 2—Critical error. The application cannot continue to run successfully.
- 3—Error. An operation did not complete successfully, but the application as a whole is not affected.
- 4—Warning. An operation completed with an unexpected result.
- 5—Notice. Informational message with a higher priority.
- 6—Info. Informational message, usually denoting the successful completion of an operation.
- 7—Debug. Debugging message.
- 8—Trace. Tracing message. This is the message with the lowest priority.
- 0—Turn off logging.
- <process> is a Traps process on the Mac endpoint, or use all to set the log level for all processes.
PANM2637HQ:bin jdoe$ sudo ./cytool log 2 all
- To collect logs, use the cytool log collect command.