Manage Logging of Traps Components Using Cytool
Table of Contents
4.2 (EoS)
Expand all | Collapse all
-
- Set Up the Endpoint Infrastructure
- Activate Traps Licenses
-
- Endpoint Infrastructure Installation Considerations
- TLS/SSL Encryption for Traps Components
- Configure the MS-SQL Server Database
- Install the Endpoint Security Manager Server Software
- Install the Endpoint Security Manager Console Software
- Manage Proxy Communication with the Endpoint Security Manager
- Load Balance Traffic to ESM Servers
-
- Malware Protection Policy Best Practices
- Malware Protection Flow
- Manage Trusted Signers
-
- Remove an Endpoint from the Health Page
- Install an End-of-Life Traps Agent Version
-
-
- Traps Troubleshooting Resources
- Traps and Endpoint Security Manager Processes
- ESM Tech Support File
-
- Access Cytool
- View the Status of the Agent Using Cytool
- View Processes Currently Protected by Traps Using Cytool
- Manage Logging of Traps Components Using Cytool
- Restore a Quarantined File Using Cytool
- View Statistics for a Protected Process Using Cytool
- View Details About the Traps Local Analysis Module Using Cy...
- View Hash Details About a File Using Cytool
Manage Logging of Traps Components Using Cytool
Manage Logging of Traps Components on Windows
Using Cytool, you can start, stop, or flush
the logging of Traps drivers and services. This enables you to troubleshoot
one or more components and log errors, warnings, or information
to a log file which you can then view using the Windows Event Viewer.
You can also specify the maximum file size of the log, in MB. On
Windows endpoints, Cytool outputs the ETL trace logs to the C:\ProgramData\Cyvera\Logs\ folder.
- Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
- To start logging, use the cytool log start <log size> command
where <log size> is
the size in MB (a maximum of 25MB). The following example displays output for using cytool to start logging with a maximum file size of 20 MB.
C:\Program Files\Palo Alto Networks\Traps>cytool log start 20 The operation was successful.Cytool creates a log file and begins logging in ETL format. - Set the minimum log level for one or more components:Use the cytool log set <component> <level> [flags] command to set the minimum log level of a component where:
- <component> is all—meaning set the log level for all components—or one of the following individual components: cyvrlpc, cyvrfsfd, cyverak, cyvrmtgn, cyreport, cyserver, cyapi, cylnk, cyrprtui, cytray, tlaservice, tlaworker, tlacore, cytool, cyverau, cyinjct, cyvrtrap, cyvera, ntnativeapi, winutils, panwd
- <level> is one of the following log levels: NONE, CRITICAL, ERROR, WARNING, INFO, VERBOSE, DEBUG, ALL
- [flags] is the mask (hex) of one or more trace flags (a maximum of 31) separated by spaces that Traps assigns to each trace when a program runs on the endpoint (for example 0x7FFFFFFF, or 0x5). The trace flag is a property of a trace provider, in this case Traps, and determines which events Traps generates. You can use the trace flag to filter events that Traps traces.
For example, to consume logs for the cyvrfsfd component with the INFO severity and above with the flag 0x7FFFFFFF:C:\Program Files\Palo Alto Networks\Traps>cytool log set cyvrfsfd INFO 0x7FFFFFFF The operation was successful. - Stop active log sessions:To stop logging, use the cytool log stop:After you stop logging, Cytool indicates the path and name of the log file.
C:\Program Files\Palo Alto Networks\Traps>cytool log stop Log file created at C:\ProgramData\Cyvera\Logs\Traps_native_log.4.1.2.29819.etl.001 - Flush the active log sessions:To flush active log sessions to disk, use the following command:
C:\Program Files\Palo Alto Networks\Traps>cytool log flush Log session flushed to directory C:\ProgramData\Cyvera\Logs. - Convert the ETL file to a TMF file:To extract the encoded ETL file, Cytool uses the TMF file as a key. When the TMF file is not supplied, Cytool uses the default TMF file which is stored in the C:\ProgramData\Cyvera\Logs\ folder with the ETL files.To convert the existing trace log file to a readable text file, use the cytool log convert [etl_file [tmf_file]] command.This command is not supported on Windows XP SP3.
Manage Logging of Traps Components on Mac
On Mac endpoints, you can enable logging of
one or all processes. On Mac endpoints running OS X 10.10 and OSX
10.11, Cytool outputs the logs to the /var/log/traps.
On Mac endpoints running macOS 10.12, you can view logs from the
Console application.
- Open a terminal as an administrator and navigate to the Traps folder (see Access Cytool).
- Set the log level for a process:Use the cytool log <level> <process | all> command to set the log level of a component where:
- <level> is an integer value corresponding to the log level:
- 1—Fatal error. The application terminated. This is the highest priority.
- 2—Critical error. The application cannot continue to run successfully.
- 3—Error. An operation did not complete successfully, but the application as a whole is not affected.
- 4—Warning. An operation completed with an unexpected result.
- 5—Notice. Informational message with a higher priority.
- 6—Info. Informational message, usually denoting the successful completion of an operation.
- 7—Debug. Debugging message.
- 8—Trace. Tracing message. This is the message with the lowest priority.
- 0—Turn off logging.
- <process> is a Traps process on the Mac endpoint, or use all to set the log level for all processes.
For example:PANM2637HQ:bin jdoe$ sudo ./cytool log 2 all - To collect logs, use the cytool log collect command.