Manage Logging of Traps Components Using Cytool
Manage Logging of Traps Components on Windows
Using Cytool, you can start, stop, or flush the logging of Traps drivers and services. This enables you to troubleshoot one or more components and log errors, warnings, or information to a log file which you can then view using the Windows Event Viewer. You can also specify the maximum file size of the log, in MB. On Windows endpoints, Cytool outputs the ETL trace logs to the
- Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
- To start logging, use the cytool log start <log size> command, where <log size> is the size in MB (a maximum of 25 MB). The following example displays output for using cytool to start logging with a maximum file size of 20 MB.
      C:\Program Files\Palo Alto Networks\Traps>cytool log start 20
      The operation was successful.
  Cytool creates a log file and begins logging in ETL format.
- Set the minimum log level for one or more components: Use the cytool log set <component> <level> [flags] command to set the minimum log level of a component, where:
  - <component> is all (meaning set the log level for all components) or one of the following individual components: cyvrlpc, cyvrfsfd, cyverak, cyvrmtgn, cyreport, cyserver, cyapi, cylnk, cyrprtui, cytray, tlaservice, tlaworker, tlacore, cytool, cyverau, cyinjct, cyvrtrap, cyvera, ntnativeapi, winutils, panwd
  - <level> is one of the following log levels: NONE, CRITICAL, ERROR, WARNING, INFO, VERBOSE, DEBUG, ALL
  - [flags] is the mask (hex) of one or more trace flags (a maximum of 31) separated by spaces that Traps assigns to each trace when a program runs on the endpoint (for example 0x7FFFFFFF, or 0x5). The trace flag is a property of a trace provider, in this case Traps, and determines which events Traps generates. You can use the trace flag to filter events that Traps traces.
  For example, to consume logs for the cyvrfsfd component with the INFO severity and above with the flag 0x7FFFFFFF:
      C:\Program Files\Palo Alto Networks\Traps>cytool log set cyvrfsfd INFO 0x7FFFFFFF
      The operation was successful.
- Stop active log sessions: To stop logging, use the cytool log stop command. After you stop logging, Cytool indicates the path and name of the log file.
      C:\Program Files\Palo Alto Networks\Traps>cytool log stop
      Log file created at C:\ProgramData\Cyvera\Logs\Traps_native_log.18.104.22.168819.etl.001
- Flush the active log sessions: To flush active log sessions to disk, use the following command:
      C:\Program Files\Palo Alto Networks\Traps>cytool log flush
      Log session flushed to directory C:\ProgramData\Cyvera\Logs.
- Convert the ETL file to a TMF file: To extract the encoded ETL file, Cytool uses the TMF file as a key. When the TMF file is not supplied, Cytool uses the default TMF file, which is stored in the C:\ProgramData\Cyvera\Logs\ folder with the ETL files. To convert the existing trace log file to a readable text file, use the cytool log convert [etl_file [tmf_file]] command. This command is not supported on Windows XP SP3.
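The Windows steps above combined into one PowerShell script, as an added example that is not Palo Alto Networks code: it uses only the cytool subcommands and output messages shown on this page and assumes the executable is named cytool.exe in the Traps folder. The output of cytool log convert is not shown on the page, so the script prints it as returned.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code): one bounded trace capture for a single component.
param(
    [ValidateSet('all','cyvrlpc','cyvrfsfd','cyverak','cyvrmtgn','cyreport','cyserver',
                 'cyapi','cylnk','cyrprtui','cytray','tlaservice','tlaworker','tlacore',
                 'cytool','cyverau','cyinjct','cyvrtrap','cyvera','ntnativeapi',
                 'winutils','panwd')]
    [string]$Component = 'cyvrfsfd',
    [ValidateSet('NONE','CRITICAL','ERROR','WARNING','INFO','VERBOSE','DEBUG','ALL')]
    [string]$Level = 'INFO',
    [ValidateRange(1, 25)]            # the page gives 25 MB as the maximum log size
    [int]$MaxSizeMB = 20,
    [ValidateRange(1, 0x7FFFFFFF)]    # hex mask, at most 31 trace-flag bits
    [int]$Flags = 0x7FFFFFFF,
    [string]$TrapsDir = 'C:\Program Files\Palo Alto Networks\Traps'
)
$cytool = Join-Path $TrapsDir 'cytool.exe'   # assumption: executable file name

# Run one cytool command and fail unless its output matches the text the page shows.
function Invoke-Cytool {
    param([string[]]$CytoolArgs, [string]$Expect)
    $out = (& $cytool @CytoolArgs 2>&1 | Out-String).Trim()
    if ($out -notmatch $Expect) {
        throw "cytool $($CytoolArgs -join ' ') returned unexpected output: $out"
    }
    $out
}

$ok = 'The operation was successful'
Invoke-Cytool @('log', 'start', "$MaxSizeMB") $ok
try {
    Invoke-Cytool @('log', 'set', $Component, $Level, ('0x{0:X}' -f $Flags)) $ok
    Read-Host 'Tracing is active. Reproduce the issue, then press Enter' | Out-Null
    Invoke-Cytool @('log', 'flush') 'Log session flushed'
}
finally {
    # Always stop the session so tracing is not left running after a failure.
    $stop = Invoke-Cytool @('log', 'stop') 'Log file created at'
}

# Take the ETL path from the stop message and convert it with the default TMF file.
if ($stop -match '(?m)Log file created at\s+(.+?)\s*$') {
    $etl = $Matches[1]
    & $cytool log convert $etl
    Write-Output "Trace file: $etl"
}
```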
Manage Logging of Traps Components on Mac
On Mac endpoints, you can enable logging of one or all processes. On Mac endpoints running OS X 10.10 and OS X 10.11, Cytool outputs the logs to /var/log/traps. On Mac endpoints running macOS 10.12, you can view logs from the Console application.
- Open a terminal as an administrator and navigate to the Traps folder (see Access Cytool).
- Set the log level for a process: Use the cytool log <level> <process | all> command to set the log level of a component, where:
  - <level> is an integer value corresponding to the log level:
    - 1: Fatal error. The application terminated. This is the highest priority.
    - 2: Critical error. The application cannot continue to run successfully.
    - 3: Error. An operation did not complete successfully, but the application as a whole is not affected.
    - 4: Warning. An operation completed with an unexpected result.
    - 5: Notice. Informational message with a higher priority.
    - 6: Info. Informational message, usually denoting the successful completion of an operation.
    - 7: Debug. Debugging message.
    - 8: Trace. Tracing message. This is the message with the lowest priority.
    - 0: Turn off logging.
  - <process> is a Traps process on the Mac endpoint, or use all to set the log level for all processes.
  For example:
      PANM2637HQ:bin jdoe$ sudo ./cytool log 2 all
- To collect logs, use the cytool log collect command.