EPSecLib receives events from the ESX EPP Module (MUX) on the ESXi host.

Log Path and Sample Message

EPSecLib Log Path
/var/log/syslog

EPSecLib messages follow the format: <timestamp> <VM Name> <Process Name><[PID]>: <message>

In the following example, [ERROR] is the type of message and (EPSEC) represents the messages that are specific to Endpoint Protection.

For example:
Oct 17 14:26:00 endpoint-virtual-machine EPSecTester[7203]: [NOTICE] (EPSEC) [7203] Initializing EPSec library build: build-00000

Oct 17 14:37:41 endpoint-virtual-machine EPSecSample: [ERROR] (EPSEC) [7533] Event terminated reading file. Ex: VFileGuestEventTerminated@tid=7533: Event id: 3554.
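
A parser for the message layout above, useful when triaging an exported syslog by message type. This is an added example, not VMware code; the field name ctx_id for the bracketed number after (EPSEC) is an assumption (the page does not name that field), and the third sample line is constructed to show that entries from other processes are skipped.

```python
import re
from collections import Counter

# Layout from the page: <timestamp> <VM Name> <Process Name>[PID]: <message>
# The syslog [PID] is optional: the second sample line on the page omits it.
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<vm>\S+)\s+"
    r"(?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"\[(?P<level>[A-Z]+)\]\s+\((?P<tag>[A-Z]+)\)\s+"
    # Bracketed number after the tag; "ctx_id" is an assumed name.
    r"(?:\[(?P<ctx_id>\d+)\]\s+)?(?P<message>.*)$"
)

# Sample input: the two lines shown on the page, plus one constructed
# non-EPSec syslog line that the parser must ignore.
SAMPLE = """\
Oct 17 14:26:00 endpoint-virtual-machine EPSecTester[7203]: [NOTICE] (EPSEC) [7203] Initializing EPSec library build: build-00000
Oct 17 14:37:41 endpoint-virtual-machine EPSecSample: [ERROR] (EPSEC) [7533] Event terminated reading file. Ex: VFileGuestEventTerminated@tid=7533: Event id: 3554.
Oct 17 14:38:02 endpoint-virtual-machine CRON[7601]: (root) CMD (run-parts /etc/cron.hourly)
"""

def parse_line(line):
    """Return a dict of fields for an (EPSEC)-tagged line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("tag") != "EPSEC":
        return None
    return m.groupdict()

def parse_log(text):
    """Parse every line of text and keep only the EPSEC records."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]

def level_counts(records):
    """Count records per message type ([NOTICE], [ERROR], ...)."""
    return Counter(r["level"] for r in records)

if __name__ == "__main__":
    records = parse_log(SAMPLE)
    for r in records:
        print(r["timestamp"], r["vm"], r["process"], r["level"], r["message"])
    print(dict(level_counts(records)))
```
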

Collecting Logs

To enable debug logging for the EPSec library, which is a component inside the EPP SVM:
  1. Work with the antivirus security vendor to enable console or SSH access to the SVM. Follow the partner-provided instructions to enable console or SSH access.
  2. Log in to the EPP SVM by obtaining the console password from NSX Manager.
  3. Create the /etc/epseclib.conf file and add:

    ENABLE_DEBUG=TRUE

    ENABLE_SUPPORT=TRUE

    The debug logs can be found in /var/log/messages. Because the debug setting can flood the vmware.log file, disable the debug mode as soon as you have collected all the required information.

  4. Change permissions by running the chmod 644 /etc/epseclib.conf command.
  5. Work with the antivirus partner to extract logs generated for the SVM.