The thin agent is installed on the VM Guest OS and detects user logon details.
Log Path and Sample Message
The thin agent consists of GI drivers – vsepflt.sys, vnetwfp.sys (Windows 10 and later).
The thin agent logs are on the ESXi host, as part of the VCenter Log Bundle. The log path is /vmfs/volumes/<datastore>/<vmname>/vmware.log For example: /vmfs/volumes/5978d759-56c31014-53b6-1866abaace386/Windows10-(64-bit)/vmware.log
Thin agent messages follow the format of <timestamp> <VM Name><Process Name><[PID]>: <message>.
In the log example below Guest: vnet or Guest:vsep, indicate log messages related to the respective GI drivers, followed by debug messages.
2017-10-17T14:25:19.877Z| vcpu-0| I125: Guest: vnet: AUDIT: DriverEntry : vnetFilter build-4325502 loaded 2017-10-17T14:25:20.282Z| vcpu-0| I125: Guest: vsep: AUDIT: VFileSocketMgrConnectHelper : Mux is connected 2017-10-17T14:25:20.375Z| vcpu-0| I125: Guest: vsep: AUDIT: DriverEntry : vfileFilter build-4286645 loaded 2017-10-17T18:22:35.924Z| vcpu-0| I125: Guest: vsep: AUDIT: VFileSocketMgrConnectHelper : Mux is connected 2017-10-17T18:24:05.258Z| vcpu-0| I125: Guest: vsep: AUDIT: VFileFltPostOpCreate : File (\Windows\System32\Tasks\Microsoft\Windows\ SoftwareProtectionPlatform\SvcRestartTask) in a transaction, ignore
Enabling vShield Guest Introspection Thin Agent Driver Logging
Because the debug setting can flood the vmware.log file to the point that it throttles, we recommend you disable the debug mode as soon as you have collected all the required information.
This procedure requires you to modify the Windows registry. Before you modify the registry, ensure to take a backup of the registry. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article 136393.
To enable debug logging for the thin agent driver:
-
Click Start > Run. Enter regedit, and click OK. The Registry Editor window opens. For more information seen the Microsoft Knowledge Base article 256986.
- Create this key using the registry editor: HKEY_LOCAL_Machine\SYSTEM\CurrentControlSet\services\vsepflt\parameters.
- Under the newly created parameters key, create these DWORDs. Ensure that hexadecimal is selected when putting in these values:
Name: log_dest Type: DWORD Value: 0x2 Name: log_level Type: DWORD Value: 0x10
Other values for log level parameter key:
Audit 0x1 Error 0x2 Warn 0x4 Info 0x8 Debug 0x10
- Open a command prompt as an administrator. Run these commands to unload and reload the vShield Endpoint filesystem mini driver:
- fltmc unload vsepflt
- fltmc load vsepflt
You can find the log entries in the vmware.log file located in the virtual machine.
Enabling vShield GI Network Introspection Driver Logging
Because the debug setting can flood the vmware.log file to the point that it can make it to throttle, we recommend you disable the debug mode as soon as you have collected all the required information.
- Click Start > Run. Enter regedit, and click OK. The Registry Editor window opens. For more information seen the Microsoft Knowledge Base article 256986.
- Edit the registry:
Windows Registry Editor Version 5.0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vnetwfp\Parameters] "log_level" = DWORD: 0x0000001F "log_dest" = DWORD: 0x00000001
- Reboot the virtual machine.
vsepflt.sys Log File Location
With the log_dest registry settings DWORD: 0x00000001, the endpoint thin agent driver logs into the debugger. Run the debugger (DbgView from SysInternals or windbg) to capture the debug output.
Alternatively, you can set the log_dest registry setting to DWORD:0x000000002, in which case the driver logs will be printed to vmware.log file, which is located in the corresponding virtual machine folder on the ESXi Host.
Enabling UMC logging
The Endpoint Protection user-mode component (UMC) runs within the VMware Tools service in the protected virtual machine.
- On Windows XP and Windows Server 2003, create a tools config file if it doesn’t exist in the following path: C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools\tools.conf.
- On Windows Vista, Windows 7 and Windows Server 2008, create a tools config file if it doesn’t exist in the following path: C:\ProgramData\VMWare\VMware Tools\tools.conf
- Add these lines in the tools.conf file to enable UMC component logging.
[logging] log = true vsep.level = debug vsep.handler = vmx
With the vsep.handler = vmx setting, the UMC component logs into the vmware.log file, which is located in the corresponding virtual machine folder on the ESXi host.
With the following setting logs, the UMC component logs will be printed in the specified log file.
vsep.handler = file vsep.data = c:/path/to/vsep.log