The thin agent is installed on the VM Guest OS and detects user logon details.

Log Path and Sample Message

The thin agent consists of GI drivers – vsepflt.sys, vnetflt.sys, vnetwfp.sys (Windows 10 and later).

The thin agent logs are on the ESXi host, as part of the VCenter Log Bundle. The log path is /vmfs/volumes/<datastore>/<vmname>/vmware.log For example: /vmfs/volumes/5978d759-56c31014-53b6-1866abaace386/Windows10-(64-bit)/vmware.log

Thin agent messages follow the format of <timestamp> <VM Name><Process Name><[PID]>: <message>.

In the log example below Guest: vnet or Guest:vsep, indicate log messages related to the respective GI drivers, followed by debug messages.

For example:

2017-10-17T14:25:19.877Z| vcpu-0| I125: Guest: vnet: AUDIT: DriverEntry :
 vnetFilter build-4325502 loaded
2017-10-17T14:25:20.282Z| vcpu-0| I125: Guest: vsep: 
AUDIT: VFileSocketMgrConnectHelper : Mux is connected
2017-10-17T14:25:20.375Z| vcpu-0| I125: 
Guest: vsep: AUDIT: DriverEntry : vfileFilter build-4286645 loaded
 
2017-10-17T18:22:35.924Z| vcpu-0| I125: Guest: vsep: AUDIT: 
VFileSocketMgrConnectHelper : Mux is connected
2017-10-17T18:24:05.258Z| vcpu-0| I125: Guest: vsep: AUDIT: 
VFileFltPostOpCreate : File (\Windows\System32\Tasks\Microsoft\Windows\
SoftwareProtectionPlatform\SvcRestartTask) in a transaction, ignore
 

Enabling vShield Guest Introspection Thin Agent Driver Logging

Because the debug setting can flood the vmware.log file to the point that it throttles, we recommend you disable the debug mode as soon as you have collected all the required information.

This procedure requires you to modify the Windows registry. Before you modify the registry, ensure to take a backup of the registry. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article 136393.

To enable debug logging for the thin agent driver:

  1. Click Start > Run. Enter regedit, and click OK. The Registry Editor window opens. For more information seen the Microsoft Knowledge Base article 256986.

  2. Create this key using the registry editor: HKEY_LOCAL_Machine\SYSTEM\CurrentControlSet\services\vsepflt\parameters.

  3. Under the newly created parameters key, create these DWORDs. Ensure that hexadecimal is selected when putting in these values:

    Name: log_dest
    Type: DWORD
    Value: 0x2
    
    Name: log_level
    Type: DWORD
    Value: 0x10

    Other values for log level parameter key:

    Audit 0x1
    Error 0x2
    Warn 0x4
    Info 0x8
    Debug 0x10
  4. Open a command prompt as an administrator. Run these commands to unload and reload the vShield Endpoint filesystem mini driver:

    • fltmc unload vsepflt

    • fltmc load vsepflt

    You can find the log entries in the vmware.log file located in the virtual machine.

Enabling vShield GI Network Introspection Driver Logging

Because the debug setting can flood the vmware.log file to the point that it can make it to throttle, we recommend you disable the debug mode as soon as you have collected all the required information.

This procedure requires you to modify the Windows registry. Before you modify the registry, ensure to take a backup of the registry. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article 136393.

  1. Click Start > Run. Enter regedit, and click OK. The Registry Editor window opens. For more information seen the Microsoft Knowledge Base article 256986.

  2. Edit the registry:

    Windows Registry Editor Version 5.0 
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vnetflt\Parameters] 
    "log_level" = DWORD: 0x0000001F
    "log_dest"  = DWORD: 0x00000001 
  3. Reboot the virtual machine.

vsepflt.sys and vnetflt.sys Log File Location

With the log_dest registry settings DWORD: 0x00000001, the Endpoint thin agent driver logs into the debugger. Run the debugger (DbgView from SysInternals or windbg) to capture the debug output.

Alternatively you can set the log_dest registry setting to DWORD:0x000000002, in which case the driver logs will be printed to vmware.log file, which is located in the corresponding virtual machine folder on the ESXi Host.

Enabling UMC logging

The Guest Introspection user-mode component (UMC) runs within the VMware Tools service in the protected virtual machine.

  1. On Windows XP and Windows Server 2003, create a tools config file if it doesn’t exist in the following path: C:\Documents and Settings\All Users\Application Data\VMware\VMware Tools\tools.conf.

  2. On Windows Vista, Windows 7 and Windows Server 2008, create a tools config file if it doesn’t exist in the following path: C:\ProgramData\VMWare\VMware Tools\tools.conf

  3. Add these lines in the tools.conf file to enable UMC component logging.

    [logging]
    log = true
    vsep.level = debug
    vsep.handler = vmx

    With the vsep.handler = vmx setting, the UMC component logs into the vmware.log file, which is located in the corresponding virtual machine folder on the ESXi host.

    With the following setting logs, the UMC component logs will be printed in the specified log file.

    vsep.handler = file
    vsep.data = c:/path/to/vsep.log