The EPSecLib receives events from the ESXi host NSX Guest Introspection Platform Host Agent (MUX).

Log Path and Sample Message

EPSecLib Log Path
/var/log/syslog

EPSecLib messages follow the format of <timestamp> <VM Name><Process Name><[PID]>: <message>

In the following example, [ERROR] is the type of message and (EPSEC) marks messages that are specific to any functionality that uses NSX Guest Introspection Platform.

For example:
Oct 17 14:26:00 endpoint-virtual-machine EPSecTester[7203]: [NOTICE] (EPSEC) [7203] Initializing EPSec library build: build-00000

Oct 17 14:37:41 endpoint-virtual-machine EPSecSample: [ERROR] (EPSEC) [7533] Event terminated reading file. Ex: VFileGuestEventTerminated@tid=7533: Event id: 3554.
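The following parser is an added example, not part of the original page or of any VMware tooling. It splits EPSecLib syslog lines into the fields of the format described above and counts [ERROR] messages per process. The field name epsec_id for the bracketed number after (EPSEC), the helper names, and the third sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample input: the two messages shown above, each on one line,
# plus one constructed non-EPSEC line to show that it is skipped.
SAMPLE = """\
Oct 17 14:26:00 endpoint-virtual-machine EPSecTester[7203]: [NOTICE] (EPSEC) [7203] Initializing EPSec library build: build-00000
Oct 17 14:37:41 endpoint-virtual-machine EPSecSample: [ERROR] (EPSEC) [7533] Event terminated reading file. Ex: VFileGuestEventTerminated@tid=7533: Event id: 3554.
Oct 17 14:38:02 endpoint-virtual-machine sshd[812]: Accepted publickey for admin
"""

# <timestamp> <VM Name> <Process Name>[PID]: [LEVEL] (EPSEC) [id] <message>
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<vm>\S+) "
    # The syslog PID is optional: the second sample message has none.
    r"(?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"\[(?P<level>[A-Z]+)\] \(EPSEC\) "
    # The page does not name this bracketed number; "epsec_id" is an assumption.
    r"(?:\[(?P<epsec_id>\d+)\] )?"
    r"(?P<message>.*)$"
)

def parse_line(line):
    """Return a dict of fields for an EPSEC message, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def parse_log(text):
    """Parse every EPSEC message in a block of syslog text, skipping other lines."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]

def errors_by_process(records):
    """Count [ERROR] messages per process name."""
    return Counter(r["process"] for r in records if r["level"] == "ERROR")

if __name__ == "__main__":
    records = parse_log(SAMPLE)
    for rec in records:
        print(rec["timestamp"], rec["vm"], rec["process"], rec["level"], rec["message"])
    print(dict(errors_by_process(records)))
```
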

Collecting Logs

To enable debug logging for the EPSec library, which is a component inside any service that uses NSX Guest Introspection Platform:
  1. Work with the anti-virus or NSX Malware Prevention security vendor to enable console or SSH access to the SVM. Follow the partner-provided instructions to enable console or SSH access.
  2. Log in to the EPP or NSX Malware Prevention SVM by obtaining the console password from NSX Manager.
  3. Create /etc/epseclib.conf file and add:

    ENABLE_DEBUG=TRUE

    ENABLE_SUPPORT=TRUE

    The debug logs can be found in /var/log/messages (RHEL/SLES/CentOS) or /var/log/syslog (Ubuntu). Because the debug setting can flood the log file under /var/log, disable the debug mode as soon as you have collected all the required information.

  4. Change permissions by running the chmod 644 /etc/epseclib.conf command.
  5. Work with the anti-virus or NSX Malware Prevention partner to extract logs generated for the SVM.
  6. For NSX Malware Prevention, configure the Security Hub VM to enable EPSecLib.