2 Replies Latest reply on May 15, 2012 4:30 AM by dmease729

    Should daily logs always be present?




      We have 2 x 3100 and 4 x 2100 appliances, and the 3100 also act as scan engines.  Scans are only run once a month, and obviously the daily logs fill up nicely!  I am wondering if there is any documentation that details what actually goes into a daily log by default (ie without any registry tweaks) - the main reason I ask is that I am aware that when scans are running the daily logs fill up, when there are certain errors, the daily logs is populated, when you log into the GUI, the logs on the 3100 are populated - the wierd thing is that sometimes (seemingly randomly), the appliances seem to enumerate the component versions and write this to the daily log file.  This would be fine, but there doesnt appear to be a constant schedule for this.


      As a troubleshooting tool, we have a script that simply checks for the presence of daily logs, and if daily logs havent appeared for X days, an alert is sent so we can investigate.  I am trying to determine a reasonable value for X so we dont get spammed with alerts.


      Any help appreciated!



        • 1. Re: Should daily logs always be present?

          Hi Darren,


          it's possible that on a scan engine only system (no scan controller) that you will not see any logs present until/unless there is either:

          1) Scanning occuring

          2) Service(s) Restarts (Scan Engine, or Log Services)


          The log entries you refer to happening on your MVM3000 could be for other services like:
          API Server

          Scan Controller

          Notification (if enabled)



          It's not necessarily going to be a good measure to monitor the logs on your 2100's.  Can you Monitor Services instead? 


          But to your original question.  No there isn't any documentation around it.  Quick synopsis for you:


          LogToDiskSvc messages are logged whenever the following Services are started, or invoked (present on all MVM Systems):




          FSAPI messages are on the MVM System where the API Server is running.  That logs Login Attempts and Portal Actions.


          FSScanCtrl, ResultProcessor messages are on the MVM System where the ScanController service is running.  That logs Scan Start times and ScanEngine<-> Scan Controller communication.


          FSNotification are notification events on the Notification Server.


          ScanEngineSvc, ScanEngine, Discovery, Assessment, WebScanModule, FASLModule, WebFASLModule, WindowsModule, ShellModule, WirelessModule, are all messages that can appear on the system where the Scan Engine is running.


          I hope that helps a bit.


          • 2. Re: Should daily logs always be present?

            Cheers Cathy,


            Very verbose answer indeed, great stuff!