5 Replies Latest reply on Apr 9, 2012 10:14 AM by Kary Tankink

    HIPS Activity log size

    syd

      I have been troubleshooting HIPS clients back and forth at several sites we have. I kept getting frustrated at the size of the HIPS Activity log, as it was averaging more than 100 meg on each client. I researched the McAfee knowledge base and found several good links on how to adjust the size of this log under the HIPS General category on our ePO servers. The setting on the server(s) is at "1", which is supposed to equate to 1 megabyte, right? Even with this setting at "1", the logs are still over 100 meg in size. Is there something else I'm missing? It can be frustrating when troubleshooting, especially if using trace32, as it takes forever before the logs will open.

      Syd

        • 1. Re: HIPS Activity log size
          Kary Tankink

          Which exact file are you seeing over 100mb?  The Activity log reads from the raw data event.log file.  This file should be no larger than the file size set in the HIPS General Client UI policy (Troubleshooting tab).  Other HIPS log files will be up to 100-125mb each (especially if the system has Host IPS debug logging enabled).

          • 2. Re: HIPS Activity log size
            syd

            The log is: c:\programdata\McAfee\Host Intrusion Prevention\HipShield.log. Judging from your response, maybe this is not the log which is referenced in the Client UI settings then. In any case, assuming this is a different animal, is there a way to modify settings for the above log to have it rotate at smaller sizes?

            Thanks for your response!

            • 3. Re: HIPS Activity log size
              Kary Tankink

              Correct, the hipshield.log file is not the HIPS Client UI Activity log.  The hipshield.log file will grow up to 125mb (when client logging is enabled; disabled by default).  You can modify the (other) HIPS logs via the below KB article.

              KB51517 - Host Intrusion Prevention 7.0 agent logging and troubleshooting on Microsoft Windows

              • 4. Re: HIPS Activity log size
                syd

                Thanks Kary, now that's more like it! This I can deal with. Not wanting to push my luck, but since these keys don't come out of the box loaded in the registry and have to be inserted, I was wondering if there may be a way to have them installed with the settings we would like at initial installation from a client task. Is there a switch that can be used for this? Since IPS needs to be disabled on a HIPS client prior to modifying this registry point, I don't see SCCM or a GPO doing this. Just asking...

                Thanks again,

                Syd

                • 5. Re: HIPS Activity log size
                  Kary Tankink

                  "I was wondering if there may be a way to have them installed with the settings we would like at initial installation from a client task. Is there a switch that can be used for this?"

                  Sorry, no, these registry keys would have to be done outside of client deployment.