Diagnostic logging is helpful information that can be used by Microsoft support technicians to help troubleshoot problems that are occurring while Forefront Security Management Console (FSSMC) is not working properly. To accurately diagnose a problem, support engineers typically need a variety of information about FSSMC and the Forefront servers it is managing.

This information consists of diagnostic logs, third-party scan engine updates, registry settings and deployment agent information, among other things.

 

 Gathering this information is a major effort that can hinder the troubleshooting process.

To make it easier for you to collect this information, the FSSMC tool (FSSMC Diagnostics) automates the process, assembling all the necessary data in one file that can then be uploaded to Microsoft. When you contact Microsoft support, you will be told where to upload the file.

 

Information Collected on the FSSMC Server

 

After installing FSSMC, there will be 4 shortcuts created in the Start menu under Microsoft Forefront Server Management Console Diagnostics. They are “Clear Forefront log”, “Disable Forefront log”, “Enable Forefront log” and “Forefront Diagnostic”. If you click on one of these shortcuts, a pop-up DOS window will appear that shows the progress of the tool.

 

FSSMC Diagnostic Shortcuts:

 

Forefront Diagnostic: Collects diagnostic information from the FSSMC server. When the program finishes, it creates a zip file named SEMInfo.zip that includes the files listed below. The SEMInfo.zip file is placed in the Microsoft Forefront Security\Server\Server Management\Diagnostics folder.

Enable Forefront log: Turns on the Forefront log by setting the value of “TraceEventLog” registry to 1.

Disable Forefront log: Turns off the Forefront log by setting the value of “TraceEventLog” registry to 0.

Clear Forefront log: Removes all Forefront logs except the logs in SEMInfo.zip.

 

SEMInfo.zip:

This compressed file contains the following files – unless otherwise stated, these logs are generated by the diagnostics utility.

 

·     COM+_Users.txt: Collects all users associated with the following COM+ FSSMC services:

          Microsoft.SEM.Services

          Microsoft.SEM.NotificationSender

  • GeneralInfo.txt: Provides general information on FSSMC and the system, such as operating system version, FSSMC version, SQL version, Global Assembly Cache.
  • NetShare.txt: Contains the output of “Net Share”.
  • Registry_Software.txt: Collects the FSSMC registry
  • Registry_System.txt: Collects the system registry
  • EventLog_Application: Collects the Application Event Log in .evt format
  • EventLog_Security: Collects the Security Event Log in .evt format
  • EventLog_System: Collects the System Event Log in .evt format
  • DirPermission.txt: Contains access permission information for the directories that FSSMC requires access to.
  • IISInfo.txt: Contains IIS information such as Semconsole path, AppRoot etc.
  • LocalPolicy.inf: Exports User logon rights and privileges to the file.
  • FSSMCInstall.log if it exists. This log exists under system root path and contains FSSMC installation information.

·         Microsoft.FSSMC.installationhelper.InstallLog If it exists, this log is located under the Microsoft Forefront Security\Server\Server Management\Install folder. Provides logging of the .Net installation/registration.

  • FSSMCLog.txt if it exists. This log exists under “Microsoft Forefront Security\Server\Server Management\LogFiles” subfolder of the All User’s “Application Data” path. Provides diagnostic logging for FSSMC. Similar to the Programlog.txt in the Forefront Server products.
  • RedistributionAgent.txt If it exists, this log contains FSS signature update information and is located under “Microsoft Forefront Security\Server\Server Management\LogFiles” subfolder of the All User’s “Application Data” path.
  • SchedulerService.txt: Contains FSSMC scheduled job information. This log exists under “Microsoft Forefront Security\Server\Server Management\LogFiles” subfolder of the All User’s “Application Data” path.
  • LastGood.xml If it exists, this log is located under “Program Files\Microsoft Forefront Security\Server\Server Management\Services\” path. Contains last good engine update information.

·         dirtree.txt: This log generated by this tool. Logs the dir tree under the \\Redistribution\\Cache directory to this file.

·         DownloadEngineFiles.txt If it exists, this log is located under “Documents and Settings\All Users\Application Data\Microsoft Forefront Security\Server\Server Management\LogFiles” path. Provides logging from the DownloadEngineFiles module which downloads all scan engine updates.

·         DeploymentAgent.txt Provides logging for the deploymentagent module.

·         BootStrapper.txt Provides logging from bootstrapper module used  during the installation.

 

Information Collected on the Forefront Server Security Server

 

After deploying an agent to the FSE/FSSP managed server, 4 shortcuts will be created in the Start menu under Microsoft Forefront Server Management Console Remote Diagnostics\Forefront remote log generator\. They are “Clear Forefront log”, “Disable Forefront log”, “Enable Forefront log” and “Forefront Diagnostic”. If you click on one of these shortcuts, a pop-up DOS window will appear that shows the progress of the tool.

 

FSE Diagnostic Shortcuts:

 

Forefront Diagnostic: Collects diagnostic information from the FSSMC server. When the program finishes, it creates a zip file named SEMInfo.zip that includes the files listed below. The SEMInfo.zip file is placed in the Microsoft\FSSMC DeploymentAgent-number folder.

Enable Forefront log: Turns on the Forefront log by setting the value of “TraceEventLog” registry to 1.

Disable Forefront log: Turns off the Forefront log by setting the value of “TraceEventLog” registry to 0.

Clear Forefront log: Removes all Forefront logs except the logs in SEMInfo.zip.

 

SEMInfo_Remote.zip:

This compressed file contains the following files – unless otherwise stated, these logs are generated by the diagnostics utility.

 

  • EventLog_Application: Collects the Application Event Log in .evt format
  • EventLog_Security: Collects the Security Event Log in .evt format
  • EventLog_System: Collects the System Event Log in .evt format
  • ForefrontInstall.log If it exists, this log is located under system root path.
  • SybariCacheDirInfo.txt: Contains all files and sub-directories’ name in C:\WINDOWS\Temp\SybariCache directory.
  • Registry_Software.txt:
  • GeneralInfo.txt: Provides general system and FSSMC/FSS related information such as OS version, Antigen Statistics Service status, FSSMC Deployment account privilege.
  • DeploymentAgent.txt: Contains agent deployment related information. This log exists under “Microsoft Forefront Security\Server\Server Management\LogFiles” subfolder of the All User’s “Application Data” path.
  • FSCStatsServ.txt: Contains information about the FSS calls FSCStatisticsService service to update statistics data. This log exists under “Microsoft Forefront Security\Server\Server Management\LogFiles” subfolder of the All User’s “Application Data” path. Provides logging information for the Statistics module. This module processes the statistics information from FSS
  • PushInstaller.txt: Contains information about PushInstaller service process which is used in the progress of agent deployment. This log exists under “Microsoft Forefront Security\Server\Server Management\LogFiles” subfolder of the All User’s “Application Data” path.
  • StatisticsManagerServer.txt: Contains information about updating statistics data for FSSMC to use. This log exists under “Microsoft Forefront Security\Server\Server Management\LogFiles” subfolder of the All User’s “Application Data” path.
  • HRLog.txt: This log exists under “Microsoft Forefront Security\Exchange Server\Data” folder.
  • ProgramLog.txt: This log exists under “Microsoft Forefront Security\Exchange Server\Data” folder.

·         AEXMLAdapter.txt Provides logging for the aexmladapter module.

·         StatisticsManagerClient.txt Provides logging for the statistics service module.

 

 

Collecting diagnostic data

To collect the diagnostic data to upload to Microsoft for troubleshooting:

 

1.       On the FSSMC server, click the Enable Forefront Log shortcut to enable diagnostic logging.

2.       From FSSMC, deploy an Agent to the FSS server.

3.       On the FSS server, click the Enable Forefront Log shortcut to enable diagnostic logging.

4.       Reproduce the issue.

5.       On the FSSMC server, click the Forefront Diagnostic shortcut to collect the diagnostic logs (SEMInfo.zip).

6.       On the FSS server, click the Forefront Diagnostic shortcut to collect the diagnostic logs (SEMInfo_Remote.zip).

7.       Upload the two compressed files to Microsoft.

 

 

 

Holly Kipp

Microsoft CSS Security Senior Support Engineer