Troubleshooting: How to gather information for support
  • 04 Jan 2021
  • 4 Minutes To Read

This article covers the information the SecureCircle support team needs when you file an issue about the endpoint software.

Windows

Switching logs to Debug level

  • With versions 2.10+, you can change the log level from an administrative CMD prompt by typing:
    • fhtools --log_level=debug
    • The value after log_level= can be any of the following; debug is generally preferred for troubleshooting, and information is the default setting after installation:
      none (turns off logging), fatal, critical, error, warning, notice, information, debug, trace
    • This change does not require a restart of the agent.
  • If you need to change the logging level manually, see Changing log levels for the SecureCircle Endpoint Client and follow that guide.

SecureCircle log locations

The SecureCircle agent logs are located in the following directories:
  • %LOCALAPPDATA%\SecureCircle\logs
    • fhoutlook.log
    • fhshellext.log
    • fhuser.log
    • install.log
  • %SYSTEMROOT%\System32\config\systemprofile\AppData\Local\SecureCircle\logs
    • fhagent.log

The logs in the systemprofile folder require administrative access.

In some cases where an administrator performed the installation on an endpoint, %LOCALAPPDATA% may be missing some log files; those will be found in the AppData folder of the administrative account that performed the installation.

Event Log location

If possible please include the Windows system event logs. They are located in:

  • %SYSTEMROOT%\System32\winevt\Logs

Memory dump locations

System memory dumps can be found in:

  • %SYSTEMROOT%\Memory.dmp
  • %SYSTEMROOT%\Minidump

Application memory dumps can be found in:

  • 32-bit Systems: %PROGRAMFILES%\SecureCircle
  • 64-bit Systems: %PROGRAMFILES(X86)%\SecureCircle

Generate a memory dump

  • Login as an administrative user.

  • Paste the following code into a PowerShell console. It will do the following:

    • Write a registry script CrashOnCtrlScroll.reg to your current directory that changes the following settings:
      • Enable memory dumps

      • Allow forcing a system crash from the keyboard by holding the rightmost CTRL key and pressing SCROLL LOCK twice.

      • The CrashDumpEnabled value can be set depending on the required dump type. In this example, it is set for a complete memory dump.

        CrashOnCtrlScroll.reg (paste as-is: PowerShell requires the closing '@ of a here-string to start at the first column, so the block below is not indented)

@'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kbdhid\Parameters]
"CrashOnCtrlScroll"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\i8042prt\Parameters]
"CrashOnCtrlScroll"=dword:00000001
'@ | Tee-Object CrashOnCtrlScroll.reg


  • Run the resulting .reg file to import the settings into your registry.

  • Restart the system and attempt to reproduce the previously seen issue.

  • If the issue is with the SecureCircle driver and a blue screen appears, a memory dump will be generated.

  • If the issue is with other portions of the SecureCircle software, the system may need to be manually forced to blue screen with the following key combination:
    Right Control + 2x Scroll Lock
    (hold right Control and press Scroll Lock two times)

  • The resulting memory dump will be located at %SYSTEMROOT%\MEMORY.DMP.
    More information on this process can be found in the Microsoft knowledge base.

Gather general system information with msinfo32

msinfo32 displays a comprehensive view of your hardware, system components, and software environment.

  • Start > Run > msinfo32
  • File > Export

macOS

Switching logs to Debug level

  • With versions 2.10+, you can change the log level from a Terminal prompt by typing:
    • fhtools --log_level=debug
    • The value after log_level= can be any of the following; debug is generally preferred for troubleshooting, and information is the default setting after installation:
      none (turns off logging), fatal, critical, error, warning, notice, information, debug, trace
    • This change does not require a restart of the agent or driver.
  • If you need to make this change manually, the configuration file is located at /usr/local/fhfs/bin/fhagent.ini. At the very bottom of the file you will see the entry level=information; change this to level=debug.
  • Once this is done, restart the agent and driver with the following Terminal commands.

    Restart Agent and Driver
    sudo /usr/local/fhfs/bin/scripts/fhloader.sh unload agent
    sudo /usr/local/fhfs/bin/scripts/fhloader.sh unload driver
    sudo /usr/local/fhfs/bin/scripts/fhloader.sh load driver
    sudo /usr/local/fhfs/bin/scripts/fhloader.sh load agent
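The following script is an added example, not SecureCircle's own tooling, covering both the fhtools log-level change and the manual fhagent.ini edit described above (for Windows and macOS). It validates the requested level against the list the article gives before touching anything, rewrites the trailing level= entry of the ini file, and wraps the four fhloader.sh commands for the restart that a manual edit requires. The paths (/usr/local/fhfs/bin/fhagent.ini, fhloader.sh) are those stated in the article; the sample ini contents used in testing are constructed.

```bash
#!/usr/bin/env bash
# Added example (not SecureCircle's own tooling): change the fhagent log level,
# either through fhtools or by editing fhagent.ini directly, and restart the
# agent and driver after a manual edit. Paths are the ones given in the article;
# the ini file is assumed to end with a "level=<name>" line, as the article says.
set -euo pipefail

# Log levels accepted by fhtools --log_level=, as listed in the article.
LEVELS="none fatal critical error warning notice information debug trace"

# valid_level NAME -> exit 0 if NAME is one of the documented levels, else 1.
valid_level() {
    local want=$1 l
    for l in $LEVELS; do
        [ "$l" = "$want" ] && return 0
    done
    return 1
}

# set_level_with_fhtools LEVEL -> the supported path; no restart is required.
set_level_with_fhtools() {
    valid_level "$1" || { echo "unknown log level: $1" >&2; return 1; }
    fhtools --log_level="$1"
}

# get_ini_level FILE -> print the current level name from the level= entry.
get_ini_level() {
    sed -n 's/^level=//p' "$1" | tail -n 1
}

# set_ini_level FILE LEVEL -> rewrite the level= line of FILE (manual path).
# Refuses unknown levels so a typo cannot leave the agent with a bad config.
set_ini_level() {
    local file=$1 level=$2 tmp
    valid_level "$level" || { echo "unknown log level: $level" >&2; return 1; }
    grep -q '^level=' "$file" || { echo "no level= entry in $file" >&2; return 1; }
    # sed -i differs between BSD (macOS) and GNU sed, so go through a temp file.
    # Writing back with cat keeps the original file's owner and permissions.
    tmp=$(mktemp)
    sed "s/^level=.*/level=$level/" "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# restart_agent_and_driver -> the article's restart sequence after a manual edit:
# unload agent, unload driver, load driver, load agent.
restart_agent_and_driver() {
    local loader=/usr/local/fhfs/bin/scripts/fhloader.sh
    sudo "$loader" unload agent
    sudo "$loader" unload driver
    sudo "$loader" load driver
    sudo "$loader" load agent
}

# manual_set_and_restart [LEVEL] -> edit the real ini (default: debug), then restart.
manual_set_and_restart() {
    set_ini_level /usr/local/fhfs/bin/fhagent.ini "${1:-debug}"
    restart_agent_and_driver
}

# Usage on an endpoint (needs sudo for the restart):
#   source ./set_log_level.sh && manual_set_and_restart debug
```

Prefer set_level_with_fhtools on 2.10+ agents, since it needs no restart; the manual path is for older agents or cases where fhtools is unavailable.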

Monitoring logs in real time

Use the following command:

Monitor Logs
log stream --style compact --info --debug --predicate 'type == "logEvent" && ((process == "kernel" and eventMessage CONTAINS "fhdriver") OR process == "fhagent" OR process == "SecureCircle")'

Saving Logs in File

Saving Logs
SAVE ONLY SECURECIRCLE RELATED EVENTS
-------------------------------------
log show --last 1h --info --debug --predicate 'type == "logEvent" && ((process == "kernel" and eventMessage CONTAINS "fhdriver") OR process == "fhagent" OR process == "SecureCircle")' > securecircle_only_events.log

SAVE ALL SYSTEM EVENTS, INCLUDING SECURECIRCLE
----------------------------------------------
log show --last 1h --info --debug > securecircle_all_events.log

*NOTE - "--last 1h" can be adjusted to capture more than the last hour of events.

Generate a dump using sysdiagnose

sysdiagnose gathers system-wide diagnostic information helpful in investigating system performance issues.

What sysdiagnose Collects:

  • A spindump of the system
  • Several seconds of fs_usage output
  • Several seconds of top output
  • Data about kernel zones
  • Status of loaded kernel extensions
  • Resident memory usage of user processes
  • All system logs, kernel logs, opendirectory log, windowserver log, and log of power management events
  • A System Profiler report
  • All spin and crash reports
  • Disk usage information
  • I/O Kit registry information
  • Network status

To run sysdiagnose do the following:

  • Enable Thorough Mode to allow sysdiagnose to generate a kernel trace.
    • Open a Terminal and run:
      touch /var/tmp/.thoroughsysdiagnose
  • Request a sysdiagnose package from the system by pressing the following keys all at once:
    Shift ⇧ + Control + Option + Command ⌘ + Period .
    • The screen will flash as if you are taking a screenshot.
  • It may take seconds to minutes for the archive to be generated.
  • Once finished, a Finder window will open in the directory /private/var/tmp.
  • The filename will be sysdiagnose_YYYY.MM.DD-X...Y.tar.gz

More information on sysdiagnose can be found in the system man pages (man sysdiagnose).
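As an added example (not part of the article or Apple's tooling), the script below enables thorough mode as described and then locates and sanity-checks the newest sysdiagnose archive in /private/var/tmp so the right file is attached to the case. It assumes only what the article states: the marker file path and the sysdiagnose_YYYY.MM.DD-...tar.gz naming, which lets a reverse lexical sort of the names order archives newest first without depending on file timestamps. The archive names used in testing are constructed.

```bash
#!/usr/bin/env bash
# Added example (not Apple's or SecureCircle's tooling): enable thorough mode and
# find the newest sysdiagnose archive. Directory and filename prefix are those
# given in the article.
set -euo pipefail

SYSDIAG_DIR=/private/var/tmp

# enable_thorough_mode -> create the marker file the article says sysdiagnose
# checks before it generates a kernel trace.
enable_thorough_mode() {
    touch /var/tmp/.thoroughsysdiagnose
}

# newest_sysdiagnose [DIR] -> print the path of the most recent
# sysdiagnose_*.tar.gz in DIR, or fail (exit 1) if there is none.
# The name embeds YYYY.MM.DD-time, so comparing names lexically picks the newest.
newest_sysdiagnose() {
    local dir=${1:-$SYSDIAG_DIR} newest="" f
    for f in "$dir"/sysdiagnose_*.tar.gz; do
        [ -e "$f" ] || continue            # unmatched glob stays literal; skip it
        if [ -z "$newest" ] || [[ ${f##*/} > ${newest##*/} ]]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] || { echo "no sysdiagnose archive in $dir" >&2; return 1; }
    printf '%s\n' "$newest"
}

# verify_archive FILE -> 0 if FILE is a readable gzip tarball (catches a
# partially written archive when the capture was still in progress).
verify_archive() {
    tar -tzf "$1" > /dev/null 2>&1
}

# report_newest [DIR] -> print path and size of the archive to attach, after
# confirming it is intact.
report_newest() {
    local f
    f=$(newest_sysdiagnose "${1:-$SYSDIAG_DIR}")
    verify_archive "$f" || { echo "archive $f is incomplete or corrupt" >&2; return 1; }
    du -h "$f"
}

# Usage on a Mac: source this file, run enable_thorough_mode, press the key
# combination from the article, wait for Finder to open, then run report_newest.
```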

Linux

Service Status check

Service status
systemctl status fhagent

Driver Status check

Driver status
lsmod | grep fhfs

Agent logs

Agent logs
journalctl -a -u fhagent

Driver logs

Driver logs
journalctl -ak | grep fhfs
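The script below is an added example, not SecureCircle's own tooling, that runs the four Linux checks above and packages their output for a support case. It also parses the results: the module check matches the first column of lsmod output exactly, because a plain grep for "fhfs" would also match a module that merely lists fhfs in its "Used by" column or has fhfs as part of a longer name. The service name (fhagent) and module name (fhfs) are the ones the article uses; the sample lsmod and systemctl text in the test, including the module name fhfs_helper, is constructed.

```bash
#!/usr/bin/env bash
# Added example (not SecureCircle's own tooling): collect the Linux status and
# log information from the article into one directory and summarise it.
set -euo pipefail

# module_loaded LSMOD_TEXT NAME -> 0 if NAME is a loaded module, i.e. appears in
# the first column of lsmod output (the header line is skipped). Matching whole
# lines, as "lsmod | grep NAME" does, also hits dependants and longer names.
module_loaded() {
    local lsmod_text=$1 name=$2
    printf '%s\n' "$lsmod_text" | awk -v m="$name" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# service_state STATUS_TEXT -> print the state word from the "Active:" line of
# systemctl status output ("active", "inactive", "failed"); empty if absent.
service_state() {
    printf '%s\n' "$1" | awk '$1 == "Active:" { print $2; exit }'
}

# collect_bundle OUTDIR -> run the article's four commands, save each output
# under OUTDIR, write a short summary, and print the path of the tarball.
collect_bundle() {
    local out=$1
    mkdir -p "$out"
    # systemctl status exits non-zero when the unit is not running; keep the text anyway.
    systemctl status fhagent --no-pager > "$out/fhagent-status.txt" 2>&1 || true
    lsmod > "$out/lsmod.txt"
    journalctl -a -u fhagent --no-pager > "$out/fhagent-journal.txt" 2>&1 || true
    # grep exits 1 when nothing matches, which is a valid (if unwelcome) result.
    journalctl -ak --no-pager 2>/dev/null | grep fhfs > "$out/fhfs-kernel.txt" || true
    {
        echo "fhagent state: $(service_state "$(cat "$out/fhagent-status.txt")")"
        if module_loaded "$(cat "$out/lsmod.txt")" fhfs; then
            echo "fhfs module: loaded"
        else
            echo "fhfs module: not loaded"
        fi
    } > "$out/summary.txt"
    tar -czf "$out.tar.gz" -C "$(dirname "$out")" "$(basename "$out")"
    printf '%s\n' "$out.tar.gz"
}

# Usage on an endpoint (kernel messages and some unit logs need root):
#   sudo bash -c 'source ./collect_fhagent_bundle.sh; collect_bundle /tmp/securecircle-$(hostname)'
```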
