Troubleshooting: How to gather information for support
- Updated On 04 Jan 2021
This article will go over the information needed by the SecureCircle support team when filing an issue regarding the endpoint software.
Windows
Switching logs to Debug level
- With versions 2.10+, you can change the log level from an administrative CMD prompt by typing the following:
- fhtools --log_level=debug
- The value after log_level= can be any of the following: none (turns off logging), fatal, critical, error, warning, notice, information, debug, trace. debug is generally preferred for troubleshooting, while information is the default installed setting.
- This change does not require the restart of the agent.
- If you need to change logging levels manually, please navigate to Changing log levels for the SecureCircle Endpoint Client and follow the guide.
SecureCircle log locations
The SecureCircle agent logs are located in the following directories:
- %LOCALAPPDATA%\SecureCircle\logs
- fhoutlook.log
- fhshellext.log
- fhuser.log
- install.log
- %SYSTEMROOT%\System32\config\systemprofile\AppData\Local\SecureCircle\logs
- fhagent.log
The logs in the systemprofile folder require administrative access.
In some cases where the administrator performed the installation on an endpoint, the %LOCALAPPDATA% folder may be missing some log files. These will be found in the AppData folder for the administrative account that performed the installation.
Event Log location
If possible please include the Windows system event logs. They are located in:
- %SYSTEMROOT%\System32\winevt\Logs
Memory dump locations
System memory dumps can be found in:
- %SYSTEMROOT%\Memory.dmp
- %SYSTEMROOT%\Minidump
Application memory dumps can be found in:
- 32-bit Systems: %PROGRAMFILES%\SecureCircle
- 64-bit Systems: %PROGRAMFILES(X86)%\SecureCircle
Generate a memory dump
Log in as an administrative user.
Paste the following code into a PowerShell console. It will do the following:
- Write a registry script CrashOnCtrlScroll.reg to your current directory that changes the following settings:
- Enable memory dumps
- Allow forcing a system crash from the keyboard by holding the rightmost CTRL key and pressing SCROLL LOCK twice.
The CrashDumpEnabled value can be set depending on the required dump type. In this example, it is set for a complete memory dump.
CrashOnCtrlScroll.reg
@'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kbdhid\Parameters]
"CrashOnCtrlScroll"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\i8042prt\Parameters]
"CrashOnCtrlScroll"=dword:00000001
'@ | Tee-Object CrashOnCtrlScroll.reg
Run the resulting .reg file to import the settings into your registry.
Restart the system and attempt to reproduce the previously seen issue.
If the issue is with the SecureCircle driver and a blue screen appears, a memory dump will be generated.
If the issue is with other portions of the SecureCircle software, the system may need to be manually forced to blue screen with the following key combination:
Right Control + 2x Scroll Lock
(hold right Control and press Scroll Lock two times)
The resulting memory dump will be located at %SYSTEMROOT%\MEMORY.DMP.
More information on this process can be found on the Microsoft knowledge base.
Gather general system information with msinfo32
msinfo32 displays a comprehensive view of your hardware, system components, and software environment.
- Start > Run > msinfo32
- File > Export
macOS
Switching logs to Debug level
With versions 2.10+, you can change the log level from a Terminal prompt by typing the following:
- fhtools --log_level=debug
- The value after log_level= can be any of the following: none (turns off logging), fatal, critical, error, warning, notice, information, debug, trace. debug is generally preferred for troubleshooting, while information is the default installed setting.
- This change does not require the restart of the agent and driver.
If you need to make this change manually, the configuration file is located at /usr/local/fhfs/bin/fhagent.ini. At the very bottom of the file, you will see an entry level=information. Change this to level=debug.
Once this is done, you will need to restart the agent and driver using the following Terminal commands.
Restart Agent and Driver
sudo /usr/local/fhfs/bin/scripts/fhloader.sh unload agent
sudo /usr/local/fhfs/bin/scripts/fhloader.sh unload driver
sudo /usr/local/fhfs/bin/scripts/fhloader.sh load driver
sudo /usr/local/fhfs/bin/scripts/fhloader.sh load agent
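One way to script the manual edit described above, checking the requested level against the list in this article before touching the file. This is an added example, not SecureCircle tooling; the function name set_fh_log_level, the .bak backup and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not SecureCircle code: set the last level= entry of an
# fhagent.ini-style file to one of the levels the article lists.
FH_LEVELS="none fatal critical error warning notice information debug trace"

# set_fh_log_level FILE LEVEL
# Returns 0 on success, 2 for an unknown level, 3 when FILE has no level=
# entry, 1 on I/O errors. The previous content is kept as FILE.bak.
set_fh_log_level() {
    fh_file=$1
    fh_level=$2
    fh_known=0
    for fh_l in $FH_LEVELS; do
        if [ "$fh_l" = "$fh_level" ]; then fh_known=1; fi
    done
    if [ "$fh_known" -ne 1 ]; then
        echo "unknown log level: $fh_level" >&2
        return 2
    fi
    [ -f "$fh_file" ] || { echo "no such file: $fh_file" >&2; return 1; }
    # Line number of the last level= entry (empty when there is none).
    fh_last=$(awk '/^[ \t]*level[ \t]*=/ { n = NR } END { if (n) print n }' "$fh_file")
    [ -n "$fh_last" ] || { echo "no level= entry in $fh_file" >&2; return 3; }
    cp -p "$fh_file" "$fh_file.bak" || return 1
    # Rewrite only that line; redirecting into the existing file keeps its
    # owner and mode.
    awk -v n="$fh_last" -v lvl="$fh_level" \
        'NR == n { print "level=" lvl; next } { print }' \
        "$fh_file.bak" > "$fh_file" || return 1
}

# Demo on a constructed sample. The "[logging]" section name is made up; the
# article only states that level=information is at the bottom of the file.
fh_demo=$(mktemp) || exit 1
printf '[logging]\nlevel=information\n' > "$fh_demo"
set_fh_log_level "$fh_demo" debug && tail -n 1 "$fh_demo"
rm -f "$fh_demo" "$fh_demo.bak"
```

Against the real file the function needs sudo, and the agent and driver still have to be restarted with the fhloader.sh commands above for the new level to take effect.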
Monitoring logs in real time
Use one of these commands
Monitor Logs
log stream --style compact --info --debug --predicate 'type == "logEvent" && ((process == "kernel" and eventMessage CONTAINS "fhdriver") OR process == "fhagent" OR process == "SecureCircle")'
Saving Logs in File
Saving Logs
SAVE ONLY SECURE CIRCLE RELATED EVENTS
log show --last 1h --info --debug --predicate 'type == "logEvent" && ((process == "kernel" and eventMessage CONTAINS "fhdriver") OR process == "fhagent" OR process == "SecureCircle")' > securecircle_only_events.log
SAVE ALL SYSTEM EVENTS, INCLUDING SECURE CIRCLE
log show --last 1h --info --debug > securecircle_all_events.log
*NOTE - "--last 1h" can be adjusted to capture more than the last hour of events
Generate a dump using sysdiagnose
sysdiagnose gathers system-wide diagnostic information helpful in investigating system performance issues.
What sysdiagnose Collects:
- A spindump of the system
- Several seconds of fs_usage output
- Several seconds of top output
- Data about kernel zones
- Status of loaded kernel extensions
- Resident memory usage of user processes
- All system logs, kernel logs, opendirectory log, windowserver log, and log of power management events
- A System Profiler report
- All spin and crash reports
- Disk usage information
- I/O Kit registry information
- Network status
To run sysdiagnose do the following:
- Enable Thorough Mode to allow sysdiagnose to generate a kernel trace.
- Open a Terminal and run:
touch /var/tmp/.thoroughsysdiagnose
- Request a sysdiagnose package from the system by pressing the following keys all at once:
Shift ⇧ + Control + Option + Command ⌘ + Period .
- The screen will flash as if you are taking a screenshot.
- It may take seconds to minutes for the archive to be generated.
- Once finished a Finder window will open in the directory /private/var/tmp.
- The filename will be sysdiagnose_YYYY.MM.DD-X...Y.tar.gz
More information on sysdiagnose can be found in the system man pages (man sysdiagnose).
Linux
Service Status check
Service status
systemctl status fhagent
Driver Status check
Service status
lsmod | grep fhfs
Agent logs
logs
journalctl -a -ufhagent
Driver logs
logs
journalctl -ak | grep fhfs
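The four Linux checks above, combined into one script that saves each command's output and exit status and packs them into a single archive for the support ticket. This is an added example, not part of SecureCircle's tooling; the function names and the securecircle_diag_* archive name are assumptions.

```shell
#!/bin/sh
# Added example, not SecureCircle code: run the four Linux checks from this
# article and pack their output into one archive to attach to a ticket.

# capture NAME CMD: run CMD through sh -c and store the command line, its
# combined stdout/stderr and its exit status in $FH_OUT/NAME.txt.
capture() {
    fh_rc=0
    {
        printf '%s\n' "\$ $2"
        sh -c "$2" 2>&1 || fh_rc=$?
        printf '\n[exit status: %s]\n' "$fh_rc"
    } > "$FH_OUT/$1.txt"
}

# collect_fh_diag [DESTDIR]: prints the path of the archive it created.
collect_fh_diag() {
    fh_dest=${1:-.}
    FH_OUT=$(mktemp -d) || return 1
    capture agent_status  'systemctl status fhagent'
    # Exit status 1 here means grep matched no fhfs line in the lsmod output.
    capture driver_status 'lsmod | grep fhfs'
    capture agent_log     'journalctl -a -ufhagent'
    capture driver_log    'journalctl -ak | grep fhfs'
    fh_archive="$fh_dest/securecircle_diag_$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -czf "$fh_archive" -C "$FH_OUT" . || { rm -rf "$FH_OUT"; return 1; }
    rm -rf "$FH_OUT"
    echo "$fh_archive"
}

# Stand-alone run: write the archive to the temp directory and print its path.
collect_fh_diag "${TMPDIR:-/tmp}" || echo "collection failed" >&2
```

Run it as a user who can read the journal so the two log files are not empty.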