Endpoint Analysis Tool - Settings
Enable Endpoint Analysis Logging
There are two ways to enable logging:
- From the Environment Manager console: open the required policy configuration, then from the menu ribbon select the Manage tab > Endpoint Analysis button.
- From the registry on the endpoint:
  - Create the registry key:
    HKLM\Software\AppSense\Environment Manager\Endpoint Analysis\Log Settings
  - In that key, create a DWORD value named Enabled.
  - If logging has not been set within the configuration, setting Enabled to 1 on the endpoint enables Endpoint Analysis logging.
  - If logging is set within the configuration, setting Enabled to 0 does NOT disable logging.
  - Advanced settings can be created as additional values in the same key. To avoid having to log on to each endpoint, administrators can set these values via remote registry; because the key is under HKLM, this requires the Remote Registry service to be running on the endpoint and administrative rights on it. Refer to Advanced Settings Registry Key Values below.
  - When logging is enabled via the registry, a full reboot of the endpoint is required before logging becomes active.
Endpoint Analysis Settings
When logging is enabled, the Endpoint Analysis Settings dialog is displayed in the console:
The dialog allows you to configure analysis logging on an endpoint. Complete the settings as required.
When a configuration with Endpoint Analysis enabled is deployed to an endpoint, an .etl file is generated only when that configuration is first used. If the configuration has the mid-session config changes option set to At logon (the usual setting), the .etl folder and file do not appear until the next logon on the endpoint.
On a reboot, a new .etl file in a new folder is always created.
Section | Setting | Description
---|---|---
General | Logging enabled | Select the checkbox to enable logging; clear it to disable logging.
Storage | Location | The preferred location for the logs. Select the checkbox to use the default location, which is the same as for the configuration (C:\ProgramData\AppSense\Environment Manager).
Storage | Max log folders | The maximum number of log folders to keep before the oldest folders are deleted. Each folder contains a configuration and a single session log file. Folders are deleted after a configuration change or when the core service starts on the endpoint, as on a reboot.
Storage | Max file size (MB) | The maximum size of each .etl file, in megabytes. Once the maximum size is reached the file is overwritten in a continuous cycle, so only the most recent events are retained.
Storage | Keep logs for | The retention time for log folders. Folders older than the specified time are deleted after a configuration change or when the core service on the endpoint starts, as on a reboot. The default retention time is six months.
Advanced settings | Capture process started/stopped condition evaluations | Whether the logs record process started/stopped condition evaluations. Selected by default. Clear the checkbox to filter process started/stopped condition entries out of the log files; the sub-actions and conditions of those process conditions are still captured.
Advanced settings | Min buffers | Minimum number of in-memory buffers used by Event Tracing for Windows (ETW).
Advanced settings | Max buffers | Maximum number of in-memory buffers used by ETW.
Advanced settings | Buffer size (KB) | Size of each in-memory buffer, in kilobytes.
Advanced settings | Flush time (s) | Interval, in seconds, after which the in-memory buffers are flushed to disk. Until this interval passes, events are not in the .etl file and are not visible to the Endpoint Analysis Tool.
The Endpoint Analysis Settings dialog lets administrators configure the settings above. As an alternative, the same settings can be configured in the registry.
Having created the key HKLM\Software\AppSense\Environment Manager\Endpoint Analysis\Log Settings and its Enabled value, the additional settings can be created as values in that key as follows:
Value Name | Type | Dialog Setting Name
---|---|---
Enabled | DWORD | Logging enabled
LogLocation | REG_SZ | Location
MaxLogFiles | DWORD | Max log folders
MaxLogFileSize | DWORD | Max file size (MB)
RetentionTime | DWORD | Keep logs for
MinBuffers | DWORD | Min buffers
MaxBuffers | DWORD | Max buffers
BufferSize | DWORD | Buffer size (KB)
FlushTime | DWORD | Flush time (s)
In every case, if the registry value does not exist the default value is applied.
Endpoint Analysis logs are relatively small, so their disk usage is unlikely to be a problem on most endpoints.
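The following PowerShell script is an added example, not part of the Environment Manager documentation or product, covering both the registry method of enabling logging described above and the advanced values in the table. It creates the Log Settings key, sets Enabled and the DWORD/REG_SZ values by the names the page gives, and reads them back, reporting any absent value as defaulted. It works locally or against a remote endpoint through the Remote Registry service (OpenRemoteBaseKey). The numeric values used as parameter defaults are illustrative choices for this example, not the product defaults, which the page does not list; RetentionTime is deliberately not written because its unit is not documented; the function names are this example's own.

```powershell
# Added example (not from the Environment Manager documentation).
# Assumptions: run as an administrator (HKLM is not writable otherwise); for a
# remote endpoint the Remote Registry service must be running and you need
# administrative rights on that host. A full reboot of the endpoint is still
# required before logging becomes active.

$KeyPath = 'Software\AppSense\Environment Manager\Endpoint Analysis\Log Settings'
$ValueNames = 'Enabled','LogLocation','MaxLogFiles','MaxLogFileSize','RetentionTime',
              'MinBuffers','MaxBuffers','BufferSize','FlushTime'

function Open-LogSettingsKey {
    param([string]$ComputerName, [switch]$Writable)
    # Local HKLM, or the endpoint's HKLM via the Remote Registry service.
    $hive = if ($ComputerName) {
        [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    } else {
        [Microsoft.Win32.Registry]::LocalMachine
    }
    if ($Writable) { return $hive.CreateSubKey($KeyPath) }   # creates the key if missing
    return $hive.OpenSubKey($KeyPath, $false)                # $null if the key is missing
}

function Set-EndpointAnalysisLogging {
    param(
        [string]$ComputerName,
        [string]$LogLocation,          # REG_SZ  Location (omit to keep the default path)
        [int]$MaxLogFiles    = 10,     # DWORD   Max log folders
        [int]$MaxLogFileSize = 50,     # DWORD   Max file size (MB)
        [int]$MinBuffers     = 16,     # DWORD   Min buffers
        [int]$MaxBuffers     = 64,     # DWORD   Max buffers
        [int]$BufferSize     = 64,     # DWORD   Buffer size (KB)
        [int]$FlushTime      = 5       # DWORD   Flush time (s)
    )
    # Illustrative defaults above; the product's own defaults are not listed on the page.
    if ($MinBuffers -gt $MaxBuffers) { throw 'MinBuffers must not exceed MaxBuffers' }
    foreach ($n in $MaxLogFiles, $MaxLogFileSize, $BufferSize, $FlushTime) {
        if ($n -lt 1) { throw 'Sizes, counts and the flush interval must be positive' }
    }
    $key = Open-LogSettingsKey -ComputerName $ComputerName -Writable
    try {
        $dword = [Microsoft.Win32.RegistryValueKind]::DWord
        $key.SetValue('Enabled', 1, $dword)   # has no effect if the configuration sets logging
        foreach ($name in 'MaxLogFiles','MaxLogFileSize','MinBuffers','MaxBuffers','BufferSize','FlushTime') {
            $key.SetValue($name, (Get-Variable -Name $name -ValueOnly), $dword)
        }
        if ($LogLocation) {
            $key.SetValue('LogLocation', $LogLocation, [Microsoft.Win32.RegistryValueKind]::String)
        }
    } finally { $key.Close() }
}

function Get-EndpointAnalysisLogging {
    param([string]$ComputerName)
    # Read back the effective registry settings. A value that does not exist is
    # reported as '(default)' because the product then applies its default.
    $key = Open-LogSettingsKey -ComputerName $ComputerName
    if (-not $key) { return 'Log Settings key does not exist: logging is not enabled via the registry' }
    try {
        foreach ($name in $ValueNames) {
            $data = $key.GetValue($name)
            if ($null -eq $data) { $data = '(default)' }
            [pscustomobject]@{ Value = $name; Data = $data }
        }
    } finally { $key.Close() }
}

# Usage (local endpoint, then reboot it so logging becomes active):
#   Set-EndpointAnalysisLogging -LogLocation 'D:\EMLogs' -FlushTime 2
#   Get-EndpointAnalysisLogging | Format-Table -AutoSize
# Remote endpoint via Remote Registry (hostname is a placeholder):
#   Set-EndpointAnalysisLogging -ComputerName 'ENDPOINT01'
```

Keep the flush interval in mind when reading the output of Get-EndpointAnalysisLogging: a short FlushTime makes events appear in the .etl file sooner, at the cost of more frequent writes, and any value left at '(default)' is governed by the product rather than by this script.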
Related Topics:
Endpoint Analysis Tool - Load Logs
Endpoint Analysis Tool - User Interface