Create a diagnostic package

To diagnose an issue, your support provider may ask you to send a diagnostic package containing debug information for Deep Security Manager, Deep Security Agent, or both.

Deep Security Manager diagnostics

The Deep Security Manager (DSM) diagnostics are provided through a diagnostic package, which may include logs, system information, and a Java Flight Recorder (JFR) recording.

Enable debug logs for Deep Security Manager

In addition to a diagnostic package, your support provider may ask you to enable diagnostic logging.

  1. Go to Administration > System Information.
  2. Click Diagnostic Logging.
  3. In the dialog that appears, select the options requested by your support provider.

    If you have a multi-tenant Deep Security Manager, and the issue that you want to diagnose only occurs with a specific tenant, select that tenant's name in the option that appears. This focuses the debug logs and minimizes performance impacts while debug logging is enabled.

    Some functional areas need more time and disk space to collect enough debug logs. For example, you might need to increase Maximum log file size to 25 MB and the time period to 24 hours for Database-related Issues and Cloud Account Synchronization - AWS.

    If you decrease Maximum number of log files, Deep Security Manager does not automatically delete existing log files that now exceed the maximum. For example, if you reduce from 10 to 5 log files, server5.log to server9.log would all still exist. To reclaim disk space, manually delete those files from the file system.

    While diagnostic logging is running, Deep Security Manager displays the message Diagnostic Logging enabled on the status bar. If you changed the default options, the status bar displays the message Non default logging enabled upon diagnostic logging completion.

  4. To find diagnostic logging files, go to the root directory of the Deep Security Manager and look for file names with the pattern server#.log, such as server0.log.

Do not enable diagnostic logging unless recommended by your support provider. Diagnostic logging can consume large amounts of disk space and increase CPU usage.
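The manual cleanup described in step 3 (log files left behind after Maximum number of log files is lowered) can be scripted. The following is an added example, not part of the product or its documentation. It assumes that retained files are numbered 0 to MAX-1, as in the 10-to-5 example above, and the function names and the directory argument (the Deep Security Manager root directory) are hypothetical.

```shell
#!/bin/sh
# Added example: find server<N>.log files left behind after lowering
# "Maximum number of log files". Assumption from the page's 10 -> 5 example:
# indices 0..MAX-1 are still in use, so any index >= MAX is stale.

# list_stale_dsm_logs DIR MAX -> prints one stale log path per line
list_stale_dsm_logs() {
    dir=$1
    max=$2
    case $max in
        ''|*[!0-9]*) echo "MAX must be a non-negative integer" >&2; return 2 ;;
    esac
    for f in "$dir"/server*.log; do
        [ -f "$f" ] || continue          # unmatched glob or not a regular file
        n=${f##*/server}                 # strip the path and "server" prefix
        n=${n%.log}                      # strip the ".log" suffix
        case $n in
            ''|*[!0-9]*) continue ;;     # ignore names such as server-old.log
        esac
        if [ "$n" -ge "$max" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# remove_stale_dsm_logs DIR MAX -> deletes the stale files, prints the count
remove_stale_dsm_logs() {
    count=0
    list=$(list_stale_dsm_logs "$1" "$2") || return 2
    # Paths are read line by line; DSM-generated log names contain no newlines.
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        rm -f -- "$path" && count=$((count + 1))
    done <<EOF
$list
EOF
    echo "$count"
}
```

Run list_stale_dsm_logs first and review its output before calling remove_stale_dsm_logs with the same arguments.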

Enable Java Flight Recorder for Deep Security Manager

Java Flight Recorder (JFR) collects information related to the Java Virtual Machine (JVM) internal events. JFR can be used for monitoring and troubleshooting DSM issues. You should enable JFR only when requested by your support provider.

  1. Go to Administration > System Information.
  2. Click Diagnostic Logging.
  3. In the dialog that appears, select Enable Java Flight Recorder and then select the amount of time after which the recording terminates.
  4. Optionally, use Maximum recording file size to select the upper limit (in megabytes) for the recording file. If the recording data exceeds the allowed size, JFR discards older data.
  5. Click Save to start recording.

The recording data is saved in a file called dsm.jfr located in the DSM installation directory. While the recording is in progress, the dsm.jfr file size is 0 MB. Data is only added to the file after the recording is finished. By default, the dsm.jfr file is included in the DSM diagnostic package and kept for 7 days. After that, the file is removed.

Create a diagnostic package for Deep Security Manager

  1. Go to Administration > System Information.
  2. Click Create Diagnostic Package.

    The package takes several minutes to create. After the package has been generated, a summary is displayed and your browser downloads a ZIP file containing diagnostic information.

Deep Security Agent diagnostics

For an agent, you can create a diagnostic package in one of the following ways:

  • Via the Deep Security Manager
  • Using the CLI on a protected computer (if the Deep Security Manager cannot reach the agent remotely)

For Linux-specific information on increasing or decreasing the anti-malware debug logging for the diagnostic package, see Increase debug logging for anti-malware in protected Linux instances.

Your support provider may also ask you to collect the following:

Create an agent diagnostic package via Deep Security Manager

Deep Security Manager must be able to connect to an agent remotely to create a diagnostic package for it. If Deep Security Manager cannot reach the agent remotely, or if the agent is using agent-initiated activation, you must create the diagnostic package directly from the agent.

You can create a diagnostic package using a Deep Security Manager as follows:

  1. Go to Computers.
  2. Double-click the name of the computer for which you want to generate the diagnostic package.
  3. Select the Actions tab.
  4. Under Support, click Create Diagnostics Package.
  5. Click Next.

    The package takes several minutes to create. When finished, a summary is displayed and your browser downloads a ZIP file containing diagnostic information.

Note that if System Information is enabled, it might create an extremely large diagnostic package that could have a negative impact on performance. The System Information option is grayed out if you are not a primary tenant or do not have the required rights.

Create an agent diagnostic package via CLI on a protected computer

On Linux, AIX, or Solaris:

  1. Connect to the server for which you want to generate the diagnostic package.
  2. Enter the following command:

    sudo /opt/ds_agent/dsa_control -d

    The output shows the name and location of the diagnostic package: /var/opt/ds_agent/diag

On Windows:

  1. Connect to the computer for which you want to generate the diagnostic package.
  2. Open a command prompt as an administrator and enter the command for your shell.

    In PowerShell:

    & "\Program Files\Trend Micro\Deep Security Agent\dsa_control" -d

    In cmd.exe:

    cd C:\Program Files\Trend Micro\Deep Security Agent

    dsa_control.cmd -d

    The output shows the name and location of the diagnostic package: C:\ProgramData\Trend Micro\Deep Security Agent\diag

Collect debug logs with DebugView

On Windows computers, you can collect debug logs using DebugView software.

Only collect debug logs if your support provider asks for them. CPU usage increases during debug logging, which makes any existing high CPU usage issues worse.

  1. Download the DebugView utility.
  2. If self-protection is enabled, disable it.
  3. Stop the Trend Micro Deep Security Agent service.
  4. In the C:\Windows directory, create a plain text file named ds_agent.ini.
  5. In the ds_agent.ini file, add the following line:

    trace=*

  6. Launch DebugView.exe.
  7. Go to Menu > Capture.
  8. Enable these settings:

    • Capture Win32
    • Capture Kernel
    • Capture Events

  9. Start the Trend Micro Deep Security Agent service.
  10. Export the information in DebugView to a CSV file.
  11. Re-enable self-protection if you disabled it at the beginning of this procedure.