Advanced Log and Log Location Information for Power Users

The information in this article is aimed at users who are comfortable with the Windows registry, PowerShell and Mac/Linux commands. The information in this article can be used to check Agent versions, enable logging, monitor logs, restart EPS logging, and execute searches via CLI.

Windows

How to Enable Logging on a Windows Endpoint (Agent)

Use the following steps to enable logging on a Windows Endpoint:

  1. Open the Windows Run menu (Windows key+R).
  2. Enter "RegEdit" and click the OK button.
  3. Navigate to the following path: 
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Identity Finder\Endpoint Services
  4. In the right-hand pane, right-click in an empty space and, from the sub-menu that appears, perform the following steps:
    1. Select New > DWORD (32 bit) Value.
    2. In the Value name field, enter "LogLevel".
    3. Click the OK button.
    4. Next, right-click on the LogLevel entry you just created and select Modify.
    5. Enter "4" in the Value data field and click the OK button. The values for each level of logging are as follows:
      • Informational messages: set the value to 1.
      • Debugging messages: set the value to 2.
      • Detailed trace messages: set the value to 3.
      • All messages: set the value to 4.
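The same change, scripted so it can be applied and verified consistently across endpoints. This is an added example, not code from the article or from Spirion; the registry path and the meaning of the values 1 to 4 come from the steps above, while the function and parameter names are my own.

```powershell
# Added example (not from the article): set the Endpoint Services LogLevel DWORD
# described above and read it back. Run from an elevated session, since HKLM is written.
$SpirionEpsKey = 'HKLM:\SOFTWARE\Wow6432Node\Identity Finder\Endpoint Services'

# Level names map to the DWORD values listed in the article.
$LogLevels = @{ Informational = 1; Debugging = 2; Trace = 3; All = 4 }

function Set-SpirionLogLevel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Informational', 'Debugging', 'Trace', 'All')]
        [string]$Level,
        [string]$KeyPath = $SpirionEpsKey
    )
    $value = $LogLevels[$Level]

    # The article navigates to this key, so it normally exists already; create it only if missing.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # -Force overwrites an existing LogLevel value, so the function is safe to re-run.
    New-ItemProperty -LiteralPath $KeyPath -Name 'LogLevel' -PropertyType DWord -Value $value -Force | Out-Null

    # Read back what is actually stored so a mistyped path or value is caught immediately.
    return (Get-ItemProperty -LiteralPath $KeyPath -Name 'LogLevel').LogLevel
}

function Get-SpirionLogLevel {
    param([string]$KeyPath = $SpirionEpsKey)
    $prop = Get-ItemProperty -LiteralPath $KeyPath -Name 'LogLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'LogLevel is not set' }
    $name = ($LogLevels.GetEnumerator() | Where-Object Value -eq $prop.LogLevel).Key
    return "LogLevel=$($prop.LogLevel) ($name)"
}

# Usage:
# Set-SpirionLogLevel -Level All   # returns 4
# Get-SpirionLogLevel              # LogLevel=4 (All)
```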

Windows Endpoint (Agent) Log Locations

The following is a list of important log and license file locations on Microsoft Windows machines:

  • Endpoint Service Log (EPS log):
    • C:\ProgramData\Identity Finder\Logs\EPS
    • (Image: Example Windows EPS log directory)
  • Watcher Log (EWS log)
    • C:\ProgramData\Identity Finder\Logs\EWS
  • File Classification Infrastructure Log (FCI* log) - Log for Spirion Shell extension/classification plugin/db
    • C:\ProgramData\Identity Finder\Logs\FCI
  • Spirion Sensitive Data Platform v13.6+ only - Shipper Logs (IFMS log)
    • C:\ProgramData\Identity Finder\Logs\IFMS
  • Catch All Agent Logs (LocalExtLogs)
    • C:\ProgramData\Identity Finder\Logs\LocalExtLogs
  • Svc Monitoring Logs (SMS logs)
    • C:\ProgramData\Identity Finder\Logs\SMS
  • Client Log (Locally Logged-in User (Interactive)):
    • C:\ProgramData\Identity Finder\Logs\SystemSearch
  • Client Logs (Local System Account):
    • C:\Users\<JohnSmith>\AppData\Local\Identity Finder\logs

  • License File Location:
    • C:\Program Files (x86)\Spirion

  • PostgreSQL Logs:
    • C:\ProgramData\Identity Finder\Postgres\Data\pg_log

* File Classification Infrastructure (FCI): This is a feature in Microsoft Windows Server that enables administrators to classify and manage data based on its content. It is often used in conjunction with data management policies to automate tasks like data archiving, retention, and access control.

How to Monitor Logs using Windows PowerShell

Use the following steps to monitor logs using Windows PowerShell commands:

  1. Click the Windows Start menu.
  2. Open Windows PowerShell.
  3. Navigate to the log directory using the following command (the path contains a space, so it must be quoted):
    1. cd "C:\ProgramData\Identity Finder\Logs\EPS"
  4. Next, run the following command:
    1. Get-Content <log file> -Tail 1000 -Wait
    2. -Tail 1000 displays the last 1000 lines of the log; -Wait keeps the file open and prints new lines as they are written, so the command does not return until you press Ctrl+C.
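A small wrapper around the same Get-Content command that selects the correct directory from the log locations listed above and follows the newest file in it. This is an added example, not code from the article or from Spirion; the directory names are from the article, while the function name and the assumption that the most recently written file is the active log are mine.

```powershell
# Added example (not from the article): follow the newest file in one of the Windows
# log directories listed in this article.
$SpirionLogRoot = 'C:\ProgramData\Identity Finder\Logs'

function Watch-SpirionLog {
    param(
        [ValidateSet('EPS', 'EWS', 'FCI', 'IFMS', 'LocalExtLogs', 'SMS', 'SystemSearch')]
        [string]$Log = 'EPS',
        [int]$Lines = 1000,     # same meaning as -Tail 1000 in the article
        [switch]$NoWait         # print the tail once instead of following the file
    )
    $dir = Join-Path $SpirionLogRoot $Log
    if (-not (Test-Path -LiteralPath $dir)) {
        throw "Log directory not found: $dir (is the Agent installed and logging enabled?)"
    }

    # Assumption: the most recently written file is the one the service is appending to.
    $file = Get-ChildItem -LiteralPath $dir -File |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 1
    if ($null -eq $file) { throw "No log files found in $dir" }

    Write-Host "Following $($file.FullName) (Ctrl+C to stop)"
    # -Tail limits the initial output; -Wait keeps the file open and prints new lines as they land.
    if ($NoWait) {
        Get-Content -LiteralPath $file.FullName -Tail $Lines
    } else {
        Get-Content -LiteralPath $file.FullName -Tail $Lines -Wait
    }
}

# Usage: Watch-SpirionLog -Log EPS -Lines 200
```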

MacOS

MacOS Log File Locations

The following is a list of important log and license file locations on MacOS machines:

  • Endpoint Services Log (EPS):
    • /Users/Shared/.identityfinder/Application/{04964656e-7469-7479-2046-696e6465720}/Logs/EPS
  • Client Log (Locally Logged-in User (Interactive)):
    • /Users/spirionuser/Library/Application Support/Identity Finder/Identity Finder Mac Edition/logs
  • Client Log (Local System Account):
    • /Users/Shared/.identityfinder/Application/{04964656e-7469-7479-2046-696e6465720}/Logs/SystemSearch
  • Mac configuration file* (com.identityfinder.macedition.xml):
    • /Library/Preferences
  • License file - identityfinder.lic:
    • User/Library/ApplicationSupport/Preferences/IdentityFinder

*This file is located on Mac Agents and instructs the Agent how to communicate with the Spirion Console.

How to Check the Endpoint (Agent) Version

Procedure:

  1. Open a terminal from your endpoint (Agent).
  2. As the terminal session does not have the locale set, enter the command LANG=C in the terminal.
  3. Change the directory to "MacOS" with the following command:
    1. cd /Applications/Spirion.app/Contents/MacOS/
  4. Run the following command to retrieve the version:
    1. IdentityFinderCmd --version
  5. Change the directory to "Finder" with the following command:
    1. cd /Library/Application\ Support/Identity\ Finder
  6. Change to the EndpointID directory with the following command:
    1. cd /var/lib/.identityfinder/Application/{04964656e-7469-7479-2046-696e6465720}
  7. Delete the EPS settings XML file: epssettings.xml
  8. Check the endpoint (Agent) versions using the following commands:
    1. ./EndpointService --version
    2. ./EndpointWatcher --version
    3. ./UserAgent --version

How to Restart Mac EPS Logging

Use the following command to restart EPS logging in macOS.

  1. On the macOS endpoint, run the following commands from a Terminal:
sudo launchctl unload /Library/LaunchDaemons/com.identityfinder.launchdaemon.plist && sudo launchctl load /Library/LaunchDaemons/com.identityfinder.launchdaemon.plist

Linux

Linux Log File Locations

The following is a list of important log and license file locations on Linux machines:

  • EPS log - /var/lib/.identityfinder/Application/{04964656e-7469-7479-2046-696e6465720}/Logs/EPS
  • EPS svcscript - /etc/init.d
  • EWS svcscriptews - /etc/init.d
  • Client Logs - /var/lib/.identityfinder/Application/{04964656e-7469-7479-2046-696e6465720}/Logs
  • Logs - /var/lib/.identityfinder/Application/{04964656e-7469-7479-2046-696e6465720}/Logs/SystemSearch
  • identityfindersettings.xml - /var/lib/identityfinder/
  • License File - /usr/local/bin/spirion/
  • identitydb.dat - /usr/local/bin/spirion
  • iaCrawl - /usr/local/bin/spirion
  • utils - /usr/local/bin/spirion

How to Check the Endpoint Version

Use the following steps to check the endpoint version of an Agent:

  1. Run the following commands:
    1. cd /usr/local/bin/spirion/bin7/
    2. ./IdentityFinderCmd --version

How to Execute a Search via Command Line Interface (CLI)

  1. IdentityFinderCmd location: /usr/local/bin/spirion
  2. Execute a search:
    1. ./IdentityFinderCmd --searchfile="/home/scottcalo/Documents/testFiles/AccessedDate"

The following parameters are available for command line or script usage.

Parameter (command line or script) / Description

  • --help
    • Show this help message.
  • --jobmode
    • Automatically start a search using the Jobmode configuration.
  • --fcwmode
    • Automatically start a search using the Jobmode configuration.
  • --dwmode
    • Automatically start a search using the Jobmode configuration.
  • --dwprompt arg
  • --configurationfile arg
    • Example: --configurationfile="/folder/configfile.xml"
    • Use the settings specified in the configuration file. Requires the full path to the configuration (.xml) file.
  • --profilepassword arg
    • Example: --profilepassword="myProfilepass"
    • Supply the password to your profile.
  • --filelist arg
    • Example: --filelist="/folder/filelist.txt"
    • Automatically start a search of each file listed in filelist.txt. Requires the full path to a plain text file that contains one filename or folder per line with no additional header or footer information.
  • --searchfile arg
    • Example: --searchfile="/folder/file.ext"
    • Automatically start a search of the specified file or folder. Requires the full path to an individual file or folder to search.
  • --addtovault arg
    • Causes Spirion to create a new encrypted file vault file named originalfilename.ext.idfvault with the specified file inside, and then shred the original file. The encryption used for the file vault is High Spirion encryption (AES-256 bit).
  • --extractfromvault arg
    • Causes Spirion to extract the original file from inside the specified Spirion file vault and then delete the vault file.
  • --passwordvault arg
    • password vault temp
  • --shredlocation arg
    • Example: --shredlocation="folder/file.ext"
    • Shred the specified file or folder.

How to Run Gather Data on Linux

Use the following steps to perform the Gather Data function on Linux machines:

  1. Open a shell prompt on the machine running the client software.
  2. Execute the following command to create the Gather Data output zip in the directory specified by the gatherdatapath argument, for example /tmp:
    1. /usr/local/bin/spirion/IdentityFinderCmd --gatherdata --gatherdatapath="/tmp/Gatherdata/"
  3. Navigate to the directory specified in the gatherdatapath argument.
    1. For example: /tmp
  4. In that directory is a file named "IDFLinuxClientData_<date>_<time>.zip".
    1. Example: IDFLinuxClientData_2013-06-04_14-37-50.zip
