This article provides information regarding the logging created and updated at 'runtime' by the Sophos Management Communication System (MCS).
Note: For details on the installation log files of MCS see article 119621.
Applies to the following Sophos product(s) and version(s)
UTM Managed Endpoint (Windows 2000+)
The main log files for MCS are:
they are found in the directory:
- Windows XP/2003: 'C:\Documents and Settings\All Users\Application Data\Sophos\Management Communication System\Endpoint\logs\'.
- Windows Vista+: C:\ProgramData\Sophos\Management Communication System\Endpoint\logs\'.
The common characteristics of the log files are as follows:
- The log file rotation is the same (5 x 1MB, e.g. McsClient.log, McsClient.log.1, McsClient.log.2, McsClient.log.3, McsClient.log.4 )
- 'McsClient.log' and 'McsAgent.log' are appended to at service start-up rather than a new log file being created.
- The format of each line is:
- Time stamp (UTC)
- Thread ID
- When starting and by default every hour, the log contains configuration information, such as the version of the component and values of configurable values.
Specific information for each is as follows:
- McsClient.log is created by the service 'Sophos MCS Client" (mcsclient.exe).
- Details the communication with Sophos Cloud or a Sophos UTM and proxy discovery information.
- McsClient.log is created by the service 'Sophos MCS Agent" (mcsagent.exe).
- Details the communication with the managed endpoint software such as Sophos AutoUpdate, Sophos Anti-Virus, MCS.
The logging for MCS on Mac may need to be enabled on the computer. To do so:
- In 'Terminal' run the command:
sudo syslog -c 0 -d
- Open 'Console'
Tip: Can be found under Applications | Utilities.
- Select the 'All Messages' filter in Console and filter by the 'Sender' name: 'Sophos Mcs Agent'.
- Once you have obtained the logs, you can disable debug logging by running the following command in 'Terminal':
sudo syslog -c 0 off