How do I retrieve MetaDefender Endpoint logs?

OPTION 1: Collect the logs directly from the MetaDefender Endpoint device

Automatic Collection

Windows (Persistent MetaDefender Endpoint)

1. Download OPSWAT’s Log Collector tool, Here.
2. Run the downloaded file.
3. The zipped log file, which may be very large, will automatically be placed on your desktop, to be forwarded to the OPSWAT team.

macOS (Persistent MetaDefender Endpoint)

1. Download OPSWAT’s Log Collector tool, Here.
2. Run the downloaded file.
3. The zipped log file, which may be very large, will automatically be placed on your desktop, to be forwarded to the OPSWAT team.

Manual Collection

Windows (Persistent MetaDefender Endpoint)

1. Go to the relevant location/s below to collect the required log/s:

• Client logs:

  • Type %ProgramData% into the path bar and hit Enter.
  • Then add \OPSWAT\Gears\logs\ to complete the path.

• Crash dumps:

  • Type %ProgramData% into the path bar and hit Enter.
  • Then add \OPSWAT\Gears\logs\reports to complete the path.

• SDK logs:

  • Type %ProgramData% into the path bar and hit Enter.
  • Then add \OPSWAT\Gears\sdk to complete the path.

• OPG (verification file) logs:

  • Type %HOMEPATH% into the path bar and hit Enter.
  • Then add _ _\Appdata\Local\OPSWAT\Gears\Logs to complete the path.

2. Copy the required log/s, to be compressed (if necessary) and forwarded to the OPSWAT team.

Windows (On-Demand MetaDefender Endpoint)

1. Go to the relevant location/s below to collect the required log/s:

• Client logs:

  • Go to the folder where the MetaDefender Endpoint executable file is stored.
  • Then locate the file named gears-ondemand.log

• Crash dumps:

  • Type %HOMEPATH% into the path bar and hit Enter.
  • Then add \AppData\Local\CrashDump to complete the path.

If On-demand MetaDefender Endpoint is triggered by third-party vendors, go to the relevant location/s below to collect the required log/s:

• Pulse Secure Host Checker:

  • Type %AppData% into the path bar and hit Enter.
  • Then add \Pulse Secure\Host Checker\policy_XXX to complete the path. (so, for example: C:\Users\bob\AppData\Roaming\Pulse Secure\Host Checker\policy_1)

• VMWare Horizon Client:

  • Depending on which Horizon Client version you run, both the On-Demand MetaDefender Endpoint executable file and the log file can be found in one of the locations below:
    • C:\Users<username>\AppData\Local\VMware Horizon View Client\Code Cache<uuid>\
    • C:\Program Files (x86)\VMWare\VMware Horizon View Client\Code Cache<uuid>\

2. Copy the required log/s, to be compressed (if necessary) and forwarded to the OPSWAT team.

macOS (Persistent MetaDefender Endpoint)

1. Open Finder and go to /Library/Logs/Gears/logs, as illustrated in the screenshot below.

2. Copy the required log/s, to be compressed (if necessary) and forwarded to the OPSWAT team.

macOS (On-Demand MetaDefender Endpoint)

1. Go to the relevant location/s below to collect the required log/s:

• Client logs:

  • For MetaDefender Endpoint version 10.5.218.0 or earlier, go to /Desktop/gears-ondemand.log
  • For MetaDefender Endpoint version 10.5.222.0 or later, go to /Users/{username}/Library/Logs/Gears/logs

• Crash dumps:

  • Open Finder and go to /Library/Logs/DiagnosticReports

When running the macOS On-Demand MetaDefender Endpoint as Root, go to the location/s below to collect the required log/s:

• MetaDefender Endpoint logs:

  • Go to /var/root/Desktop/gears-ondemand.log

• Additional malware logs:

  • Go to /Library/Logs/Gears/logs/Metascan-Client-V2.log

2. Copy the required log/s, to be compressed (if necessary) and forwarded to the OPSWAT team.

Linux V4 (Version 15.x.y.z)

1. Go to the location below to collect the required log:

• Client logs:
  • Go to /var/log/opswatclient

2. Copy the required log, to be compressed (if necessary) and forwarded to the OPSWAT team.

Linux V3 (Version 14.0.x.y)

1. Go to the relevant location/s below to collect the required log/s:

• Client logs:

  • Go to /var/log/gears/log

• Error logs:

  • Go to /var/log/gears.err

• Configuration logs:

  • Go to /etc/gears/gears.json

2. Copy the required log/s, to be compressed (if necessary) and forwarded to the OPSWAT team.

Android/iOS

On mobile devices, logs are only stored in the memory, but can be emailed directly from the OPSWAT Mobile App by selecting the Submit Feedback option.

OPTION 2: Retrieve the logs remotely via the MetaDefender IT-OT Access Console

As MetaDefender IT-OT Access account administrator, follow the steps below:

1. Log into the MetaDefender IT-OT Access Console and navigate to Inventory>Devices.
2. Use the Search field to locate the relevant MetaDefender Endpoint device.
3. Click on the chosen device, then access the Select Action drop-down menu in the top right-hand corner of the screen, directly under your username.
4. Select the Fetch log option, as illustrated in the screenshot below.

5. To view the log you fetched: Go to Inventory>Devices>Relevant Device>Events>Device Logs, as illustrated below.