Configuring logs

This page describes how to enable, disable, and configure the logs of the various BigFix components and the audit log files.

For the default paths of the BigFix log files, see Logging paths.

If a log configuration setting is stored as a BigFix Client setting, it is also documented in the List of settings and detailed descriptions.

Root Server log

This log is written by the BESRootServer service and its default name is BESRelay.log. The BESRootServer service is in charge of network communication and directly interacts with other BigFix components. It takes input from the BigFix Console. It downloads BigFix content sites so that the GatherDB service can process them. It downloads files that are mentioned as prefetch items in Fixlets and Tasks. It sends content updates to BigFix Clients and issues management actions to them. It receives reports from BigFix Clients, allowing the FillDB service to process them. It communicates with top-level BigFix Relays. It answers queries from the BigFix Explorer, etc. The Root Server log can help troubleshoot issues relative to: BESRootServer database connection, file downloads, network interactions with other BigFix components, TLS certificates, etc.

The settings to configure this log are stored as BigFix Client settings.

On Windows, each client setting is a registry key that is a child of HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\Settings\Client, is named exactly like the setting, and contains a registry value named value of type REG_SZ, which stores the setting value.

On Linux, client settings affecting the BigFix Server may be stored in the configuration file /var/opt/BESServer/besserver.config, or in the BigFix Client configuration file /var/opt/BESServer/besclient.config, which takes precedence. Each client setting is represented by a section whose name starts with SOFTWARE\BigFix\EnterpriseClient\Settings\Client\ and ends with the setting name. That section contains a line with the text value= followed by the setting value.

  • value (REG_SZ) of _BESRelay_HTTPServer_LogFilePath, the full file path of the log
  • value (REG_SZ) of _BESRelay_HTTPServer_LogFileSizeLimit, the maximum log file size in bytes before rotation occurs, defaults to 52428800 (50 MB)
  • value (REG_SZ) of _BESRelay_HTTPServer_LogFileRotationLimit, the maximum number of files used for log rotation, defaults to 10
  • value (REG_SZ) of _BESRelay_Log_Verbose, 0 to disable verbose logging, 1 to enable it, defaults to 0

Root Server and Relay HTTP logs

The BigFix Server and BigFix Relay components can record all HTTP(S) requests on a dedicated log. If this functionality is enabled, each day a new log file named like YYYYMMDD.log will be created to record all HTTP(S) requests that will be received that day. Logging this information can consume a large amount of space and may severely affect performances, so it is should only be done for troubleshooting purposes.

The settings to configure these logs are stored as BigFix Client settings.

  • value (REG_SZ) of _BESRelay_HTTPServer_HttpLogDirectoryPath, the path of the folder containing the log file, defaults to empty
  • value (REG_SZ) of _BESRelay_HTTPServer_HttpLogExpirationDays, the number of days that a log should be kept for, defaults to 0

No logging occurs if _BESRelay_HTTPServer_HttpLogDirectoryPath is empty or missing. On a fresh installation, that setting is created empty, so HTTP logs are disabled by default.

Root Server and Relay minidumps

On Windows, in addition to the above logs, you can enable the creation of minidumps in case an unexpected exception occurs in the BES Root Server and BESRelay services.

The setting to control this functionality is stored as a BigFix Client setting.

  • value (REG_SZ) of _BESRelay_HTTPServer_WriteMiniDumps, 0 to disable the writing of minidumps, 1 to enable it, defaults to 0

FillDB log

This log is written by the FillDB service (BESFillDB on Linux) and its default name is FillDB.log. The FillDB service processes the BigFix Client reports received by the BESRootServer service. FillDB elaborates that data and updates the main database to reflect the current properties of managed devices, applicability of BigFix content, progress of management actions, and more. The FillDB service also performs the replication of content from other BigFix Server installations, if a DSA is configured. The FillDB log can help troubleshoot issues relative to: FillDB database connection, report processing, and DSA replication.

On Windows, the settings to configure this log are stored in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\FillDB and each setting is represented by a registry value.

On Linux, the same settings are stored in the configuration file /var/opt/BESServer/besserver.config, in the section [SOFTWARE\BigFix\Enterprise Server\FillDB] and each setting is represented by a simple key-value pair.

  • DebugOut (REG_SZ), the full file path of the log, defaults to empty
  • EnableLogging (DWORD), 0 to disable the log, 1 to enable it, defaults to 1
  • EnabledLogs (REG_SZ), the types of information to log, either "all" or a subset of "database;critical;debug;replication", defaults to "critical"
  • LogFileSizeLimit (DWORD), the maximum log file size in bytes before rotation occurs, defaults to 104857600 (100 MB)

No logging occurs if DebugOut is empty or missing.

The maximum number of rotating files used for this log is 10 and it is not configurable.

FillDB Performance log

This log provides provides a stream of performance measurements regarding FillDB operations, mainly regarding the amount of processed reports and the time it took to update the database with the information it received.

On Windows, the settings to configure this log are stored in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\FillDB and each setting is represented by a registry value.

On Linux, the same settings are stored in the configuration file /var/opt/BESServer/besserver.config, in the section [SOFTWARE\BigFix\Enterprise Server\FillDB] and each setting is represented by a simple key-value pair.

  • EnablePerformanceLogging (DWORD), 0 to disable the log, 1 to enable it, defaults to 1
  • PerformanceDataPath (REG_SZ), the full file path of the log, defaults to empty
  • PerfLogFileSizeLimit (DWORD), the maximum log file size in bytes before rotation occurs, defaults to 104857600 (100 MB)

No logging occurs if PerformanceDataPath is empty or missing. On a fresh installation, that setting is created empty, so the FillDB performance log is disabled by default.

The PerfLogFileSizeLimit affects all FillDB performance logs.

The maximum number of rotating files used for this log is 10 and it is not configurable.

FillDB Query Performance log

This log provides provides a stream of measurements regarding the operations that FillDB performs to execute a BigFix Query, including its interactions with the BES Root Server.

On Windows, the settings to configure this log are stored in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\FillDB and each setting is represented by a registry value.

On Linux, the same settings are stored in the configuration file /var/opt/BESServer/besserver.config, in the section [SOFTWARE\BigFix\Enterprise Server\FillDB] and each setting is represented by a simple key-value pair.

  • EnableQueryPerformanceLogging (DWORD), 0 to disable the log, 1 to enable it, defaults to 1
  • PerfLogFileSizeLimit (DWORD), the maximum log file size in bytes before rotation occurs, defaults to 104857600 (100 MB)
  • QueryPerformanceDataPath (REG_SZ), the full file path of the log, defaults to empty

No logging occurs if QueryPerformanceDataPath is empty or missing. On a fresh installation, that setting is created empty, so the FillDB Query performance log is disabled by default.

The PerfLogFileSizeLimit affects all FillDB performance logs.

The maximum number of rotating files used for this log is 10 and it is not configurable.

GatherDB log

This log is written by the GatherDB service (BESGatherDB on Linux) and its default name is GatherDB.log. The GatherDB service processes the BigFix content site data (Fixlets, etc.) downloaded by the BESRootServer service and imports it into the main database. The GatherDB log can help troubleshoot issues relative to: GatherDB database connection and BigFix site import.

On Windows, the settings to configure this log are stored in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\GatherDB and each setting is represented by a registry value.

On Linux, the same settings are stored in the configuration file /var/opt/BESServer/besserver.config, in the section [SOFTWARE\BigFix\Enterprise Server\GatherDB] and each setting is represented by a simple key-value pair.

  • DebugOut (REG_SZ), the full file path of the log, defaults to empty
  • VerboseDebugOut (DWORD), 0 to disable verbose logging, 1 to enable it, defaults to 0

No logging occurs if DebugOut is empty or missing.

There is no setting for enabling log rotation.

Server audit log

This log contains the audit events recorded by the BigFix Server and its name is always server_audit.log.

The BigFix Server audit log file contains information about:
  • logins and logouts via BigFix Console, REST API, Web Reports, WebUI, etc
  • activities performed by the BigFix operators
  • actions sent to the BigFix clients and their cancellations

The settings to configure this log are stored as BigFix Client settings.

  • value (REG_SZ) of _Audit_Logging_LogMaxSize, the maximum log file size in bytes before rotation occurs, defaults to 104857600 (100 MB)
  • value (REG_SZ) of _BESRootServer_Audit_Verbosity, whether SSL connections are logged, either "all" or empty, defaults to empty
  • value (REG_SZ) of _BESServerAudit_Logging_LogDirectoryPath, the path of the folder containing the log file, introduced in Version 11.0.4, default depends on OS

When the size limit is reached, the log file is renamed following the pattern server_audit.YYYYMMDDHHMM.log.

Important: The renamed log files are never deleted. To free space, you must manually delete old log files.

BESAdmin log

This log is written by the BigFix Administration Tool (BESAdmin) and its default name is BESAdminDebugOut.txt. The BigFix Server installer ships with BESAdmin and uses it to perform preinstall and pre-upgrade checks. During a fresh installation or an upgrade, the installer deploys BESAdmin and uses it to conduct several configuration or upgrade operations. BESAdmin is the tool to enact configuration, maintenance, and management tasks on a BigFix Server and its database. Moreover, BESAdmin can manage certificates for the BigFix Explorer and WebUI. The BESAdmin log can help troubleshoot issues relative to: installation, upgrade, database maintenance, certificate rotation, etc.

On Windows, the settings to configure this log are stored in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseServer\BESAdmin and each setting is represented by a registry value.

On Linux, the same settings are stored in the configuration file /var/opt/BESServer/besserver.config, in the section [SOFTWARE\BigFix\Enterprise Server\BESAdmin] and each setting is represented by a simple key-value pair.

  • DebugOut (REG_SZ), the full file path of the log, default depends on OS
  • EnableLogging (DWORD), 0 to disable the log, 1 to enable it, defaults to 1
  • EnabledLogs (REG_SZ), the types of information to log, a subset of "critical;debug;database;performance", defaults to "critical;debug;database"
  • LogFileSizeLimit (DWORD), the maximum log file size in bytes before rotation occurs, defaults to 10485760 (10 MB)

BESAdmin audit log

This log contains the audit events recorded by the BigFix Administration Tool (BESAdmin) and its name is always besadmin_audit.log.

The settings to configure this log are stored as BigFix Client settings.

  • value (REG_SZ) of _BESAdminAudit_Logging_LogDirectoryPath, the path of the folder containing the log file, default depends on OS and user that ran the program
  • value (REG_SZ) of _BESAdminAudit_Logging_LogMaxSize, the maximum log file size in bytes before rotation occurs, defaults to 104857600 (100 MB)

When the size limit is reached, the log file is renamed following the pattern besadmin_audit.YYYYMMDDHHMM.log.

Important: The renamed log files are never deleted. To free space, you must manually delete old log files.

Important: On Windows, when the audit log files for the BigFix Administration Tool are generated in their default location, these files cannot be deleted from the Audit Cleaner Removes old audit log files function when the BigFix Administration Tool is scheduled or is launched with a Windows user different from the one with which the audit log files have been generated.

BESTools log

This log records the execution of BigFix Server maintenance tools andits default name is BESTools.log. In the past, BES Tools was a set of programs used to perform clean up operations on the BigFix Server and its database. Those tools, like the BES Computer Remover, are now part of the BigFix Administration Tool (BESAdmin). The same log is used regardless of whether those tools are run directly via the BESAdmin interface or as scheduled activities.

The settings to configure this log are stored as BigFix Client settings.

  • value (REG_SZ) of _BESTools_Logging_LogMaxSize, the maximum log file size in bytes before rotation occurs, defaults to 5242880 (5 MB)
  • value (REG_SZ) of _BESTools_Logging_LogPath, the full file path of the log, default depends on OS

Console log

This log is written by the BigFix Console.

On Windows, the settings to configure this log are stored in the registry key HKEY_CURRENT_USER\Software\BigFix\Enterprise Console and each setting is represented by a registry value.

  • DebugOut (REG_SZ), the full file path of the log, defaults to empty
  • EnableLogging (DWORD), 0 to disable the log, 1 to enable it, defaults to 1
  • EnabledLogs (REG_SZ), the types of information to log, either "all" or a subset of "critical;debug;performance;timing", defaults to "critical;debug"

No logging occurs if DebugOut is empty or missing. On a fresh installation, that setting is created empty, so the Console log is disabled by default.

Fixlet Debugger log

This log is written by the Fixlet Debugger.

On Windows, the settings to configure this log are stored in the registry key HKEY_CURRENT_USER\Software\BigFix\FixletDebugger and each setting is represented by a registry value.

  • DebugOut (REG_SZ), the full file path of the log, defaults to empty
  • EnableLogging (DWORD), 0 to disable the log, 1 to enable it, defaults to 1
  • EnabledLogs (REG_SZ), the types of information to log, either "all" or a subset of "critical;debug", defaults to "debug"

No logging occurs if DebugOut is empty or missing. On a fresh installation, that setting is created empty, so the Fixlet Debugger log is disabled by default.

Relay log

This log is written by the BESRelay service and its default name depends on the OS. The BigFix Relay acts as a middleman between the BigFix Server and a group of BigFix Clients, creating a hierarchical network structure and taking on part of the Server workload. Multiple BigFix Relays may be chained to create a deeper hierarchy. The BESRelay service forwards BigFix content and administrative commands from the Server to the Clients, and forwards Client reports back to the Server. It can distribute a single file to multiple Clients. The Relay log can help troubleshoot issues relative to: file distribution, network traffic forwarding, TLS certificates, etc.

The settings to configure this log are stored as BigFix Client settings.

They are the same settings used to configure the Root Server log.

Web Reports server log

This log is written by the BESWebReportsServer service. Web Reports can aggregate, filter, and elaborate data from one or more BigFix Servers. It provides dashboards for real-time monitoring and the ability to generate reports about the whole BigFix deployment and the devices in it. Web Reports users can access its UI and design custom reports to show the data they want. The Web Reports log can help troubleshoot issues relative to: Web Reports database connection, communication with BigFix Servers, data aggregation, and report creation.

On Windows, the settings to configure this log are stored in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseServer\BESReports and each setting is represented by a registry value.

On Linux, the same settings are stored in the configuration file /var/opt/BESServer/beswebreports.config, in the section [SOFTWARE\BigFix\Enterprise Server\BESReports] and each setting is represented by a simple key-value pair.

  • Debug (REG_SZ), 0 to exclude details about errors occurring in the Web Reports UI, 1 to print them, defaults to 0
  • EnabledLogs (REG_SZ), the types of information to log, either "all" or a subset of "database;critical;debug;memory;performance;timing;store_usage", defaults to "critical;debug;memory;store_usage"
  • LogFileSizeLimit (DWORD), the maximum log file size in bytes before rotation occurs, defaults to nothing (unlimited)
  • LogOn (DWORD), 0 to disable the log, 1 to enable it, defaults to 1
  • LogPath (REG_SZ), the full file path of the log, defaults to empty

No logging occurs if LogPath is empty or missing. On a fresh installation of Version 11.0.5 or earlier, that setting is created empty, so the Web Reports log is disabled by default.

The maximum number of rotating files used for this log is 10 and it is not configurable.

BigFix Explorer log

This log is written by the BESExplorer service and its default name is BESExplorer.log.

The settings to configure this log are stored as BigFix Client settings.

  • value (REG_SZ) of _BESExplorer_Logging_EnableLogging, 0 to disable the log, 1 to enable it, defaults to 1
  • value (REG_SZ) of _BESExplorer_Logging_EnabledLogs, the types of information to log, a subset of "critical;debug;database;performance", defaults to "critical"
  • value (REG_SZ) of _BESExplorer_Logging_LogMaxSize, the maximum log file size in bytes before rotation occurs, defaults to 5242880 (5 MB)
  • value (REG_SZ) of _BESExplorer_Logging_LogPath, the full file path of the log

Plugin Portal log

This log is written by the BESPluginPortal service and its default name is BESPluginPortal.log.

The settings to configure this log are stored as BigFix Client settings.

  • value (REG_SZ) of _BESPluginPortal_HTTPServer_LogFilePath, the full file path of the log, defaults to empty
  • value (REG_SZ) of _BESPluginPortal_HTTPServer_LogFileRotationLimit, the maximum number of files used for log rotation, defaults to 10
  • value (REG_SZ) of _BESPluginPortal_HTTPServer_LogFileSizeLimit, the maximum log file size in bytes before rotation occurs, defaults to 52428800 (50 MB)
  • value (REG_SZ) of _BESPluginPortal_Log_EnabledLogs, the types of information to log, either "all" or a subset of "critical;debug;events;timing", defaults to "all"
  • value (REG_SZ) of _BESPluginPortal_Log_Verbose, 0 to disable verbose logging, 1 to enable it, defaults to 0

For more information, see BigFix MCM Logging.

Client log

The BigFix Client can keep several logs.

The settings to configure them are stored as BigFix Client settings.

For more information, see Data Collection: BigFix Client.

Format of the audit log messages

Audit entries are presented in a single line and contain the same number of field delimiters. Field delimiters are present even if no value exists for a specific field. Since the format of the audit fields is subject to change over time, each line has a version number as the first entry.

The audit log messages are in the following format:

<format-version>|<timestamp>|<message-priority>|<username>|<event-source>|<event-label>|<event-type>|<ip-address>|<message>
| is the field separator.
  • format-version: The version of the message format. For example, 1.
  • timestamp: The timestamp of the log message, which can be the server timezone or UTC.
  • message-priority: The priority of the log. Possible values are:
    • EMERG (emergency, system non-functioning or unusable)
    • ERROR (error condition)
    • WARN (warning)
    • INFO (informational message)
  • username: The username of the event initiator. In case it is not a user event, then the field is set to SYSTEM.
  • event-source: The source from which the event originates.

    Possible values are: CONSOLE, RESTAPI, WEBUI, WEBREPORTS, PLUGINPORTAL, ADMINTOOL, EXPLORER.

  • event-label: The event or the artifact that is affected.

    Possible values are: USER, SITE, ACTION, ROLE, COMPUTER, AUTHZ, SETTING, DATABASE, FIXLET, TASK, ANALYSIS, BASELINE, COMPUTERGROUP.

  • event-type: The type of the event.

    Possible values are: CREATE, DELETE, UPDATE, LOGIN, LOGOUT, SEARCH.

  • ip-address: The IP address of the component which initiated the event request. For SYSTEM, this is the server IP address.
  • message: The actual log message.
Starting with BigFix version 9.5.11, the server audit logs include also the following items:
  • Messages for deletion of computers from the console or through API.
  • Messages for deletion of actions.

Audit log examples

Following are a few examples of the log messages in the new format:
1|Tue, 05 Sep 2017 10:57:06 -0700|INFO|johndoe|CONSOLE|AUTHZ|LOGIN|172.28.128.5|user “johndoe “ 
(1):Successful log in. (Data Connection)
1|Tue, 05 Sep 2017 10:58:32 -0700|INFO|johndoe|CONSOLE|ACTION|DELETE|172.28.128.5|
Action waitOverrideTest(50) was deleted

In case of audit entries other than those introduced in 9.5.11 or later, the messages are formatted as follows: <format-version>|<timestamp>|<message-priority>||||||<message>. For example:

1|Tue, 05 Sep 2017 10:57:06 -0700|INFO||||||user "johndoe" (1): Successful log in. (Data Connection)

Starting from BigFix 11.0.5, we introduced new audit logs on the BigFix Server related to the following actions:
  • Update Site Subscription (computers)
  • Create/Update/Delete Custom Sites
  • Create/Update/Delete Computer Groups
  • Create/Update/Delete Content (Fixlets, Tasks, Analyses, Baselines)
  • Globally Hide/Unhide Content.

Here are some examples of the new audit logs introduced:

When creating a new Fixlet:
1|Wed, 04 Jun 2025 18:18:17 +0200|INFO|BFAdmin|CONSOLE|FIXLET|CREATE|fe80::c3c3:14d0:994c:9467|
fixlet "Fixlet_Name" (Fixlet_ID) created
When modifying a Task:
1|Wed, 04 Jun 2025 18:18:17 +0200|INFO|BFAdmin|CONSOLE|TASK|UPDATE|fe80::c3c3:14d0:994c:9467|
task "Task_Name" (Task_ID) modified
When deleting a Baseline:
1|Wed, 04 Jun 2025 18:18:17 +0200|INFO|BFAdmin|CONSOLE|BASELINE|DELETE|fe80::c3c3:14d0:994c:9467|
baseline "Baseline_Name" (Baseline_ID) removed
When setting to hide/unhide globally Content:
1|Wed, 04 Jun 2025 18:41:22 +0200|INFO|BFAdmin|CONSOLE||UPDATE|fe80::c3c3:14d0:994c:9467|
Fixlet Id "ID" hide Globally
1|Wed, 04 Jun 2025 18:41:24 +0200|INFO|BFAdmin|CONSOLE||UPDATE|
fe80::c3c3:14d0:994c:9467|Fixlet Id "ID" unhide Globally