You can collect Windows Anti-Malware logs using the following options:

Please reference this article to collect logs using the DSA Support Tool

This option requires the agent service to be restarted, and the setting continues to work even after a reboot.

  1. Disable self-protection. For the step-by-step procedure, click here.
  2. Create a file named ds_agent.ini under the %SystemRoot% directory (example: C:\Windows\ds_agent.ini).
  3. Put one of the following lines inside the file:

     Complete debug logs:   Trace=*

     AM-only logs:          Trace=AM,AMSP,dsp.am.*

     (Note: This step turns off the logging of some DSA modules that is ON by default.)

  4. Restart the Trend Micro Deep Security Agent service.
  5. Open the {AMSP installation folder}\debug\ folder and make sure the Amsp_LocalDebugLog.log file exists.

     Also check that new log entries keep being written to this file. See the notes below for more details about “How to verify the collected logs”.

  6. Collect the diagnostic package. For the step-by-step procedure, click here.
  7. After you are done testing/replicating the issue, disable the AM debug logging:
     1. Delete the ds_agent.ini file.
     2. Restart the DSA service to disable logging.

The trace settings can be changed on-the-fly via a protocol command. To configure the trace settings, go to C:\Program Files\Trend Micro\Deep Security Agent and execute the command that corresponds to the action you want to do.

  1. Change the agent debug logging level with the following command:

       sendCommand --get Trace trace+=AM,AMSP,dsp.am.*

     Note: If you want complete debug logs including the other modules, use the following command instead:

       sendCommand --get Trace trace+=*

  2. Open the {AMSP installation folder}\debug\ folder and make sure the Amsp_LocalDebugLog.log file exists. Also check that new log entries keep being written to this file. See the notes below for more details about “How to verify the collected logs”.
  3. Collect the diagnostic package. Reference https://help.deepsecurity.trendmicro.com/20_0/on-premise/diagnostic.html for more details.
  4. After finishing testing, remember to disable AM logging with the following command:

       sendCommand --get Trace trace-=AM,AMSP,dsp.am.*

Notes:

  1. The debug settings will be disabled after the DSA service is restarted.
  2. The sendCommand utility can be used to send the trace command to the agent with an argument in one of the following formats:
     • trace=(new settings)
     • trace+=(settings to add)
     • trace-=(settings to remove)

     To check the current setting, use the following command:

       sendCommand --get Trace

The following manual steps are required in Deep Security 9.0, 9.6, 10.0 and 11.0 to collect AMSP local mode debug logs.

  1. Disable self-protection and stop the AMSP service.
  2. Go to the AMSP installation folder. By default, it is located under C:\Program Files\Trend Micro\AMSP.
  3. Open the AmspConfig.ini file with administrative permissions.
  4. Set the following parameters and save the changes:

       DebugLogAMSPServiceStart=1
       DebugLogMode=0

     where the values of DebugLogMode are as follows:

       0 - Local mode
       1 - Remote pipe mode

  5. Start the AMSP service.
  6. Open the {AMSP installation folder}\debug\ folder and make sure the Amsp_LocalDebugLog.log file exists.
 
Enabling Local Mode may have a performance impact, so make sure to restore the previous log setting after collecting the AMSP logs. For Deep Security 12.0 and higher versions, users can run the commands above to directly disable the AMSP log.

How to verify the collected logs:

  1. Verify the log file location

     Service Name                   | Log File Folder                                                                       | Log Filename                               | Platform
     Deep Security Agent            | C:\ProgramData\Trend Micro\Deep Security Agent\                                       | ds_agent(-##).log                          | Windows Vista and above
     Deep Security Agent            | C:\Documents and Settings\All Users\Application Data\Trend Micro\Deep Security Agent  | ds_agent(-##).log                          | Older than Windows Vista
     Trend Micro Solutions Platform | C:\Program Files\Trend Micro\AMSP\debug                                               | Amsp_Event.log, Amsp_LocalDebugLog(.#).log | All

  2. Verify collected logs
     • Verify keywords in the collected logs

       Service Name                   | Log Filename   | Keywords
       Deep Security Agent            | ds_agent.log   | [dsp.am.service/5], [AM/5], [AMSP/5]
       Trend Micro Solutions Platform | Amsp_Event.log | Enable debug log:  [EVENT],[Core Command Manager], Attempt to change log level from 0 to 0x1!
                                      |                | Disable debug log: [EVENT],[Core Command Manager], Attempt to change log level from 0x1 to 0!

     • Check that the collected logs contain entries from the period after logging was enabled.
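The two checks above (keywords present, entries inside the window between the enable and disable markers) can be scripted before a diagnostic package is sent off. The following is an added example, not Trend Micro's code: the keywords and the Amsp_Event.log level-change messages are the ones listed above, but the sample log lines are constructed for the demonstration and the timestamp format (YYYY-MM-DD HH:MM:SS at the start of each line) is an assumption, not the product's real format; adjust TS_RE to the real layout of your ds_agent.log.

```python
"""Sanity-check collected Deep Security AM debug logs (added example).

Sample log lines below are constructed; the leading timestamp format is an
assumption about the real log layout.
"""
import re
from datetime import datetime

# Keywords the article lists for ds_agent.log and Amsp_Event.log.
AGENT_KEYWORDS = ("[dsp.am.service/5]", "[AM/5]", "[AMSP/5]")
ENABLE_MARKER = "Attempt to change log level from 0 to 0x1!"
DISABLE_MARKER = "Attempt to change log level from 0x1 to 0!"
# Assumed timestamp prefix; change to match the real log lines.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_ts(line):
    """Return the line's timestamp as a datetime, or None if it has none."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


def debug_window(event_lines):
    """Return (enabled_at, disabled_at) from Amsp_Event.log; either may be None."""
    enabled = disabled = None
    for line in event_lines:
        if ENABLE_MARKER in line and enabled is None:
            enabled = parse_ts(line)
        elif DISABLE_MARKER in line and enabled is not None:
            disabled = parse_ts(line)
    return enabled, disabled


def keyword_hits(agent_lines, start=None, end=None):
    """Count keyword entries in ds_agent.log, optionally only inside [start, end]."""
    counts = {k: 0 for k in AGENT_KEYWORDS}
    for line in agent_lines:
        ts = parse_ts(line)
        if start is not None and (ts is None or ts < start):
            continue
        if end is not None and (ts is None or ts > end):
            continue
        for k in AGENT_KEYWORDS:
            if k in line:
                counts[k] += 1
    return counts


def verify(agent_lines, event_lines):
    """Run both checks and return the window, per-keyword counts and any problems."""
    start, end = debug_window(event_lines)
    problems = []
    if start is None:
        problems.append("no 'enable debug log' marker in Amsp_Event.log")
    hits = keyword_hits(agent_lines, start, end)
    if start is not None and sum(hits.values()) == 0:
        problems.append("no AM debug entries in ds_agent.log inside the debug window")
    missing = [k for k, n in hits.items() if n == 0]
    if missing:
        problems.append("keywords never seen: " + ", ".join(missing))
    return {"window": (start, end), "hits": hits, "problems": problems}


# Constructed sample data standing in for the two collected files.
SAMPLE_EVENT_LOG = [
    "2024-03-01 10:00:00 [EVENT],[Core Command Manager], Attempt to change log level from 0 to 0x1!",
    "2024-03-01 10:30:00 [EVENT],[Core Command Manager], Attempt to change log level from 0x1 to 0!",
]
SAMPLE_AGENT_LOG = [
    "2024-03-01 09:59:00 [AM/5] stale entry written before debug was enabled",
    "2024-03-01 10:05:12 [dsp.am.service/5] scan request received",
    "2024-03-01 10:05:13 [AMSP/5] request forwarded to AMSP",
    "2024-03-01 10:06:00 [AM/5] scan complete",
    "2024-03-01 10:06:01 [AM/3] lower-level line that matches no keyword",
]

if __name__ == "__main__":
    report = verify(SAMPLE_AGENT_LOG, SAMPLE_EVENT_LOG)
    print("debug window:", report["window"])
    print("keyword hits:", report["hits"])
    print("problems:", report["problems"] or "none")
```

On a real collection, read the two files with `open(...).read().splitlines()` and pass them to `verify`; an empty problem list means the package contains what support needs, while the 09:59 line in the sample shows why entries before the enable marker are ignored.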

Enable VMPD debug logs and collect ds_agent.log when troubleshooting issues related to the Anti-Malware feature of the Deep Security Agent.

This option requires the agent service to be restarted, and the setting continues to work even after a reboot.

  1. Create a file named ds_agent.conf under the /etc directory (example: /etc/ds_agent.conf).
  2. Put one of the following lines inside the file:

     Complete debug logs:   Trace=*

     AM-only logs:          Trace=AM,AMSP,dsp.am.*

     Here is a one-liner to enable complete debug logging (the value is quoted so the shell does not expand the asterisk):

       echo 'Trace=*' > /etc/ds_agent.conf

  3. Restart the ds_agent service:

       sudo service ds_agent restart

  4. Collect the diagnostic package. For the step-by-step procedure, click here.

     The log files (ds_agent.log) are located here: /var/opt/ds_agent/diag/

  5. After you are done testing/replicating the issue, disable the AM debug logging:
     1. Delete the /etc/ds_agent.conf file.
     2. Restart the DSA service to disable logging.

The agent writes its log information to disk automatically. All of the tracing and error/warning/information messages go to a disk file named ds_agent.log. This disk file gets rotated automatically and is included in an agent diagnostic package.

The trace settings can be changed on-the-fly via a protocol command. To configure the trace settings, go to /opt/ds_agent/ and execute the command that corresponds to the action you want to do.

  1. Change the agent debug logging level with the following command:

       ./sendCommand --get Trace trace+=*

  2. Collect the diagnostic package. Reference https://help.deepsecurity.trendmicro.com/20_0/on-premise/diagnostic.html for more details.
  3. After finishing testing, remember to disable AM logging with the following command:

       ./sendCommand --get Trace trace-=*

Notes:

  1. The debug settings will be disabled after the DSA service is restarted.
  2. The sendCommand utility can be used to send the trace command to the agent with an argument in one of the following formats:
     • trace=(new settings)
     • trace+=(settings to add)
     • trace-=(settings to remove)

     To check the current setting, use the following command:

       ./sendCommand --get Trace

To enable the VMPD debug logs:

  1. Create the file /var/opt/ds_agent/am/ds_am.ini to hold the debug log settings.
  2. Set the following parameter in ds_am.ini and save the changes (note: "vmpd_log_file_count" and "vmpd_log_file_MB" are supported in DSA 10.2+):

       main=debug_level=8,vmpd_log_file_count=[2~1000],vmpd_log_file_MB=[1~100]

     For example:

       main=debug_level=8,vmpd_log_file_count=50,vmpd_log_file_MB=100

  3. Restart the agent to apply the change:

       service ds_agent restart

  4. The log file is kept in /var/opt/ds_agent/diag; the file name is ds_am.log.
  5. Create a diagnostic package to collect the logs.
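Because a wrong rotation value only shows up after the agent restart, it helps to build and check the ds_am.ini line before writing it. The following is an added example, not Trend Micro's code: it encodes the documented ranges (vmpd_log_file_count 2~1000, vmpd_log_file_MB 1~100, DSA 10.2+), round-trips the line, and estimates the disk the rotated ds_am.log files can occupy; that estimate assumes each rotated file is at most vmpd_log_file_MB in size, which is an assumption rather than a documented guarantee.

```python
"""Build and check the ds_am.ini 'main=' line for VMPD debug logging (added example)."""

# Ranges as documented for DSA 10.2+; debug_level 8 is the value the steps use.
COUNT_RANGE = (2, 1000)
SIZE_MB_RANGE = (1, 100)
DEBUG_LEVEL = 8


def _check_range(name, value, lo, hi):
    """Reject anything that is not an integer inside [lo, hi]."""
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer in [{lo}~{hi}], got {value!r}")


def build_main_line(file_count=50, file_mb=100, debug_level=DEBUG_LEVEL):
    """Return the 'main=' line for ds_am.ini with validated rotation settings."""
    _check_range("vmpd_log_file_count", file_count, *COUNT_RANGE)
    _check_range("vmpd_log_file_MB", file_mb, *SIZE_MB_RANGE)
    return (f"main=debug_level={debug_level},"
            f"vmpd_log_file_count={file_count},vmpd_log_file_MB={file_mb}")


def parse_main_line(line):
    """Parse an existing 'main=' line back into a dict of integer settings."""
    key, _, value = line.strip().partition("=")
    if key != "main":
        raise ValueError("expected a line starting with 'main='")
    settings = {}
    for item in value.split(","):
        k, _, v = item.partition("=")
        settings[k.strip()] = int(v)
    return settings


def max_disk_mb(file_count, file_mb):
    """Upper bound on disk used by rotated ds_am.log files, assuming each
    file is at most file_mb in size (an assumption, not documented)."""
    _check_range("vmpd_log_file_count", file_count, *COUNT_RANGE)
    _check_range("vmpd_log_file_MB", file_mb, *SIZE_MB_RANGE)
    return file_count * file_mb


def write_ds_am_ini(path, file_count=50, file_mb=100):
    """Write the validated line to `path` (the agent reads
    /var/opt/ds_agent/am/ds_am.ini); returns the line written."""
    line = build_main_line(file_count, file_mb)
    with open(path, "w") as fh:
        fh.write(line + "\n")
    return line


if __name__ == "__main__":
    line = build_main_line()
    print(line)
    print("settings:", parse_main_line(line))
    print("max disk MB for 50 x 100 MB:", max_disk_mb(50, 100))
```

The example values from the steps (50 files of 100 MB) allow up to about 5 GB under /var/opt/ds_agent/diag, so check free space there before restarting the agent with those settings.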