How do I deobfuscate or decrypt the logs for the Endpoint Agent?

Article ID: 159585

Products

Data Loss Prevention Endpoint Prevent
Data Loss Prevention Endpoint Discover

Issue/Introduction

The log file on the Endpoint Agent (edpa_ext0.log) is obfuscated/encrypted. Is there a way to view the Endpoint Agent log file?

Resolution

A log viewer tool is available that allows you to view the agent log. This logdump utility is located within the AgentInstaller.zip file.

The logdump executable must be run in the directory containing both the keystore file (ks.ead) and the log file (edpa_ext0.log), and both files must come from the same agent.

*Note: on 14.0 and later agents, sto.ead must also be present in that directory for the tool to function.*

How to execute the logdump tool:

  1. Open a command prompt.
  2. Navigate to the directory where the ks.ead, sto.ead and edpa_ext0.log files are present.
  3. Type the following command:

logdump -log=edpa_ext0.log -p=ToolsPassword > log.txt

The log.txt will contain the deobfuscated logs.

If the password is not entered at the command line, the tool will prompt you for a password.

Note: All Endpoint tools are located in the installation package in the Tools directory.
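The following PowerShell wrapper is an added example, not part of this article or the product: it checks the prerequisites described above before running logdump, warns when sto.ead is absent (required on 14.0 and later), and reads the password interactively rather than leaving it in the shell history. It assumes logdump.exe is in the current directory or on PATH and that the -log= and -p= switches are the only ones needed.

```powershell
# Added example (not from the article): run logdump only when the article's
# prerequisites are met. Assumes logdump.exe is in the current directory or on PATH.
param(
    [string]$LogFile = 'edpa_ext0.log',   # log copied from the agent
    [string]$OutFile = 'log.txt'          # deobfuscated output
)

# ks.ead and the log must both be present and come from the same agent;
# a keystore taken from a different machine will not decode this log.
$missing = @('ks.ead', $LogFile) | Where-Object { -not (Test-Path -LiteralPath $_) }
if ($missing) {
    Write-Error ("Missing in {0}: {1}" -f (Get-Location), ($missing -join ', '))
    exit 1
}

# sto.ead is mandatory on 14.0 and later agents; warn rather than fail, since
# the agent version is not known to this script.
if (-not (Test-Path -LiteralPath 'sto.ead')) {
    Write-Warning 'sto.ead not found: required for agents 14.0 and later.'
}

# Prompt for the tools password instead of typing it into the command line,
# so it does not land in the console history.
$secure = Read-Host -Prompt 'Tools password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Same invocation as the article, with output captured to a text file.
& logdump "-log=$LogFile" "-p=$plain" | Out-File -FilePath $OutFile -Encoding utf8
if ($LASTEXITCODE -ne 0) {
    Write-Error "logdump exited with code $LASTEXITCODE"
    exit $LASTEXITCODE
}
Write-Host "Deobfuscated log written to $OutFile"
```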