search cancel

How do I deobfuscate or decrypt the logs for the Endpoint Agent?


Article ID: 159585


Updated On:


Data Loss Prevention Endpoint Prevent Data Loss Prevention Endpoint Discover


The log file on the Endpoint Agent (edpa_ext0.log) is obfuscated/encrypted.  Is there a way to view the Endpoint Agent log file?


A log viewer tool is available that allows you to view the agent log.  This logdump utility is located within the file.

The logdump executable must be executed in the directory containing both the keystore file ( ks.ead ) and log file ( edpa_ext0.log ) from the same agent.

*Note: on 14.0 and later systems sto.ead must also be present for the tool to function*

How to execute the logdump tool:

  1. Open a command prompt.
  2. Navigate to the directory where the  ks.ead, sto.ead  and edpa_ext0.log files are present.
  3. Type the following command:

logdump -log=edpa_ext0.log -p=ToolsPassword > log.txt

The log.txt will contain the deobfuscated logs.

If the password is not entered at the command line, the tool will prompt you for a password.

Note: All Endpoint tools are located in the installation package in the Tools directory.