The Endpoint Agent's edpa_ext0.log file in the Endpoint Agent directory contains information about any message that is processed.
By default, the edpa_ext0.log is obfuscated. See TECH222092 on how to deobfuscate this file.
Each request the agent handles is assigned a Request Id (the request number), and that number is written on every log line relating to the processing of that request; in the log it appears as "Request Id #106" and, in the shorter form, as "req#106". Once the file has been deobfuscated, you can search for the Request Id within the file to follow the processing of that request from start to finish.
Here are two examples of a request being processed: one that does not produce an incident, and one where an incident is created.
Example of a request being processed that doesn't create an incident:
03/04/2009 10:06:54 | 4336 | INFO | MessageLogger | MESSAGETYPE_DETECTION_REQUEST MESSAGESOURCE_FILE_SYSTEM_CONNECTOR 03/04/2009 10:06:15 [
Request Id #106
Detection Request Details :
Session Command : Single Request
Request Type : Data In Motion Request
Dim Detection Request Details :
Process Id : 2368
Process Path : \Device\HarddiskVolume1\WINDOWS\explorer.exe
Application Name : Microsoft® Windows® Operating System Windows Explorer
User : First_Last
Domain : ENTERPRISE
Time Stamp : 01/14/1970 23:23:09
Dim Event Type : File System
DIM File Detection Request Details :
file: C:\Documents and Settings\aglockner\Recent\endpoint.lnk
03/04/2009 10:06:54 | 4336 | INFO | MessageLogger | MESSAGETYPE_SCHEDULE_DETECTION MESSAGESOURCE_DETECTION_CACHE 03/04/2009 10:06:54 [req#106]
03/04/2009 10:06:54 | 4336 | INFO | MessageLogger | MESSAGETYPE_DETECTION_RESULT MESSAGESOURCE_DETECTION 03/04/2009 10:06:54 [req#106 SUCCESS no incidents]
03/04/2009 10:06:54 | 4336 | INFO | MessageLogger | MESSAGETYPE_DETECTION_RESPONSE MESSAGESOURCE_POSTPROCESSOR 03/04/2009 10:06:54 [Request Id #106 SUCCESS allow
03/04/2009 10:06:54 | 4336 | INFO | MessageLogger | MESSAGETYPE_START_DETECTION MESSAGESOURCE_DETECTION_SCHEDULER 03/04/2009 10:06:54 [req#106]
Example of a request being processed that creates an incident:
Request Id #1655
Detection Request Details :
Session Command : Session Continue Request
Session Id : {929F7583-27AC-4C52-82D9-DC6A3654C404}
Request Type : Data In Motion Request
Dim Detection Request Details :
Process Id : 956
Process Path : \Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe
Application Name : Microsoft Internet Explorer
User : First_Last
Domain : ENTERPRISE
Time Stamp : 03/04/2009 10:08:32
Dim Event Type : HTTP(S)
HTTP(S) Details :
URL :
http://mail.google.com/mail/?ui=2&ik=2f295f4f11&at=xn3j2xzg8ss0y7hlbc1018js5frhba&view=up&act=sm&jsid=60eul0-qczu8v&cmid=1&rt=h&zx=t0ysph-yl24a8
Network Info Details :
Source IP : 10.20.24.36
Source Port : 2904
Source Domain :
Destination IP : 10.125.19.18
Destination Port : 80
Destination Host Name : mail.google.com
]
03/04/2009 10:08:32 | 4336 | INFO | MessageLogger | MESSAGETYPE_SCHEDULE_DETECTION MESSAGESOURCE_DETECTION_CACHE 03/04/2009 10:08:32 [req#1655]
03/04/2009 10:08:32 | 4336 | INFO | MessageLogger | MESSAGETYPE_START_DETECTION MESSAGESOURCE_DETECTION_SCHEDULER 03/04/2009 10:08:32 [req#1655]
03/04/2009 10:08:32 | 4336 | INFO | MessageLogger | MESSAGETYPE_DETECTION_RESULT MESSAGESOURCE_DETECTION 03/04/2009 10:08:32 [req#1655 SUCCESS has incidents]
03/04/2009 10:08:32 | 4336 | INFO | MessageLogger | MESSAGETYPE_DETECTION_RESPONSE MESSAGESOURCE_POSTPROCESSOR 03/04/2009 10:08:32 [
Request Id #1655 SUCCESS prevent
Scan Time : 0 ms]
NOTE: The MESSAGETYPE_DETECTION_RESULT line indicates whether or not the request produced incidents ("no incidents" or "has incidents"). The MESSAGETYPE_DETECTION_RESPONSE line indicates the action the agent took as a result, i.e. whether or not the operation was prevented ("allow" or "prevent").
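As an added example (not part of the original article or of the Endpoint Agent itself), the following Python script follows each Request Id through a deobfuscated edpa_ext0.log the way the walk-through above describes: it groups header lines with their multi-line "[ ... ]" bodies, picks up the request number in either spelling, and records the DETECTION_RESULT ("no incidents" / "has incidents") and DETECTION_RESPONSE ("allow" / "prevent") for each request. The sample log is constructed to match the layout of the excerpts above; the record header pattern and the two request-number spellings are assumptions taken from those excerpts.

```python
import re
from collections import defaultdict
# Record header: "timestamp | thread | level | logger | payload"; the body may continue on following lines
HEADER = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} \| \d+ \| \w+ \| \w+ \| .*$")
MSGTYPE = re.compile(r"MESSAGETYPE_(\w+)")
REQ_ID = re.compile(r"(?:req#|Request Id #)(\d+)")             # both spellings seen in the log
RESULT = re.compile(r"SUCCESS (no incidents|has incidents)")   # carried by DETECTION_RESULT
RESPONSE = re.compile(r"SUCCESS (allow|prevent)")              # carried by DETECTION_RESPONSE
# Constructed sample laid out like the article's excerpts (not a real capture)
SAMPLE_LOG = """\
03/04/2009 10:06:54 | 4336 | INFO | MessageLogger | MESSAGETYPE_DETECTION_REQUEST MESSAGESOURCE_FILE_SYSTEM_CONNECTOR 03/04/2009 10:06:15 [
Request Id #106
]
03/04/2009 10:06:54 | 4336 | INFO | MessageLogger | MESSAGETYPE_DETECTION_RESULT MESSAGESOURCE_DETECTION 03/04/2009 10:06:54 [req#106 SUCCESS no incidents]
03/04/2009 10:06:54 | 4336 | INFO | MessageLogger | MESSAGETYPE_DETECTION_RESPONSE MESSAGESOURCE_POSTPROCESSOR 03/04/2009 10:06:54 [Request Id #106 SUCCESS allow]
03/04/2009 10:08:32 | 4336 | INFO | MessageLogger | MESSAGETYPE_DETECTION_RESULT MESSAGESOURCE_DETECTION 03/04/2009 10:08:32 [req#1655 SUCCESS has incidents]
03/04/2009 10:08:32 | 4336 | INFO | MessageLogger | MESSAGETYPE_DETECTION_RESPONSE MESSAGESOURCE_POSTPROCESSOR 03/04/2009 10:08:32 [
Request Id #1655 SUCCESS prevent
Scan Time : 0 ms]
"""

def split_records(log_text):
    """Group lines into records: a header line plus the continuation lines of its '[ ... ]' body."""
    records = []
    for line in log_text.splitlines():
        if HEADER.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)
    return ["\n".join(r) for r in records]

def trace_requests(log_text):
    """Map each Request Id to its message types, its detection result and its final response."""
    trace = defaultdict(lambda: {"events": [], "result": None, "response": None})
    for rec in split_records(log_text):
        rid, mtype = REQ_ID.search(rec), MSGTYPE.search(rec)
        if not rid or not mtype:
            continue  # record not tied to a request
        entry = trace[rid.group(1)]
        entry["events"].append(mtype.group(1))
        if mtype.group(1) == "DETECTION_RESULT" and (m := RESULT.search(rec)):
            entry["result"] = m.group(1)      # were incidents found?
        elif mtype.group(1) == "DETECTION_RESPONSE" and (m := RESPONSE.search(rec)):
            entry["response"] = m.group(1)    # was the action allowed or prevented?
    return dict(trace)

def prevented_requests(log_text):
    """Request Ids that ended in 'prevent': the ones to review first during triage."""
    return sorted(r for r, e in trace_requests(log_text).items() if e["response"] == "prevent")
```

Running trace_requests over a real deobfuscated log gives one entry per request, so a request that shows "has incidents" but no "prevent" response stands out immediately.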