How can the Data Loss Prevention (DLP) Endpoint Agent logs be collected?
Note: Before collecting log files you will generally want to have the FINEST level logging set, then reproduce the issue and collect the logs. See Increase the logging level of DLP agents to FINEST for instructions on how to enable the FINEST level logging.
There are two general methods to gathering the agent log files. The first method is to remotely pull the logs via the Enforce console from the clients. Use the first method whenever possible. The second method is to collect the logs locally from the client by using the endpoint agent logdump tool or by deobfuscating the log files. The second method is used when the agent has no connectivity to the enforce console and the agent needs to be diagnosed.
Method 1: Remotely Pull Logs From Enforce Console
Gathering the Endpoint Agent logs directly from the Enforce UI is a two-step process in which an Endpoint Agent task is sent from the Enforce Server to the Endpoint Agent. Once the task is complete, then the logs can be gathered from the Endpoint Server.
Step 1: Instruct Agent to upload files to Endpoint Server
A task running icon (clipboard with the play button) should now appear next to the agent. Once the log files have been collected from the agent this should disappear. Wait for the task running icon to disappear before moving to step 2.
Step 2: Collect logs from Endpoint Server
Once the task has been sent to the Endpoint Agent use the following steps to gather the Endpoint Agent logs from the Endpoint Servers.
An "in Progress" and "waiting to receive files from x servers" message should appear below the check boxes. Once the log files are available a link will appear to download a .zip file that contains the logs.
Method 2: Local Agent Log File Collection
This method is used when the agent is unable to connect to the server and upload the files. There are two options when collecting the agent log files locally. The first is to deobfuscate the logs. The second is to use the logdump utility. See Agent Install Source Files Information to get the agent tools needed for this method.
Option 1: Deobfuscate the logs
To deobfuscate the log file you can use the update_configuration.exe (windows only and versions earlier than and including DLP 15.0) as described in Increase the logging level of DLP agents to FINEST. The second option is to use the vontu_sqlite3 (Mac and Windows clients) tool to update the configuration table in the cg.ead and set Obfuscate to 0 for the Logging setting (also detailed in Increase the logging level of DLP agents to FINEST)
Example steps of using deobfuscating tools
Option 2: Use the logdump utility
The log dump utility can be used to read the obfuscated logs and then save them to a readable file. The main downside is that if the FINEST level logging is not set then the log files may not have the needed information to diagnose the issue.
Example steps using logdump utility: