
Steps to collect the Endpoint Agent logs


Article ID: 160766


Products: Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Discover, Data Loss Prevention

Issue/Introduction

How can the Data Loss Prevention (DLP) Endpoint Agent logs be collected?

Resolution

Note: Before collecting log files you will generally want to set the logging level to FINEST, then reproduce the issue and collect the logs. See Increase the logging level of DLP agents to FINEST for instructions on how to enable FINEST level logging.

There are two general methods of gathering the agent log files. The first method is to pull the logs remotely from the clients via the Enforce console. Use the first method whenever possible. The second method is to collect the logs locally on the client, either with the endpoint agent logdump tool or by deobfuscating the log files. The second method is used when the agent has no connectivity to the Enforce console and still needs to be diagnosed.

Method 1: Remotely Pull Logs From Enforce Console

Gathering the Endpoint Agent logs directly from the Enforce UI is a two-step process in which an Endpoint Agent task is sent from the Enforce Server to the Endpoint Agent. Once the task is complete, then the logs can be gathered from the Endpoint Server.

Step 1: Instruct Agent to upload files to Endpoint Server

  1. Go to System > Agent Overview
  2. Select the affected agent.
    (Screenshot: DLP 14.6 Console)
  3. After selecting the affected agent, open the drop-down menu and select "Pull Logs".
  4. Select Agent logs, then click OK.

A task running icon (clipboard with the play button) should now appear next to the agent. Once the log files have been collected from the agent this should disappear. Wait for the task running icon to disappear before moving to step 2.

Step 2: Collect logs from Endpoint Server

Once the task has been sent to the Endpoint Agent use the following steps to gather the Endpoint Agent logs from the Endpoint Servers.

  1. Go to System > Server > Logs
  2. Select the drop-down and choose the Endpoint Server.
  3. Select the Agent logs check box and, if needed, the Enforce logs check box.
  4. Select the Collect Logs button.

An "In Progress" and "waiting to receive files from x servers" message should appear below the check boxes. Once the log files are available, a link will appear to download a .zip file that contains the logs.


Method 2: Local Agent Log File Collection

This method is used when the agent is unable to connect to the server and upload the files. There are two options when collecting the agent log files locally. The first is to deobfuscate the logs. The second is to use the logdump utility. See Agent Install Source Files Information to get the agent tools needed for this method.

Option 1: Deobfuscate the logs

To deobfuscate the log file you can use update_configuration.exe (Windows only, and only on versions up to and including DLP 15.0) as described in Increase the logging level of DLP agents to FINEST. The second option is to use the vontu_sqlite3 tool (Mac and Windows clients) to update the configuration table in cg.ead and set Obfuscate to 0 for the Logging setting (also detailed in Increase the logging level of DLP agents to FINEST).

Example steps using the deobfuscating tools:

  1. Copy the endpoint tools to the client machine
  2. Stop the DLP Agent (use the service_shutdown tool)
  3. Delete or rename the old log files
  4. Start the DLP Agent
  5. Run the tool to deobfuscate the log (either update_configuration or vontu_sqlite3)
  6. Stop the DLP Agent
  7. Start the DLP Agent
  8. Verify the edpa logs are readable
  9. Duplicate the issue
  10. Collect the log files (edpa*.log) for support
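Steps 8 and 10 above can be scripted: an obfuscated edpa log is mostly non-printable bytes, while a deobfuscated one is plain text. The following is an added example (not a Symantec tool) that checks each edpa*.log in an agent log directory for readability and zips only the readable ones for support; the sample files it creates are constructed, not real agent output, and the 95% printable-byte threshold is an assumption that tolerates a few non-ASCII characters in paths or usernames.

```python
"""Check whether DLP Endpoint Agent edpa*.log files are deobfuscated and bundle them."""
import glob
import os
import string
import tempfile
import zipfile

PRINTABLE = set(string.printable.encode("ascii"))


def is_readable_log(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: a deobfuscated edpa log is text, so nearly every byte is printable ASCII.
    The 0.95 threshold is an assumption; an obfuscated file scores far lower."""
    if not data:
        return False
    printable = sum(1 for b in data if b in PRINTABLE)
    return printable / len(data) >= threshold


def classify_logs(log_dir: str) -> dict:
    """Sort each edpa*.log in log_dir into readable or obfuscated, sampling the first 4 KiB."""
    result = {"readable": [], "obfuscated": []}
    for path in sorted(glob.glob(os.path.join(log_dir, "edpa*.log"))):
        with open(path, "rb") as fh:
            sample = fh.read(4096)
        key = "readable" if is_readable_log(sample) else "obfuscated"
        result[key].append(os.path.basename(path))
    return result


def bundle_for_support(log_dir: str, archive_path: str) -> list:
    """Zip only the readable edpa logs (step 10); obfuscated ones are useless to support."""
    names = classify_logs(log_dir)["readable"]
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.write(os.path.join(log_dir, name), arcname=name)
    return names


def demo() -> dict:
    """Constructed sample: one plain-text log and one pseudo-obfuscated (binary) log."""
    log_dir = tempfile.mkdtemp(prefix="edpa_demo_")
    with open(os.path.join(log_dir, "edpa0.log"), "wb") as fh:
        fh.write(b"2024-01-01 10:00:00 FINEST [Agent] constructed sample line\n" * 40)
    with open(os.path.join(log_dir, "edpa1.log"), "wb") as fh:
        fh.write(bytes((i * 37 + 11) % 256 for i in range(2048)))  # spans all byte values
    bundled = bundle_for_support(log_dir, os.path.join(log_dir, "agent_logs.zip"))
    return {"classified": classify_logs(log_dir), "bundled": bundled}


if __name__ == "__main__":
    print(demo())
```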

Option 2: Use the logdump utility

The logdump utility can be used to read the obfuscated logs and save them to a readable file. The main downside is that if FINEST level logging is not set, the log files may not contain the information needed to diagnose the issue.

Example steps using logdump utility:

  1. Copy the endpoint tools to the client machine
  2. Duplicate the issue
  3. Run the logdump utility on the edpa logs
  4. Collect the readable log file
