Increase the logging level of DLP agents to FINEST
search cancel

Increase the logging level of DLP agents to FINEST

book

Article ID: 170750

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention

Issue/Introduction

How to increase the logging level when troubleshooting Data Loss Prevention (DLP) agents.

Resolution

There are multiple methods of increasing the logging level to FINEST on DLP agents. Use the one that best fits your needs.

Table of Contents

Method 1: Using the console

  1. Browse to the Agent Overview: System > Agents > Overview. Click the number under the green checkbox to view the okay clients.
  2. Check the checkbox next to the agent you want to increase the logging level for.
  3. Click the Troubleshooting dropdown and select "Set Log Level":

     
  4. On the Log Level drop-down select "FINEST". Leave the all agent logger components checked then click OK.

A Task Running icon (clipboard with a play button) will appear next to the agent. If the agent does not communicate with the server in the configured timeout window then the task will timeout and the logging level will not be increased. If that is the case then check the client communication or enable logging through a script or locally to the machine (as shown in the options below)

 

Increasing the number of log files created

From DLP 16+ The number of files that the agent will write to the local disk can also be set from the Enforce console (for 15.x versions see method 2 below). This is useful if the issue you are reproducing takes longer than 15-20 minutes which is the typical time spanned by the default number of files (2) when FINEST logging is enabled. 

To increase it:

  1. Navigate to System > Agents > Agent Configuration
  2. Edit the desired configuration
  3. Click the Advanced Settings tab 
  4. Locate the parameter Logging.MaxFiles and set the value accordingly for the time you require.

NOTE: This will increase the disk space usage on the local machine by multiples of 5 MB (default log file size). If for example you set MaxFiles to 200 the agent will record upto 1GB of log files before overwriting the oldest log file.  

 

See Collect the Symantec DLP Agent logs.

 

Method 2: Using the Vontu_sqlite3 tool local to the client

This is the only local option for OSX Mac clients to increase the logging level because there is no update_configuration.exe equivalent tool for mac.

This method is used if the agents are not communicating with the DLP Endpoint server or if you want to change the log size for a single Endpoint Agent machine. The additional commands in this method also increase the size and number of log files in case the logs are too small for the increased logging level.

Steps:

  1. Add the agent tools to the agent folder

    Locate the agent install files .zip (see Agent Install Source Files Information) that was used when generating the agent install package. Extract and copy the tools folder appropriate for the client architecture to the client machine in the DLP Endpoint Agent folder. We specifically need the vontu_sqlite3 and service_shutdown tools. 

    For reference, the default agent locations are:
      Mac OSX: /Library/Manufacturer/Endpoint\ Agent/
      Windows: C:\Program Files\Manufacturer\Endpoint Agent\

  2. Stop the services:
    From an Admin command prompt, change to the agent folder and run the following

    #Windows:
    service_shutdown

    #Mac:
    sudo ./service_shutdown


  3. From the command prompt launch vontu_sqlite3

    Example:
    vontu_sqlite3 -db=cg.ead

    Apply the tools password as needed.

  4. In Vontu_sqlite3 run the following commands to update the configuration (Note these are case sensitive):
Update CONFIGURATION set VALUE = 'No' where setting = 'EnableWatchdog';
Delete from ConfigurationCollectionBlob;
Update CONFIGURATION set VALUE=0 where NAME="Logging" and SETTING="Obfuscate";
Update CONFIGURATION set VALUE="1" where NAME="LoggerStatus" and SETTING="IsDefaultLogLevelChanged";
Update CONFIGURATION set VALUE="FINEST" where NAME="LogLevel" and SETTING="DefaultLevel";
REPLACE INTO configuration VALUES('Logging','MaxFileSizeBytes','long','10240000');
REPLACE INTO configuration VALUES('Logging','MaxFiles','int','10');
.exit
  1. Run the following commands remove the old log files then restart the edpa and WDP services:

    # Windows
    del edpa*.log
    sc start edpa

    #Mac OSX
    sudo rm edpa*.log
    sudo launchctl load /Library/LaunchDaemons/com.symantec.manufacturer.agent.plist


The edpa*.log files will now be readable on the client-side with the increased logging level set to FINEST and the increased number of files and log file size. Duplicate the issue and collect the logs

  1. Restore default logging

Once duplicate and logging is complete. Run Steps 2 and 3 again and then use the following

Update CONFIGURATION set VALUE = 'Yes' where setting = 'EnableWatchdog';
Update CONFIGURATION set VALUE=1 where NAME="Logging" and SETTING="Obfuscate";
Update CONFIGURATION set VALUE="1" where NAME="LoggerStatus" and SETTING="IsDefaultLogLevelChanged";
Update CONFIGURATION set VALUE="INFO" where NAME="LogLevel" and SETTING="DefaultLevel";
REPLACE INTO configuration VALUES('Logging','MaxFileSizeBytes','long','5,120,000');
REPLACE INTO configuration VALUES('Logging','MaxFiles','int','2');
.exit
  1. Run the following commands remove the old log files then restart the edpa and WDP services:

    # Windows
    sc start edpa

    #Mac OSX
    sudo launchctl load /Library/LaunchDaemons/com.symantec.manufacturer.agent.plist


Method 3: Using the Vontu_sqlite3 via script

This method can be used to enable logging on many machines remotely via a script similar to the functionality of update_configuration.exe by calling the Vontu_sqlite3.exe with the appropriate arguments and then echoing in the sql command. Note that this will expose the tools password in the script used. This method is valid in all current versions of DLP. 

The following is an example windows script that can be used as a template:

REM Sets FINEST level logging with increased max files and max size and deobfuscates log

cd "program files\Manufacturer\Endpoint Agent\

echo Update CONFIGURATION set VALUE = 'No' where setting = 'EnableWatchdog';
echo Delete from ConfigurationCollectionBlob;echo Update CONFIGURATION set VALUE=0 where NAME="Logging" and SETTING="Obfuscate"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE="1" where NAME="LoggerStatus" and SETTING="IsDefaultLogLevelChanged"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE="FINEST" where NAME="LogLevel" and SETTING="DefaultLevel"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE="10240000" where NAME="Logging" and SETTING="MaxFileSizeBytes"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE="10" where NAME="Logging" and SETTING="MaxFiles"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo INSERT INTO configuration VALUES('Logging','MaxFileSizeBytes','long','10240000'); | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo INSERT INTO configuration VALUES('Logging','MaxFiles','long','10'); | vontu_sqlite3.exe -db=cg.ead -p=protect4

service_shutdown -p=<tool_password>
net start edpa

As described in Method 2, after the required Agent FINEST logs are produced, please remember to change the EnableWatchdog setting back to 'Yes', otherwise in the future the WDP process will not start with the Agent startup. 

 

 

Powered by Wolken Software