How to increase the logging level when troubleshooting Data Loss Prevention (DLP) agents.
There are multiple methods of increasing the logging level to FINEST on DLP agents. Use the one that best fits your needs.
A Task Running icon (clipboard with a play button) will appear next to the agent. If the agent does not communicate with the server in the configured timeout window then the task will timeout and the logging level will not be increased. If that is the case then check the client communication or enable logging through a script or locally to the machine (as shown in the options below)
From DLP 16+ The number of files that the agent will write to the local disk can also be set from the Enforce console (for 15.x versions see method 2 below). This is useful if the issue you are reproducing takes longer than 15-20 minutes which is the typical time spanned by the default number of files (2) when FINEST logging is enabled.
To increase it:
NOTE: This will increase the disk space usage on the local machine by multiples of 5 MB (default log file size). If for example you set MaxFiles to 200 the agent will record upto 1GB of log files before overwriting the oldest log file.
See Collect the Symantec DLP Agent logs.
This is the only local option for OSX Mac clients to increase the logging level because there is no update_configuration.exe equivalent tool for mac.
This method is used if the agents are not communicating with the DLP Endpoint server or if you want to change the log size for a single Endpoint Agent machine. The additional commands in this method also increase the size and number of log files in case the logs are too small for the increased logging level.
Locate the agent install files .zip (see Agent Install Source Files Information) that was used when generating the agent install package. Extract and copy the tools folder appropriate for the client architecture to the client machine in the DLP Endpoint Agent folder. We specifically need the vontu_sqlite3 and service_shutdown tools.
For reference, the default agent locations are:
Once the tools are in the DLP Agent folder run the following commands:
service_shutdown
Apply the tools password as needed. Then use the following commands in the vontu_sqllite3 tool to update the configuration (Note these are case sensitive):
Update CONFIGURATION set VALUE = 'No' where setting = 'EnableWatchdog';
Delete from ConfigurationCollectionBlob;
Update CONFIGURATION set VALUE = 'Yes' where setting = 'EnableWatchdog';
With the above two executed, please then run the below commands to enable FINEST logging, decrease log obfuscation and increase the log size and count:
Update CONFIGURATION set VALUE=0 where NAME="Logging" and SETTING="Obfuscate";
Update CONFIGURATION set VALUE="1" where NAME="LoggerStatus" and SETTING="IsDefaultLogLevelChanged";
Update CONFIGURATION set VALUE="FINEST" where NAME="LogLevel" and SETTING="DefaultLevel";
REPLACE INTO configuration VALUES('Logging','MaxFileSizeBytes','long','10240000');
REPLACE INTO configuration VALUES('Logging','MaxFiles','int','10');
.exit
Now run the following commands remove the old log files then restart the edpa and WDP services:
del edpa*.log
sc start edpa
sudo rm edpa*.log
sudo launchctl load /Library/LaunchDaemons/com.symantec.manufacturer.agent.plist
The edpa*.log files will now be readable on the client-side with the increased logging level set to FINEST and the increased number of files and log file size.
This method can be used to enable logging on many machines remotely via a script similar to the functionality of update_configuration.exe by calling the Vontu_sqlite3.exe with the appropriate arguments and then echoing in the sql command. Note that this will expose the tools password in the script used. This method is valid in all current versions of DLP.
The following is an example windows script that can be used as a template:
REM Sets FINEST level logging with increased max files and max size and deobfuscates log
cd "program files\Manufacturer\Endpoint Agent\
echo Update CONFIGURATION set VALUE = 'No' where setting = 'EnableWatchdog';
echo Delete from ConfigurationCollectionBlob;
echo Update CONFIGURATION set VALUE=0 where NAME="Logging" and SETTING="Obfuscate"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE="1" where NAME="LoggerStatus" and SETTING="IsDefaultLogLevelChanged"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE="FINEST" where NAME="LogLevel" and SETTING="DefaultLevel"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE="10240000" where NAME="Logging" and SETTING="MaxFileSizeBytes"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE="10" where NAME="Logging" and SETTING="MaxFiles"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo INSERT INTO configuration VALUES('Logging','MaxFileSizeBytes','long','10240000'); | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo INSERT INTO configuration VALUES('Logging','MaxFiles','long','10'); | vontu_sqlite3.exe -db=cg.ead -p=protect4
service_shutdown -p=<tool_password>
net start edpa
As described in Method 2, after the required Agent FINEST logs are produced, please remember to change the EnableWatchdog setting back to 'Yes', otherwise in the future the WDP process will not start with the Agent startup.