How to increase the logging level when troubleshooting Data Loss Prevention (DLP) agents.
There are multiple methods of increasing the logging level to FINEST on DLP agents. Use the one that best fits your needs.
A Task Running icon (clipboard with a play button) will appear next to the agent. If the agent does not communicate with the server in the configured timeout window then the task will timeout and the logging level will not be increased. If that is the case then check the client communication or enable logging through a script or locally to the machine (as shown in the options below)
From DLP 16+ The number of files that the agent will write to the local disk can also be set from the Enforce console (for 15.x versions see method 2 below). This is useful if the issue you are reproducing takes longer than 15-20 minutes which is the typical time spanned by the default number of files (2) when FINEST logging is enabled.
To increase it:
NOTE: This will increase the disk space usage on the local machine by multiples of 5 MB (default log file size). If for example you set MaxFiles to 200 the agent will record upto 1GB of log files before overwriting the oldest log file.
See Collect the Symantec DLP Agent logs.
This is the only local option for OSX Mac clients to increase the logging level because there is no update_configuration.exe equivalent tool for mac.
This method is used if the agents are not communicating with the DLP Endpoint server or if you want to change the log size for a single Endpoint Agent machine. The additional commands in this method also increase the size and number of log files in case the logs are too small for the increased logging level.
Steps:
Update CONFIGURATION set VALUE = 'No' where setting = 'EnableWatchdog';
Delete from ConfigurationCollectionBlob;Update CONFIGURATION set VALUE=0 where NAME="Logging" and SETTING="Obfuscate";
Update CONFIGURATION set VALUE="1" where NAME="LoggerStatus" and SETTING="IsDefaultLogLevelChanged";
Update CONFIGURATION set VALUE="FINEST" where NAME="LogLevel" and SETTING="DefaultLevel";
REPLACE INTO configuration VALUES('Logging','MaxFileSizeBytes','long','10240000');
REPLACE INTO configuration VALUES('Logging','MaxFiles','int','10');
.exit
The edpa*.log files will now be readable on the client-side with the increased logging level set to FINEST and the increased number of files and log file size. Duplicate the issue and collect the logs
Once duplicate and logging is complete. Run Steps 2 and 3 again and then use the following
Update CONFIGURATION set VALUE = 'Yes' where setting = 'EnableWatchdog';
Update CONFIGURATION set VALUE=1 where NAME="Logging" and SETTING="Obfuscate";
Update CONFIGURATION set VALUE="1" where NAME="LoggerStatus" and SETTING="IsDefaultLogLevelChanged";
Update CONFIGURATION set VALUE="INFO" where NAME="LogLevel" and SETTING="DefaultLevel";
REPLACE INTO configuration VALUES('Logging','MaxFileSizeBytes','long','5,120,000');
REPLACE INTO configuration VALUES('Logging','MaxFiles','int','2');
.exit
This method can be used to enable logging on many machines remotely via a script similar to the functionality of update_configuration.exe by calling the Vontu_sqlite3.exe with the appropriate arguments and then echoing in the sql command. Note that this will expose the tools password in the script used. This method is valid in all current versions of DLP.
The following is an example windows script that can be used as a template:
REM Sets FINEST level logging with increased max files and max size and deobfuscates log
cd "program files\Manufacturer\Endpoint Agent\
echo Update CONFIGURATION set VALUE = 'No' where setting = 'EnableWatchdog';
echo Delete from ConfigurationCollectionBlob;echo Update CONFIGURATION set VALUE=0 where NAME="Logging" and SETTING="Obfuscate"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE="1" where NAME="LoggerStatus" and SETTING="IsDefaultLogLevelChanged"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE="FINEST" where NAME="LogLevel" and SETTING="DefaultLevel"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE="10240000" where NAME="Logging" and SETTING="MaxFileSizeBytes"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE="10" where NAME="Logging" and SETTING="MaxFiles"; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo INSERT INTO configuration VALUES('Logging','MaxFileSizeBytes','long','10240000'); | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo INSERT INTO configuration VALUES('Logging','MaxFiles','long','10'); | vontu_sqlite3.exe -db=cg.ead -p=protect4
service_shutdown -p=<tool_password>
net start edpa
As described in Method 2, after the required Agent FINEST logs are produced, please remember to change the EnableWatchdog setting back to 'Yes', otherwise in the future the WDP process will not start with the Agent startup.