DLP Release: 15.X, 16.X
The Delete Agent task is not recorded in the DLP audit logs.
To identify the user who ran the Delete Agent task, follow these steps:
1. Log in to your Enforce Server and navigate to the log directory:
`DRIVE:\ProgramData\Symantec\DataLossPrevention\EnforceServer\VERSION\logs\tomcat`
2. Locate the `localhost_access_log` files, which are suffixed with the date. A new log file is generated daily.
For example: `localhost_access_log.2024-08-30.txt` (This log was generated on August 30th, 2024).
3. Open the log file for the date on which you suspect the task was run, and search for the keyword `DeleteAgents_New.do`.
You should find a log entry similar to the following:
IPADDRESS - Administrator [02/Sep/2024:23:48:40 -0700] "POST /ProtectManager/DeleteAgents_New.do HTTP/1.1" 302 - "https://servername/ProtectManager/ConfirmAgentTroubleshootTaskSubmission.do" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0" - 16 3B6C2F815CE9D444CBDBE732B7E4B5EB
4. In this log entry:
- The first column displays the IP address of the user who ran the Delete Agent task.
- The second column shows the Enforce username.
- The third column indicates the date and time when the task was executed.
- The request that follows (`POST /ProtectManager/DeleteAgents_New.do`) confirms that the Delete Agent task was performed.
By following these steps, you can determine which user executed the Delete Agent task in your environment.
Note: This process will reveal when the Delete Agent task was executed, but it will not provide information about which specific agents were deleted during the task.
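The search in steps 3 and 4 can be run across every daily access log at once. The script below is an added example, not Broadcom or Symantec code. It assumes the log line layout shown in step 3; the function names, sample users, IP addresses and the `Example.do` path are constructed for illustration.

```python
import re
from datetime import datetime
from pathlib import Path

# Leading fields of an access-log line as laid out in the entry above:
# client IP, "-", username, [timestamp], "METHOD path PROTOCOL", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TARGET = "/protectmanager/deleteagents_new.do"

def find_delete_agent_events(lines):
    """Return one dict per POST to DeleteAgents_New.do found in `lines`."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare case-insensitively and ignore any query string.
        if m["path"].split("?", 1)[0].lower() != TARGET:
            continue
        events.append({
            "ip": m["ip"],
            "user": m["user"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m["status"]),
        })
    return events

def scan_log_dir(log_dir):
    """Scan every daily localhost_access_log file in `log_dir`, oldest first."""
    events = []
    for path in sorted(Path(log_dir).glob("localhost_access_log.*.txt")):
        with path.open(encoding="utf-8", errors="replace") as fh:
            events.extend(find_delete_agent_events(fh))
    return events

# Constructed sample lines (documentation-range IPs, made-up users and session IDs).
SAMPLE = [
    '192.0.2.10 - jsmith [02/Sep/2024:23:40:01 -0700] "GET /ProtectManager/Example.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 12 AAAA',
    '192.0.2.10 - jsmith [02/Sep/2024:23:48:40 -0700] "POST /ProtectManager/DeleteAgents_New.do HTTP/1.1" 302 - "-" "Mozilla/5.0" - 16 AAAA',
    '198.51.100.7 - - [02/Sep/2024:23:50:00 -0700] "GET /ProtectManager/DeleteAgents_New.do HTTP/1.1" 302 - "-" "Mozilla/5.0" - 3 -',
]

if __name__ == "__main__":
    for e in find_delete_agent_events(SAMPLE):
        print(e["time"].isoformat(), e["user"], e["ip"], e["status"])
```

Pass the `logs\tomcat` directory from step 1 to `scan_log_dir` to list every recorded submission with its username, source IP and timestamp.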