Steps to collect the DLP Endpoint Agent logs
Article ID: 160766


Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention Endpoint Discover Data Loss Prevention

Issue/Introduction

How can the Data Loss Prevention (DLP) Endpoint Agent logs be collected?

Resolution

Note: Before collecting log files you will generally want to have the "FINEST" level logging set, then reproduce the issue and collect the logs. See Increase the logging level of DLP agents to FINEST for instructions on how to enable the "FINEST" level logging.

There are two general methods of gathering the agent log files. The first method is to remotely pull the logs from the clients via the Enforce console. Use the first method whenever possible. The second method is to collect the logs locally on the client, either with the endpoint agent logdump tool or by deobfuscating the log files. The second method is used when the agent has no connectivity to the Enforce console and still needs to be diagnosed.

Method 1: Remotely Pull Logs From Enforce Console

Gathering the Endpoint Agent logs directly from the Enforce UI is a two-step process in which an Endpoint Agent task is sent from the Enforce Server to the Endpoint Agent. Once the task is complete, then the logs can be gathered from the Endpoint Server.

Step 1: Instruct Agent to upload files to Endpoint Server

  1. Go to System > Agent Overview.
  2. Select the affected agent.
  3. With the affected agent selected, open the drop-down menu and select "Pull Logs".
  4. Select Agent logs, then click OK.

A task running icon (a clipboard with a play button) should now appear next to the agent. Once the log files have been collected from the agent, this icon should disappear. Wait for the task running icon to disappear before moving to step 2.

Step 2: Collect logs from Endpoint Server

Once the task sent to the Endpoint Agent has completed, use the following steps to gather the Endpoint Agent logs from the Endpoint Server.

  1. Go to System > Server > Logs.
  2. Select the drop-down and choose the Endpoint Server to which the affected agent is reporting.
  3. Select the Agent logs check box, and the Enforce logs check box if needed.
  4. Select the Collect Logs button.

An "In Progress" and "waiting to receive files from x servers" message should appear below the check boxes. Once the log files are available, a link will appear to download a .zip file that contains the logs.


Method 2: Local Agent Log File Collection

This method is used when the agent is unable to connect to the server and upload the files. There are two options when collecting the agent log files locally. The first is to deobfuscate the logs. The second is to use the logdump utility. See Agent Install Source Files Information to get the agent tools needed for this method.

Option 1: Deobfuscate the logs

To deobfuscate the log file you can use the update_configuration.exe tool (Windows only, and only on versions up to and including DLP 15.0) as described in Increase the logging level of DLP agents to FINEST. The second option is to use the vontu_sqlite3 tool (Mac and Windows clients) to update the CONFIGURATION table in cg.ead and set the Obfuscate setting of the Logging entry to 0 (also detailed in Increase the logging level of DLP agents to FINEST).

Example steps using the deobfuscation tools:

  1. Copy the endpoint tools to the client machine.
  2. Stop the DLP Agent (use the service_shutdown tool):
    service_shutdown -p=<tool_password>
  3. Delete or rename the old log files.
  4. Run one of the tools to turn off log obfuscation (either update_configuration or vontu_sqlite3):
    update_configuration.exe -name=Logging -setting=Obfuscate -type=int -value=0
    vontu_sqlite3 -db=cg.ead
    Update CONFIGURATION set VALUE=0 where NAME="Logging" and SETTING="Obfuscate";
  5. Start the DLP Agent.
  6. Verify that the edpa logs are readable.
  7. Reproduce the issue.
  8. Collect the log files (edpa*.log) for support.

Option 2: Use the logdump utility

The logdump utility can be used to read the obfuscated logs and save them to a readable file. The main downside is that if FINEST level logging was not set, the log files may not contain the information needed to diagnose the issue.

Example steps using logdump utility:

  1. Copy the logdump utility to the agent install directory on the client machine (C:\Program Files\Manufacturer\Endpoint Agent).
  2. Launch cmd as administrator from the agent install directory.
  3. Use the commands below to extract the logs:
    logdump.exe -log=edpa_ext0.log -p=toolspassword > c:\edpa0.log
    logdump.exe -log=edpa_ext1.log -p=toolspassword > c:\edpa1.log
  4. Run the same command for each subsequent log file separately.
  5. The log files in readable format are now stored on the C:\ drive.
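To run logdump over every edpa_ext*.log file in one pass instead of one command per file, here is an added PowerShell example (not from the article or the DLP product). It assumes logdump.exe has been copied into the agent install directory named above, that the endpoint tools password is supplied as $ToolsPassword, and it uses a printable-bytes heuristic of its own to flag output that is still unreadable.

```powershell
# Added example, not part of the article or the DLP product. Runs logdump.exe
# over every obfuscated edpa_ext*.log in the agent install directory and checks
# that each output is readable text. Assumptions: logdump.exe was copied into
# $AgentDir (path from the article) and $ToolsPassword is the endpoint tools password.
param(
    [string]$AgentDir = 'C:\Program Files\Manufacturer\Endpoint Agent',
    [string]$OutDir   = 'C:\DLPLogs',
    [Parameter(Mandatory = $true)][string]$ToolsPassword
)

$logdump = Join-Path $AgentDir 'logdump.exe'
if (-not (Test-Path $logdump)) { throw "logdump.exe not found in $AgentDir" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The article runs logdump from the install directory with a relative log name,
# so do the same here and process each edpa_ext<N>.log file separately.
Push-Location $AgentDir
try {
    foreach ($log in Get-ChildItem -Path $AgentDir -Filter 'edpa_ext*.log') {
        $outFile = Join-Path $OutDir ($log.BaseName + '.txt')
        # logdump writes the decoded log to stdout; capture it to a file, as the
        # article's "> c:\edpa0.log" redirection does.
        & $logdump "-log=$($log.Name)" "-p=$ToolsPassword" | Set-Content -Path $outFile -Encoding UTF8

        # Readability heuristic (an assumption, not a product check): sample the
        # first 4 KB and require that nearly all bytes are printable ASCII or whitespace.
        $bytes = [System.IO.File]::ReadAllBytes($outFile)
        if ($bytes.Length -eq 0) {
            Write-Warning "$($log.Name): logdump produced no output; verify the tools password"
            continue
        }
        $sample    = $bytes[0..([Math]::Min($bytes.Length, 4096) - 1)]
        $printable = @($sample | Where-Object { ($_ -ge 32 -and $_ -le 126) -or ($_ -in 9, 10, 13) }).Count
        if (($printable / $sample.Count) -lt 0.95) {
            Write-Warning "$($log.Name): output still looks obfuscated or binary; verify the tools password"
        } else {
            Write-Host ("OK  {0} -> {1}" -f $log.Name, $outFile)
        }
    }
}
finally {
    Pop-Location
}
```

Run it from an elevated PowerShell prompt, e.g. `.\Dump-EdpaLogs.ps1 -ToolsPassword '<tools password>'`, and send the .txt files in C:\DLPLogs to support.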
