Collecting the DLP Endpoint Agent logs
Article ID: 160766

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Discover, Data Loss Prevention

Issue/Introduction

Steps to collect the Data Loss Prevention (DLP) Endpoint Agent logs.

Resolution

Before collecting log files, set the agent logging level to "FINEST", reproduce the issue, and then collect the logs. At the default logging level the agent logs frequently do not contain enough detail to diagnose a problem.

There are two methods to gather agent log files.

  • Method 1 (Recommended): Remotely pull the logs through the Enforce console.
  • Method 2: Collect the logs locally on the client, either with the Endpoint Agent logdump tool or by turning off log obfuscation. Use this method when the agent has no connectivity to the Enforce console and still needs to be diagnosed.

Method 1: Remotely pull logs via Enforce console

Gathering the Endpoint Agent logs from the Enforce UI is a two-step process: first an Endpoint Agent task is sent from the Enforce Server to the agent, instructing it to upload its logs to its Endpoint Server; once that task completes, the logs are collected from the Endpoint Server.

Step 1: Instruct Agent to upload files to Endpoint Server

  1. Go to System > Agent Overview.
  2. Select the affected agent.
  3. From the dropdown menu, choose "Pull Logs" and select "Agent logs".
  4. Click OK.

  5. A task-running icon (a clipboard with a play button) appears next to the agent.

    Wait for the task to complete and the icon to disappear before moving on to Step 2.

Step 2: Collect logs from Endpoint Server

Once the upload task has completed on the Endpoint Agent, gather the agent logs from the Endpoint Server to which the agent reports.

  1. Go to System > Server > Logs
  2. Select the Endpoint Server to which the affected agent is reporting.

  3. Check the "Agent logs" check box, and "Enforce logs" as well if needed.
  4. Click "Collect Logs". An "In Progress" and "Waiting to receive files from x servers" message appears below the check boxes.
  5. Once the log files are available, a link to download a .zip file containing the logs will appear.

Method 2: Local agent log file collection

This method is used when the agent cannot connect to the Endpoint Server and upload its files. There are three options for collecting agent log files locally:

  • Turn off log obfuscation so the agent writes readable logs (Option 1)
  • Use the logdump utility to convert the existing obfuscated logs (Option 2)
  • Use the SymDiag tool (Option 3)

See Agent install source files information to get the agent tools needed for this method.

Option 1: Deobfuscate the logs

The agent obfuscates its log files by default. To make it write readable logs, turn off the Obfuscate setting of the Logging configuration. On Windows clients running DLP 15.0 or earlier, use update_configuration.exe as described in Increase the logging level of DLP agents to FINEST. On all other Windows and Mac clients, use the vontu_sqlite3 tool to update the CONFIGURATION table in cg.ead and set the Obfuscate setting of Logging to 0 (also detailed in Increase the logging level of DLP agents to FINEST).

Example steps of using deobfuscating tools

  1. Copy the endpoint tools to the client machine.
  2. Stop the DLP Agent using the "service_shutdown" tool:

    #service_shutdown -p=<tool_password>

  3. Delete or rename the old log files.
  4. Run either "update_configuration.exe" (DLP 15.0 and earlier, Windows only) or "vontu_sqlite3" to turn off log obfuscation. With update_configuration.exe:

    #update_configuration.exe -name=Logging -setting=Obfuscate -type=int -value=0

    With vontu_sqlite3, open cg.ead with the tools password and run the UPDATE at the tool's prompt (string literals in single quotes; double quotes are identifier quotes in SQLite):

    #vontu_sqlite3 -db=cg.ead -p=<tool_password>
    #UPDATE CONFIGURATION SET VALUE=0 WHERE NAME='Logging' AND SETTING='Obfuscate';

  5. Start the DLP Agent.
  6. Verify that the edpa logs are readable.
  7. Duplicate the issue.
  8. Collect the log files (edpa*.log) for Support.
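The steps above, scripted for a Windows client. This is an added example and is not part of the KB or of the DLP product: it assumes the endpoint tools have already been copied into the agent directory, that the tool names and switches are exactly those shown in the steps, and that the agent runs as a Windows service whose name is passed in $AgentServiceName (an assumption; confirm the name with Get-Service on your build). The readability check in Test-ReadableLog is a heuristic added here, not something the KB describes.

```powershell
# Added example, not part of the KB. Run from an elevated PowerShell prompt.
param(
    [string]$AgentDir = 'C:\Program Files\Manufacturer\Endpoint Agent',
    [Parameter(Mandatory)][string]$ToolsPassword,
    [string]$AgentServiceName = 'EDPA'   # assumed service name; verify with Get-Service
)

$ErrorActionPreference = 'Stop'

# Heuristic check for step 6: an obfuscated edpa log is not plain text, so a
# readable one should be almost entirely printable ASCII in its first bytes.
function Test-ReadableLog {
    param([string]$Path, [int]$SampleBytes = 2048)
    # FileShare.ReadWrite so the check works while the agent still has the log open
    $fs = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] $SampleBytes
        $n = $fs.Read($buf, 0, $SampleBytes)
    } finally { $fs.Dispose() }
    if ($n -eq 0) { return $false }
    $printable = 0
    for ($i = 0; $i -lt $n; $i++) {
        $b = $buf[$i]
        if (($b -ge 0x20 -and $b -le 0x7E) -or ($b -in @(9, 10, 13))) { $printable++ }
    }
    return ($printable / $n) -gt 0.95
}

Push-Location $AgentDir
try {
    # Step 2: stop the agent with the service_shutdown tool, not Stop-Service
    & .\service_shutdown.exe "-p=$ToolsPassword"
    (Get-Service $AgentServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(90))

    # Step 3: move the old (obfuscated) logs aside so the next run starts clean
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Get-ChildItem -Filter 'edpa*.log' | ForEach-Object {
        Rename-Item $_.FullName -NewName ('{0}.{1}.bak' -f $_.Name, $stamp)
    }

    # Step 4: set Logging/Obfuscate to 0. update_configuration.exe exists only on
    # 15.0 and earlier; otherwise use vontu_sqlite3 with the UPDATE the KB shows.
    # Feeding the statement on stdin assumes vontu_sqlite3 reads a script the way
    # the stock sqlite3 shell does; if it does not, run the UPDATE at its prompt.
    if (Test-Path .\update_configuration.exe) {
        & .\update_configuration.exe '-name=Logging' '-setting=Obfuscate' '-type=int' '-value=0'
    } else {
        "UPDATE CONFIGURATION SET VALUE=0 WHERE NAME='Logging' AND SETTING='Obfuscate';" |
            & .\vontu_sqlite3.exe '-db=cg.ead' "-p=$ToolsPassword"
    }

    # Step 5: start the agent and give it a moment to open a fresh log file
    Start-Service $AgentServiceName
    Start-Sleep -Seconds 15
} finally {
    Pop-Location
}

# Step 6: verify the newest edpa log is readable before reproducing the issue
$newLog = Get-ChildItem -Path $AgentDir -Filter 'edpa*.log' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($newLog -and (Test-ReadableLog -Path $newLog.FullName)) {
    Write-Host "Obfuscation is off; $($newLog.Name) is readable. Reproduce the issue, then collect edpa*.log."
} else {
    Write-Warning 'No readable edpa log yet: confirm the agent started and that the Obfuscate setting was updated.'
}
```

Deobfuscated agent logs can contain file names, user names and other details of the activity the agent monitored, so treat the collected files as sensitive and remove local copies once they have been sent to Support. Once collection is finished, set the Obfuscate setting back to the value it had before so the agent returns to writing obfuscated logs.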

Option 2: Use the logdump utility

The log dump utility is used to read the obfuscated logs and then save them to a readable file.

Caution: If the FINEST level logging is not set then the log files may not have the needed information to diagnose the issue.

  1. Copy the logdump utility to the client machine (C:\Program Files\Manufacturer\Endpoint Agent).
  2. Launch the command prompt (cmd) as administrator from the Agent install directory.
  3. Use the following command to extract the logs:

    logdump.exe -log=edpa_ext0.log -p=<tool_password> > c:\edpa0.log
    logdump.exe -log=edpa_ext1.log -p=<tool_password> > c:\edpa1.log

    (Repeat the command for subsequent log files)

  4. The readable copies of the log files are saved to the C:\ drive.
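The same procedure as a loop over every agent log file, so that nothing is missed when there are more than two edpa_ext*.log files. This is an added example, not code from the KB or the DLP product: it assumes logdump.exe with the -log and -p switches exactly as shown in step 3, that the obfuscated logs live in the agent directory, and an output folder of your choosing ($OutDir, a hypothetical default).

```powershell
# Added example, not part of the KB. Run from an elevated PowerShell prompt.
param(
    [string]$AgentDir = 'C:\Program Files\Manufacturer\Endpoint Agent',
    [Parameter(Mandatory)][string]$ToolsPassword,
    [string]$OutDir = 'C:\dlp-agent-logs'   # hypothetical output folder
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$logdump = Join-Path $AgentDir 'logdump.exe'
if (-not (Test-Path $logdump)) {
    throw "logdump.exe not found in $AgentDir; copy it from the agent tools package first (step 1)"
}

# All obfuscated agent logs, oldest rotation number first
$logs = Get-ChildItem -Path $AgentDir -Filter 'edpa_ext*.log' | Sort-Object Name
if (-not $logs) { throw "no edpa_ext*.log files found in $AgentDir" }

# Run from the agent directory as the KB does (step 2)
Push-Location $AgentDir
try {
    foreach ($log in $logs) {
        # edpa_ext0.log -> edpa0.log, matching the KB's output names
        $outName = $log.Name -replace '^edpa_ext', 'edpa'
        $outPath = Join-Path $OutDir $outName

        # logdump writes the readable log to stdout; capture it to a file
        & $logdump "-log=$($log.Name)" "-p=$ToolsPassword" | Out-File -FilePath $outPath -Encoding utf8

        if ((Get-Item $outPath).Length -eq 0) {
            Write-Warning "$outName is empty: check the tools password and that $($log.Name) is a valid agent log"
        } else {
            Write-Host "wrote $outPath"
        }
    }
} finally {
    Pop-Location
}

# Bundle the readable logs for upload to Support
$zip = Join-Path $OutDir ('edpa-logs-{0}-{1:yyyyMMdd-HHmmss}.zip' -f $env:COMPUTERNAME, (Get-Date))
Compress-Archive -Path (Join-Path $OutDir 'edpa*.log') -DestinationPath $zip -Force
Write-Host "Readable logs bundled in $zip"
```

The script does not raise the logging level: as the caution above says, run it only after FINEST has been set and the issue reproduced, or the dumped logs will lack the detail Support needs. The readable copies contain whatever the agent logged about monitored user activity, so delete them from the client once the zip has been uploaded.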

Option 3: Use the SymDiag tool

SymDiag collects the DLP agent log files along with other system information from the client. See this KB for details on how to download and run SymDiag to generate the SymDiag output.