How to collect the Endpoint Agent logs

There are two general methods to gathering the agent log files. The first method is to remotely pull the logs via the Enforce console from the clients. Use the first method whenever possible. The second method is to collect the logs locally from the client by using the endpoint agent logdump tool or by deobfuscating the log files. The second method is used when the agent has no connectivity to the enforce console and the agent needs to be diagnosed.

Method 1: Remotely Pull Logs From Enforce Console

Gathering the Endpoint Agent logs directly from the Enforce UI is a two step process in which an Endpoint Agent task is sent from the Enforce Server to the Endpoint Agent. Once the task is complete, then the logs can be gathered from the Endpoint Server.

Step 1: Instruct Agent to upload files to Endpoint Server

1. Go to System> Agent Overview
2. Select the affected agent.
   
3. After selecting the affected agent, select the drop down menu and select “Pull Logs”.
4. Select Agent logs then click OK
   

A task running icon (clipboard with play button) should now appear next to the agent. Once the log files have been collected from the agent this should disappear. Wait for the task running icon to disappear before moving to step 2.

Step 2: Collect logs from Endpoint Server

Once the task has been sent to the Endpoint Agent use the following steps to gather the Endpoint Agent logs from the Endpoint Servers.

1. Go to System> Server> Logs
2. Select the drop down and choose the Endpoint Server
3. Select the Agent logs dialog box and Enforce logs (if needed)
   
4. Select Collect Logs button

An “in Progress” and “waiting to receive files from x servers” message should appear below the check boxes. Once the log files are available a link will appear to download a .zip that contains the logs.

Method 2: Local Agent Log File Collection

This method is used when the agent is unable to connect to the server and upload the files. There are two options when collecting the agent log files locally. The first is to deobfuscate the logs. The second is to use the logdump utility.

Option 1: Deobfuscate the logs

To deobfuscate the log file you can use the update_configuration.exe (windows only and versions earlier than and including DLP 15.0) . The second option is to use the vontu_sqlite3 (Mac and Windows clients) tool to update the configuration table in the cg.ead and set Obfuscate to 0 for the Logging setting

Example steps of using deobfuscating tools

1. Copy endpoint tools to client machine
2. Stop the DLP Agent (use service_shutdown tool)
3. Delete / Rename the old log files
4. Start the DLP Agent
5. Run tool to deobfuscate log (Either update_configuration or vontu_sqllite3)
6. Stop the DLP Agent
7. Start the DLP Agent
8. Verify the edpa logs are readable
9. Duplicate the issue
10. Collect log files (edpa*.log) for support

Option 2: Use the logdump utility

The log dump utility can be used to read the obfuscated logs and then save them to a readable file. The main downside is that if the FINEST level logging is not set then the log files may not have the needed information to diagnose the issue.

Example steps using logdump utility:

1. Copy endpoint tools to client machine
2. Duplicate issue
3. Run logdump utility on edpa logs.
4. Collect readable log file