There are two general methods of gathering the agent log files. The first is to pull the logs remotely from the clients via the Enforce console; use this method whenever possible. The second is to collect the logs locally on the client, either with the endpoint agent logdump tool or by deobfuscating the log files. The second method is used when the agent has no connectivity to the Enforce console and still needs to be diagnosed.
Method 1: Remotely Pull Logs From Enforce Console
Gathering the Endpoint Agent logs directly from the Enforce UI is a two-step process: an Endpoint Agent task is sent from the Enforce Server to the Endpoint Agent, and once the task is complete the logs can be gathered from the Endpoint Server.
Step 1: Instruct Agent to upload files to Endpoint Server
- Go to System > Agent Overview
- Select the affected agent.
- With the agent selected, open the drop-down menu and select “Pull Logs”.
- Select Agent logs, then click OK.
A task-running icon (clipboard with play button) should now appear next to the agent. It disappears once the log files have been collected from the agent; wait for the icon to disappear before moving to Step 2.
Step 2: Collect logs from Endpoint Server
Once the task has been sent to the Endpoint Agent, use the following steps to gather the Endpoint Agent logs from the Endpoint Server.
- Go to System > Server > Logs
- Open the drop-down and choose the Endpoint Server
- Select the Agent logs check box, and Enforce logs if needed
- Click the Collect Logs button
An “In Progress” and “waiting to receive files from x servers” message should appear below the check boxes. Once the log files are available, a link appears to download a .zip that contains the logs.
Method 2: Local Agent Log File Collection
This method is used when the agent is unable to connect to the server and upload the files. There are two options for collecting the agent log files locally: deobfuscate the logs, or use the logdump utility.
Option 1: Deobfuscate the logs
To deobfuscate the log files you can use update_configuration.exe (Windows only, and only for versions up to and including DLP 15.0). The second option is the vontu_sqlite3 tool (Mac and Windows clients), which is used to update the configuration table in cg.ead and set Obfuscate to 0 for the Logging setting.
Example steps using the deobfuscation tools:
- Copy the endpoint tools to the client machine
- Stop the DLP Agent (use the service_shutdown tool)
- Delete or rename the old log files
- Start the DLP Agent
- Run the tool to deobfuscate the log (either update_configuration or vontu_sqlite3)
- Stop the DLP Agent
- Start the DLP Agent
- Verify that the edpa logs are readable
- Reproduce the issue
- Collect the log files (edpa*.log) for support
Option 2: Use the logdump utility
The logdump utility reads the obfuscated logs and saves them to a readable file. The main downside is that if FINEST-level logging is not set, the log files may not contain the information needed to diagnose the issue.
Example steps using the logdump utility:
- Copy the endpoint tools to the client machine
- Reproduce the issue
- Run the logdump utility on the edpa logs
- Collect the readable log file
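The local steps in both options above (rename the old edpa logs, verify that the new ones are readable, package edpa*.log for support) can be scripted. The following is an added example and not part of the original article or of the Symantec endpoint tools; the log directory, file names and sample log contents are constructed assumptions, and readability is judged by a printable-byte heuristic rather than by the real edpa log format.

```python
"""Helpers for the local agent log workflow (Method 2): archive the old
edpa logs, check the new ones are readable after deobfuscation, and zip
them for support. Added example, not part of the original article or of
the Symantec toolset; paths, file names and the sample log lines below
are constructed assumptions."""
import shutil
import string
import tempfile
import time
import zipfile
from pathlib import Path

PRINTABLE = set(bytes(string.printable, "ascii"))

def is_readable_log(path, sample_bytes=4096, threshold=0.95):
    """Heuristic for 'Verify the edpa logs are readable': an obfuscated log
    is mostly non-printable bytes, a deobfuscated one is nearly all text."""
    data = Path(path).read_bytes()[:sample_bytes]
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold

def archive_old_logs(log_dir, pattern="edpa*.log"):
    """'Delete or rename the old log files': move them into a timestamped
    sub-folder so the restarted agent writes a fresh, readable set."""
    dest = Path(log_dir) / time.strftime("old_logs_%Y%m%d_%H%M%S")
    moved = []
    for f in sorted(Path(log_dir).glob(pattern)):
        dest.mkdir(exist_ok=True)
        shutil.move(str(f), str(dest / f.name))
        moved.append(f.name)
    return moved

def collect_logs(log_dir, zip_path, pattern="edpa*.log"):
    """'Collect the log files (edpa*.log) for support': package readable
    logs; report still-obfuscated ones so deobfuscation can be repeated."""
    packaged, unreadable = [], []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for f in sorted(Path(log_dir).glob(pattern)):
            if is_readable_log(f):
                zf.write(f, arcname=f.name)
                packaged.append(f.name)
            else:
                unreadable.append(f.name)
    return packaged, unreadable

def run_demo():
    """Exercise the helpers on constructed logs in a temporary directory."""
    d = Path(tempfile.mkdtemp())
    # edpa0.log: constructed plain-text lines (not the real edpa format)
    (d / "edpa0.log").write_bytes(b"INFO agent started (constructed)\n" * 50)
    # edpa1.log: stands in for a still-obfuscated log (high-bit bytes only)
    (d / "edpa1.log").write_bytes(bytes(range(128, 256)) * 32)
    packaged, unreadable = collect_logs(d, d / "support_logs.zip")
    archived = archive_old_logs(d)
    return {"packaged": packaged, "unreadable": unreadable,
            "archived": archived, "left": len(list(d.glob("edpa*.log")))}
```

Point `collect_logs` and `archive_old_logs` at the agent's real log directory; `run_demo` only shows the expected behaviour on constructed files.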