There are multiple methods of increasing the logging level on the clients. Use the one that best fits your needs.
Method 1: Enabling finest level logging through the console
- Browse to the Agent Overview. System > Agents > Overview. Click the number under the green checkbox to view the ok clients.
- Check the checkbox next to the agent you want to increase the logging level for.
- Click the Troubleshooting dropdown and select “Set Log Level”
- On the Log Level drop-down select “FINEST”. Leave the all agent logger components checked then click OK.
A Task Running icon (clipboard with a play button) will appear next to the agent. If the agent does not communicate with the server in the configured timeout window then the task will timeout and the logging level will not be increased. If that is the case then check the client communication or enable logging through a script or locally to the machine (as shown in the options below)
Method 2: Enable FINEST level logging using update configuration.exe (only available on DLP 15.0 and below)
This method is used if the agents are not communicating to the DLP Endpoint server.
Locate the agent install files .zip, that was used when generating the agent install package. (This .zip can also be obtained through https://mybroadcom.com) Extract and copy the tools folder appropriate for the client architecture to the client machine in the DLP Endpoint Agent folder. We specifically need the update_configuration.exe.
Once the tools are in the DLP Agent folder run the following commands:
update_configuration.exe -name=LoggerStatus -setting=IsDefaultLogLevelChanged -type=str -value=1
update_configuration.exe -name=LogLevel -setting=DefaultLevel -type=str -value=FINEST
update_configuration.exe -name=Logging -setting=MaxFileSizeBytes -type=int -value=10240000
update_configuration.exe -name=Logging -setting=MaxFiles -type=int -value=10
Now run the following commands to stop the service, remove the old log files then restart the service:
del edpa*.log
sc start edpa
The edpa*.log files will now be readable on the client side with increased logging level set to FINEST and increased number of files and log file size.
Method 3: Enable FINEST level using the Vontu_sqlite3 tool local to the client
This is the only local option for OSX Mac clients to increase the logging level because there is no update_configuration.exe equivalent tool for mac.
This method is used if the agents are not communicating to the DLP Endpoint server. The additional commands in this method also increase the size and number of log files in case the logs are too small for the increased logging level.
Locate the agent install files .zip, that was used when generating the agent install package. Extract and copy the tools folder appropriate for the client architecture to the client machine in the DLP Endpoint Agent folder. We specifically need the vontu_sqlite3 and service_shutdown tools.
For Reference the default agent locations are:
Mac OSX: /Library/Manufacturer/Endpoint\ Agent/
Windows: c:\Program Files\Manufacturer\Endpoint Agent\
Once the tools are in the DLP Agent folder run the following commands:
vontu_sqlite3 -db=cg.ead
Apply the tools password as needed. Then use the following commands in the vontu_sqllite3 tool to update the configuration (Note these are case sensitive):
Update CONFIGURATION set VALUE=”1″ where NAME=”LoggerStatus” and SETTING=”IsDefaultLogLevelChanged”;
Update CONFIGURATION set VALUE=”FINEST” where NAME=”LogLevel” and SETTING=”DefaultLevel”;
REPLACE INTO configuration VALUES(‘Logging’,’MaxFileSizeBytes’,’long’,’10240000′);
REPLACE INTO configuration VALUES(‘Logging’,’MaxFiles’,’int’,’10’);
.exit
Now run the following commands to stop the service, remove the old log files then restart the service:
Windows:
del edpa*.log
sc start edpa
Mac OSX:
sudo rm edpa*.log
sudo launchctl load /Library/LaunchDaemons/com.symantec.manufacturer.agent.plist
The edpa*.log files will now be readable on the client side with increased logging level set to FINEST and increased number of files and log file size.
Method 4: Enable FINEST level using the Vontu_sqlite3 via script
This method can be used to enable logging on many machines remotely via script similar to the functionality of update_configuration.exe by calling the Vontu_sqlite3.exe with the appropriate arguements and then echoing in the sql command. Note that this will expose the tools password in the script used. This method is valid in all current versions of DLP.
The following is an example windows script that can be used as a template:
REM Sets FINEST level logging with increased max files and max size and deobfuscates log
cd “program files\Manufacturer\Endpoint Agent\
Rem Copy version specific agent tools from the network
copy \\server\share\AgentTools15_0_MP1\vontu_sqlite3.exe
copy \\server\share\AgentTools15_0_MP1\service_shutdown.exe
copy /y \\server\share\AgentTools15_0_MP1\*.dll
echo Update CONFIGURATION set VALUE=0 where NAME=”Logging” and SETTING=”Obfuscate”; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE=”1″ where NAME=”LoggerStatus” and SETTING=”IsDefaultLogLevelChanged”; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE=”FINEST” where NAME=”LogLevel” and SETTING=”DefaultLevel”; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE=”10240000″ where NAME=”Logging” and SETTING=”MaxFileSizeBytes”; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo Update CONFIGURATION set VALUE=”10″ where NAME=”Logging” and SETTING=”MaxFiles”; | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo INSERT INTO configuration VALUES(‘Logging’,’MaxFileSizeBytes’,’long’,’10240000′); | vontu_sqlite3.exe -db=cg.ead -p=protect4
echo INSERT INTO configuration VALUES(‘Logging’,’MaxFiles’,’long’,’10’); | vontu_sqlite3.exe -db=cg.ead -p=protect4
service_shutdown -p=protect4
net start edpa