Endpoint Agent Troubleshooting

Summary

This article provides some tips on how to troubleshoot the Endpoint agent.

======================================================
Below is a list of items the customer should provide to the Symantec Technical Support team when troubleshooting the Endpoint Agent.

 
1. Windows event logs, both system and application
2. edap_ext0.log
3. ks.ead
4. sto.ead
5. If possible, a procmon capture taken while the agent loads and locks up the machine
6. If possible, a memdump capture of the edpa service

Items 2-4 are found in the agent install directory.
Items 5-6 are captured with Sysinternals tools, which can be found, along with their syntax, here: https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

 

======================================================
 

Problem Summary

You are having issues with the Endpoint Agent and need to change the log levels locally.

Solution

Using the agent tools, you can set log levels, stop services, and so on.

1. Copy the following tools to the Endpoint install directory:

- service_shutdown.exe
- vontu_sqlite3.exe

2. Run SQLite commands to change log levels to FINEST

cd C:\Program Files\Manufacturer\Endpoint Agent\
vontu_sqlite3.exe -db=cg.ead -p=<TOOLS_PASSWORD or default VontuStop>
To set the default log level to FINEST:
update configuration set value = 'FINEST' where setting = 'DefaultLevel';
To decrypt the EDPA logs (disable obfuscation):
update configuration set value = '0' where setting = 'Obfuscate';
To check your work:
select * from configuration where name like '%Log%';

3. Restart services for the change to take effect

service_shutdown.exe -p=<TOOLS_PASSWORD or default VontuStop>
sc start edpa && sc start wdp
 

==================================================

 

Copy all troubleshooting tools to Endpoint Agent directory

The tools used in this write-up are listed below:

- logdump.exe
- service_shutdown.exe
- vontu_sqlite3.exe

Restarting Endpoint Services Locally

1. To stop the services, run:

cd C:\Program Files\Manufacturer\Endpoint Agent
service_shutdown.exe -p=TOOLS_PASSWORD

2. To start the services, run:

sc start edpa && sc start wdp

Basic SQLite

1. To open SQLite, run the following from a Command Prompt opened in Administrator mode:

vontu_sqlite3.exe -db=cg.ead -p=TOOLS_PASSWORD

2. To check the Endpoint agent configuration in SQLite, run:

.header on
.mode list
.separator |
.output NAME_OF_FILE.txt
select * from Configuration;

3. To set the log level to FINEST, run:

update configuration set value = 'FINEST' where setting = 'DefaultLevel';

For DLP 15.1.0, to disable log obfuscation, run:

Update CONFIGURATION set VALUE=0 where NAME='Logging' and SETTING='Obfuscate';
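As an added example (not part of the original article or of the DLP agent tooling), a small Python checker for the Configuration dump written by step 2 above: it parses the pipe-separated list-mode output and reports whether the troubleshooting changes from step 3 (FINEST logging, obfuscation disabled) are still in place, which you will want to revert once support has the logs. The NAME / SETTING / VALUE column names are assumed from the update statements in this article, and the sample dump is constructed.

```python
# Checker for the Configuration dump produced by the vontu_sqlite3 steps above
# (.header on, .mode list, .separator |, .output <file>, select * from Configuration;).
# Assumption: the table has NAME / SETTING / VALUE columns, as the update statements in
# this article imply; rows are keyed on the header line, so extra columns are tolerated.
from typing import Dict, List

# Constructed sample dump for illustration, not data from a real agent.
SAMPLE_DUMP = """\
NAME|SETTING|VALUE
Logging|DefaultLevel|FINEST
Logging|Obfuscate|0
"""


def parse_config_dump(text: str) -> List[Dict[str, str]]:
    """Parse pipe-separated list-mode output (header row first) into row dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = [h.strip().upper() for h in lines[0].split("|")]
    rows = []
    for ln in lines[1:]:
        fields = ln.split("|", len(header) - 1)  # last column may itself contain '|'
        if len(fields) != len(header):
            continue  # skip malformed rows rather than guess at their layout
        rows.append(dict(zip(header, (f.strip() for f in fields))))
    return rows


def logging_settings(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Return {SETTING: VALUE} for the rows whose NAME is Logging."""
    return {r["SETTING"]: r.get("VALUE", "") for r in rows
            if r.get("NAME", "").lower() == "logging" and "SETTING" in r}


def troubleshooting_leftovers(rows: List[Dict[str, str]]) -> List[str]:
    """Flag troubleshooting changes that were not reverted: FINEST logging is very
    verbose and fills the disk, and Obfuscate=0 writes the EDPA log in clear text."""
    log = logging_settings(rows)
    findings = []
    if log.get("DefaultLevel", "").upper() == "FINEST":
        findings.append("DefaultLevel is still FINEST")
    if log.get("Obfuscate") == "0":
        findings.append("Obfuscate is 0 (EDPA log written unobfuscated)")
    return findings


if __name__ == "__main__":
    for finding in troubleshooting_leftovers(parse_config_dump(SAMPLE_DUMP)):
        print("WARNING:", finding)
```

Point it at the file named in the `.output` step to check a real dump; an empty result means both settings have been put back.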

Pull EDPA decrypted logs locally

1. Locate edpa_ext0.log in the Endpoint install directory and run:

cd C:\Program Files\Manufacturer\Endpoint Agent
logdump.exe -log=edpa_ext0.log -p=TOOLS_PASSWORD > NAME_OF_FILE.txt
