Palo Alto Networks Knowledgebase: How to collect Traps Agent support files (logs) from the Endpoint

Created On 09/25/18 18:19 PM - Last Updated 12/16/19 18:54 PM
Advanced Endpoint Protection Cortex XDR Traps
Symptom
When opening a Traps support case, provide the relevant Traps support files (logs). There are two common ways of collecting Traps agent logs from the Endpoint: sending a support file from the agent console (retrieved through the ESM), or running the GetLogsUtil tool on the Endpoint itself.

Environment
Traps Version 3.3.1.7983

Resolution

Send Support File from Agent Console

  1. Connect to the Endpoint (EP).
  2. Open the Agent Console.
     Open Agent Console.jpg
  3. Click Send Support File.
     Send_support_file.jpg
     Send_support_sending.jpg
  4. Connect to the Endpoint Security Manager (ESM) Console.
  5. Go to Monitor > Data Retrieval. The Endpoint Computer Logs that were uploaded are listed there.
     Log_in_esm.jpg
  6. Click Download and save the file. Do not rename the downloaded log file.
     Download.jpg
  7. Open the folder and upload the zipped log file to the case.
     Example of the files in the zip file:
     files in the Log Zip file.jpg
  8. Collect the Send Support File directly from the Endpoint when there is no connection to the server or the Upload State is Failed. This applies in either of two situations:
    1. The Traps agent has no connection to the ESM server:
       Agent_no_connection_to_server.jpg
    2. The Traps agent console shows a connection to the server:
       Agent_connected.jpg
       while the ESM Console shows 'Upload State Failed' under Monitor > Data Retrieval:
       Uploadstart_failed.jpg
     In both cases the support file is written locally and can be found on the Endpoint at:
    1. Windows Vista and above: C:\ProgramData\Cyvera\Everyone\Temp
       Logs_found_on_EP.jpg
    2. Windows XP: C:\Documents and Settings\All Users\Application Data\Cyvera\Everyone\Temp
       Windows_XP.jpg

 

Collect Endpoint Support Files with GetLogsUtil

Limitation: when SProt (service protection) is enabled on the Endpoint, the logs file created by GetLogsUtil will not include ClientPolicy.XML. That file should be included in cases related to Events, Rules, Policy and compatibility issues, so collect it separately and add it to the case.

ClientPolicy.XML can be found at:

Windows Vista and above: C:\ProgramData\Cyvera\LocalSystem

Windows XP: C:\Documents and Settings\All Users\Application Data\Cyvera\LocalSystem

  1. Download the file attached at the end of this article to the Endpoint.
     attached at end.jpg
  2. Extract the file GetLogs_3.3.1.8791.zip.
  3. The following shows the result of extracting it from the Downloads folder to the C:\Users\Win7_86\GetLogs_3.3.1.8791 folder:
     2016_GetLogs_deployed.jpg
  4. Run CMD as Administrator.
     CMD_runas_admin.jpg
  5. Change to the path where GetLogsUtilAgent was deployed with "cd Path".
     Example: cd C:\Users\Win7_86\GetLogs_3.3.1.8791
  6. Run the following command in CMD: "GetLogsUtilAgent.exe"
     The result is a zipped logs file in the folder where GetLogsUtilAgent is deployed.
     Logs_were_created.jpg
     To choose a different destination for the logs, pass it as an argument: "GetLogsUtilAgent.exe destination".
  7. Upload the zipped logs file that was created to the Case.
     Example of what the zipped logs file includes:
     Logs Zipped Files.jpg

When GetLogsUtil is deployed on a network folder it can be run from any Endpoint that has access to that folder, so the utility does not need to be copied to each machine.
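The two collection paths above (the locally retained Send Support File for the offline or "Upload State Failed" case, and GetLogsUtil plus the ClientPolicy.XML workaround for the SProt limitation) combined in one PowerShell script, as an added example that is not part of this article and not Palo Alto Networks code. It assumes GetLogsUtilAgent.exe has been extracted to the article's example path, that the utility takes the destination directory as its only argument (the "GetLogsUtilAgent.exe destination" form above) and writes one zip there whose name is not documented, so the newest zip written after the run is taken as the result; the function names and the default output folder are the author's own. It needs PowerShell 5.0 or later for Compress-Archive, so in practice it targets Windows Vista and later; the XP path is kept only so the path logic matches the article.

```powershell
# Added example (not Palo Alto Networks code): automate the collection steps above
# on a Windows endpoint. Assumptions, not stated by the article:
#   - GetLogsUtilAgent.exe is extracted to $ToolDir (default: the article's example path)
#     and accepts a destination directory as its only argument.
#   - The utility writes one *.zip into that destination; its file name is undocumented,
#     so the newest zip written after the run is taken as the result.
# Run from an elevated PowerShell 5.0+ session (the article runs the tool from an admin CMD).

param(
    [string]$ToolDir     = 'C:\Users\Win7_86\GetLogs_3.3.1.8791',   # assumed tool location
    [string]$Destination = (Join-Path $env:TEMP 'TrapsLogs')          # assumed output folder
)

function Get-TrapsDataRoot {
    # Paths as given in the article: Windows Vista and above vs. Windows XP.
    if ([Environment]::OSVersion.Version.Major -ge 6) {
        return 'C:\ProgramData\Cyvera'
    }
    return 'C:\Documents and Settings\All Users\Application Data\Cyvera'
}

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TrapsPendingSupportFile {
    # Offline / "Upload State Failed" case: the Send Support File stays in
    # Everyone\Temp on the endpoint. Return the newest zip there, if any.
    $temp = Join-Path (Get-TrapsDataRoot) 'Everyone\Temp'
    if (-not (Test-Path $temp)) { return $null }
    Get-ChildItem -Path $temp -Filter '*.zip' -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

function Invoke-TrapsGetLogs {
    param([string]$ToolDir, [string]$Destination)
    $exe = Join-Path $ToolDir 'GetLogsUtilAgent.exe'
    if (-not (Test-Path $exe)) { throw "GetLogsUtilAgent.exe not found in $ToolDir" }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $before = Get-Date
    # Equivalent of the article's: cd <ToolDir> ; GetLogsUtilAgent.exe <destination>
    $p = Start-Process -FilePath $exe -ArgumentList "`"$Destination`"" `
            -WorkingDirectory $ToolDir -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "GetLogsUtilAgent.exe exited with code $($p.ExitCode)" }
    $zip = Get-ChildItem -Path $Destination -Filter '*.zip' -File |
        Where-Object { $_.LastWriteTime -ge $before } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $zip) { throw "No zip was produced in $Destination" }
    return $zip
}

function Add-TrapsClientPolicy {
    # SProt limitation: GetLogsUtil omits ClientPolicy.XML, which Events/Rules/Policy
    # and compatibility cases need. Add it to the zip when it is present.
    param([System.IO.FileInfo]$Zip)
    $policy = Join-Path (Get-TrapsDataRoot) 'LocalSystem\ClientPolicy.XML'
    if (Test-Path $policy) {
        # -Update adds to an existing archive (PowerShell 5.0+). LocalSystem is
        # readable only when elevated, hence the administrator check below.
        Compress-Archive -Path $policy -DestinationPath $Zip.FullName -Update
        return $true
    }
    return $false
}

if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell session.' }

$pending = Get-TrapsPendingSupportFile
if ($pending) {
    Write-Host "Unsent Send Support File found on the endpoint: $($pending.FullName)"
}

$zip   = Invoke-TrapsGetLogs -ToolDir $ToolDir -Destination $Destination
$added = Add-TrapsClientPolicy -Zip $zip

# Record what will be uploaded to the case, with a hash so the upload can be verified.
$hash = (Get-FileHash -Path $zip.FullName -Algorithm SHA256).Hash
Write-Host "Support file: $($zip.FullName)"
Write-Host "ClientPolicy.XML added: $added"
Write-Host "SHA256: $hash"
```

Keep the zip name the utility produced and attach the file to the case unchanged; the SHA256 printed at the end lets support confirm the upload was not truncated or altered in transit. If the pending Send Support File from Everyone\Temp is reported, upload that zip as well, since it is the one the agent could not deliver to the ESM.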


Attachments
  GetLogs_3.3.1.8791.zip (the GetLogsUtil package referenced in the steps above)
Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClPSCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail