Offline Decoding of EDR logs

Hello,

If an Elastic EDR agent is offline, not ingesting logs, while it is running autonomously, then we copy the log files (such as documents-2025-MM-0DDT024007.log) out-of-band to an offline location while the agent is offline.

1- Has anyone tried decoding the locally stored EDR logs after copying them offline?
Any insights about the format (encoding, compression, etc.)?
They seem to be in a proprietary binary format with the magic header ODUC. Snippet from the header:

00000000 4f 44 55 43 00 02 00 00 00 00 00 00 00 00 00 00 |ODUC............|
00000010 02 5e 15 b5 56 b9 c6 f6 14 6c c9 e8 21 94 c4 fc |.^..V....l..!...|
00000020 39 df 75 67 f2 29 fe 45 ec 63 35 3c 6e aa 57 bb |9.ug.).E.c5<n.W.|

2- If we copy/paste the files back onto the same endpoint after it goes online, would it pick them up and ingest the logs? The timestamps will matter, I guess, so maybe rename the files to a new timestamp?
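A small triage script for the question about format, encoding and compression. This is an added example, not code from the poster or from Elastic; the only thing the page establishes about the container is the ODUC magic at offset 0, so the 16-byte header length and the reading of bytes 4-5 as a big-endian version/flags field are labelled assumptions. The script checks the magic, looks for well-known compression stream signatures at the start of the payload, and measures printable ratio and Shannon entropy to tell plaintext, compressed and encrypted-looking data apart. The embedded sample is the three hexdump rows from the post, decoded to bytes.

```python
import math
import sys
from collections import Counter

# Magic bytes quoted in the post. Everything else about the layout is an
# assumption: the container format is not publicly documented.
MAGIC = b"ODUC"
HEADER_LEN = 16  # assumption: the first hexdump row looks like a fixed header

# Constructed sample: the three hexdump rows quoted in the post, as raw bytes.
SAMPLE = bytes.fromhex(
    "4f445543000200000000000000000000"
    "025e15b556b9c6f6146cc9e82194c4fc"
    "39df7567f229fe45ec63353c6eaa57bb"
)

# Well-known compression stream magics, checked at the start of the payload.
COMPRESSION_MAGICS = {
    "gzip": b"\x1f\x8b",
    "zstd": b"\x28\xb5\x2f\xfd",
    "lz4 frame": b"\x04\x22\x4d\x18",
    "xz": b"\xfd7zXZ\x00",
    "bzip2": b"BZh",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def parse_header(data: bytes) -> dict:
    """Split off the assumed 16-byte header and describe what it contains."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than the assumed header")
    header, payload = data[:HEADER_LEN], data[HEADER_LEN:]
    return {
        "magic_ok": header[:4] == MAGIC,
        # assumption: bytes 4-5 are a big-endian version/flags field (0x0002 in the post)
        "field_at_4": int.from_bytes(header[4:6], "big"),
        "header_tail_zero": not any(header[6:]),
        "payload": payload,
    }


def detect_payload_type(payload: bytes) -> str:
    """Heuristic classification of the bytes following the header."""
    for name, magic in COMPRESSION_MAGICS.items():
        if payload.startswith(magic):
            return f"compressed ({name})"
    if printable_ratio(payload) > 0.9:
        return "plaintext"
    # For short inputs the entropy ceiling is log2(len); for long ones it is 8.
    # Sitting at that ceiling is what encrypted or already-compressed data looks like.
    ceiling = min(8.0, math.log2(len(payload))) if payload else 0.0
    if ceiling and shannon_entropy(payload) >= 0.95 * ceiling:
        return "high-entropy (encrypted or unknown compression)"
    return "unknown binary"


def triage(data: bytes) -> dict:
    """Header facts plus payload entropy and classification for one file."""
    info = parse_header(data)
    payload = info.pop("payload")
    info["payload_entropy"] = round(shannon_entropy(payload), 3)
    info["payload_type"] = detect_payload_type(payload)
    return info


if __name__ == "__main__":
    # Usage: python triage_oduc.py <copied .log file>; falls back to the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

On the 32 payload bytes from the post every byte value is distinct, so the entropy is exactly 5.0 bits per byte, the ceiling for an input that short; that is consistent with encryption or compression but far too little data to conclude anything. Run the script over a whole copied file: a payload that stays near 8 bits per byte across megabytes and carries no recognisable compression header is, in practice, not decodable without the vendor's own tooling, which is a useful thing to know before investing time in reverse engineering.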

The easier way to read the logs would be to create an agent/endpoint diagnostics zip which will have logs contained in them.

If you copy/paste them back to the endpoint after it comes back online, I'm not sure if the behavior would be fully predictable. It would potentially depend on if and how many events it has logged since the files were removed and what the oldest events in the files are compared to the oldest the system has logged. If you copy them and don't delete them, when the endpoint comes back online it should pick up where it left off.

Thanks. BTW, the diagnostics package doesn't include the Documents in question; it includes system-related telemetry.
