If an Elastic EDR agent is offline and not ingesting logs while it is running autonomously, we copy the log files (such as documents-2025-MM-0DDT024007.log) out-of-band to an offline location while the agent is offline.
1- Has anyone tried decoding the locally stored EDR logs after copying them offline?
Any insights about the format (encoding, compression, etc.)?
They seem to be in a proprietary binary format with the magic header ODUC. Snippet from the header:
2- If we copy/paste the files back onto the same endpoint after it goes online, would it pick up and ingest the logs? The timestamps will matter, I guess, so maybe rename the files to a new timestamp?
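Before guessing at the encoding of files copied out-of-band, it helps to triage them by magic bytes and record an integrity hash at the time of copy. The script below is an added example, not Elastic's code and not a decoder for the ODUC layout (which the post leaves undocumented); it only recognises the observed "ODUC" prefix alongside well-known public compression signatures (gzip, zstd, lz4, zip), falls back to a text/binary heuristic, and hashes each file with SHA-256. The sample files it builds are constructed for the demo and are not real Elastic Endpoint logs; the `build_sample_dir`, `sniff_format`, `sha256_file` and `inventory` names are this example's own.

```python
import gzip
import hashlib
import os
import tempfile

# Magic-byte signatures to check before assuming anything about a copied log file.
# "ODUC" is the header the poster observed in Elastic Endpoint's local documents-*.log
# files (layout unknown); the other entries are public, well-known format signatures.
SIGNATURES = {
    b"ODUC": "elastic-endpoint-proprietary (ODUC header, layout undocumented)",
    b"\x1f\x8b": "gzip",
    b"\x28\xb5\x2f\xfd": "zstd",
    b"\x04\x22\x4d\x18": "lz4-frame",
    b"PK\x03\x04": "zip",
}


def sniff_format(path):
    """Classify a file by its leading bytes; never decompress or parse untrusted content here."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, name in SIGNATURES.items():
        if head.startswith(magic):
            return name
    # Crude fallback: printable ASCII (plus tab/CR/LF) in the first bytes means "text".
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text"
    return "unknown-binary"


def sha256_file(path):
    """Stream the file through SHA-256 so the copy can be verified later (chain of custody)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(directory):
    """Return {filename: {"format", "size", "sha256"}} for every regular file in directory."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        result[name] = {
            "format": sniff_format(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
        }
    return result


def build_sample_dir():
    """Create constructed sample files (not real EDR logs) in a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="edr-triage-")
    # Mimics only the observed 4-byte magic; the remaining bytes are filler, not a real record.
    with open(os.path.join(d, "documents-2025-01-01T000000.log"), "wb") as fh:
        fh.write(b"ODUC" + b"\x00\x01" + b"\x00" * 60)
    # A gzip-compressed JSON line, to show that compressed copies are recognised as such.
    with gzip.open(os.path.join(d, "archived.log.gz"), "wb") as fh:
        fh.write(b'{"@timestamp":"2025-01-01T00:00:00Z","event":"constructed sample"}\n')
    # Plain text, to exercise the fallback heuristic.
    with open(os.path.join(d, "plain.log"), "wb") as fh:
        fh.write(b"2025-01-01 00:00:00 INFO constructed plaintext line\n")
    return d


if __name__ == "__main__":
    sample_dir = build_sample_dir()
    for name, info in inventory(sample_dir).items():
        print(f"{name:40} {info['format']:50} {info['size']:6d} {info['sha256'][:16]}...")
```

Run it against the directory you copied the files into instead of the constructed sample directory; keep the resulting inventory (name, size, hash, detected format) with the offline copy so that a later re-ingest or analysis can prove the files were not altered in transit.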
The easier way to read the logs would be to create an agent/endpoint diagnostics zip which will have logs contained in them.
If you copy/paste them back to the endpoint after it comes back online, I'm not sure the behavior would be fully predictable. It would potentially depend on whether and how many events it has logged since the files were removed, and on what the oldest events in the files are compared to the oldest the system has logged. If you copy them and don't delete them, when the endpoint comes back online it should pick up where it left off.