DLP 11.6 Version appears to have changed the "Signature" sent by the SYSLOG response rule - this is causing the Symantec Security Information Manager (SSIM) Collector to fail to properly handle DLP SysLog data.
The syslog data is still successfully getting from the Enforce server to the SSIM collector, however the format of the RAW data seems to have changed slightly so the SSIM was only storing the RAW data and not able to perform any mapping of the incident data to the SSIM database.
Prior to 11.6, the RAW data sent to the SSIM appended this "Vontu Incident: " string to the beginning of the data.
As per SSIM documentation, the SSIM collector is supposed to look for this string to know where to begin parsing the different incident data fields:
Example:
Sep 18 14:19:52 56.207.52.30 Sep 18 14:20:14 ServerName Vontu Incident: BLOCKED|Blocked|INCIDENT_ID|1312631....
After upgrade to 11.6, it looks like the "Vontu Incident: " string is no longer being added,
The string goes right from the time/date stamp and server name right into the incident data:
Example:
Sep 18 14:16:13 56.207.52.30 Sep 18 14:16:35 ServerName BLOCKED|Action Blocked|INCIDENT_ID|1312589....
Existing documentation for SSIM (Symantec Security Information Manager) - Symantec Event Collector (p. 23) does inform that DLP should be sending the SysLog data with the following "signature":
----
The default Syslog Director settings for this collector are as follows:
Collector name Symantec DLP Event Collector
Collector signature Vontu Incident:
Default port 10559
This has been escalated to the engineering team and DLP Event Collector Quick Reference Guie needs to be updated.