Symantec Data Loss Prevention (DLP) Event Collector does not map properly events from DLP 11.6.x
Article ID: 157807
Updated On:
Products
Security Information Manager
Issue/Introduction
You have followed all the required steps from DLP Event Collector Quick Reference
You enable the sensor and you observe that parsing of events is not correct
N/A
Cause
DLP 11.6 Version appears to have changed the "Signature" sent by the SYSLOG response rule - this is causing the Symantec Security Information Manager (SSIM) Collector to fail to properly handle DLP SysLog data.
The syslog data is still successfully getting from the Enforce server to the SSIM collector, however the format of the RAW data seems to have changed slightly so the SSIM was only storing the RAW data and not able to perform any mapping of the incident data to the SSIM database.
Prior to 11.6, the RAW data sent to the SSIM appended this "Vontu Incident: " string to the beginning of the data.
As per SSIM documentation, the SSIM collector is supposed to look for this string to know where to begin parsing the different incident data fields:
Example:
Sep 18 14:19:52 56.207.52.30 Sep 18 14:20:14 ServerName Vontu Incident: BLOCKED|Blocked|INCIDENT_ID|1312631....
After upgrade to 11.6, it looks like the "Vontu Incident: " string is no longer being added,
The string goes right from the time/date stamp and server name right into the incident data:
Example:
Sep 18 14:16:13 56.207.52.30 Sep 18 14:16:35 ServerName BLOCKED|Action Blocked|INCIDENT_ID|1312589....
Existing documentation for SSIM (Symantec Security Information Manager) - Symantec Event Collector (p. 23) does inform that DLP should be sending the SysLog data with the following "signature":
----
The default Syslog Director settings for this collector are as follows:
Collector name Symantec DLP Event Collector
Collector signature Vontu Incident:
Default port 10559
----
The default Syslog Director settings for this collector are as follows:
Collector name Symantec DLP Event Collector
Collector signature Vontu Incident:
Default port 10559
This has been escalated to the engineering team and DLP Event Collector Quick Reference Guie needs to be updated.
Resolution
Current workaround is to add the "Vontu Incident: " string to the beginning of the message in the Syslog response rule on DLP, e.g.,
Vontu Incident: BLOCKED|$BLOCKED$|INCIDENT_ID|$INCIDENT_ID$|RECIPIENTS|$RECIPIENTS$....
Applies To
DLP 11.6.x
Attachments
Feedback
Yes
No
Powered by
