Symantec Data Loss Prevention (DLP) Event Collector does not map events from DLP 11.6.x properly

Article ID: 157807

Products

Security Information Manager

Issue/Introduction

You have followed all the required steps in the DLP Event Collector Quick Reference Guide.

You enable the sensor and observe that the DLP events are not being parsed correctly.

Cause

DLP 11.6 appears to have changed the "signature" sent by the Syslog response rule. This causes the Symantec Security Information Manager (SSIM) collector to fail to handle DLP syslog data properly.

The syslog data still reaches the SSIM collector from the Enforce server, but the format of the raw data has changed slightly, so the SSIM only stores the raw data and cannot map the incident data into the SSIM database.

Prior to 11.6, the raw data sent to the SSIM began with the string "Vontu Incident: ".

As per the SSIM documentation, the SSIM collector looks for this string to know where to begin parsing the individual incident data fields:

Example:

Sep 18 14:19:52 56.207.52.30 Sep 18 14:20:14  ServerName Vontu Incident: BLOCKED|Blocked|INCIDENT_ID|1312631....

After the upgrade to 11.6, the "Vontu Incident: " string is no longer added. The message goes straight from the timestamp and server name into the incident data:

Example:

Sep 18 14:16:13 56.207.52.30 Sep 18 14:16:35  ServerName BLOCKED|Action Blocked|INCIDENT_ID|1312589....

The existing SSIM documentation (Symantec Security Information Manager - Symantec Event Collector, p. 23) states that DLP should send the syslog data with the following "signature":
----
 The default Syslog Director settings for this collector are as follows:
  Collector name         Symantec DLP Event Collector
  Collector signature    Vontu Incident:
  Default port           10559

This has been escalated to the engineering team; the DLP Event Collector Quick Reference Guide needs to be updated.
 

 

Resolution

The current workaround is to add the "Vontu Incident: " string to the beginning of the message in the Syslog response rule on the DLP Enforce server, e.g.:


Vontu Incident: BLOCKED|$BLOCKED$|INCIDENT_ID|$INCIDENT_ID$|RECIPIENTS|$RECIPIENTS$....
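To illustrate the cause and the workaround together, the following added example (not Symantec code, and not part of this article) models the collector behaviour described above: the incident payload is located by searching for the collector signature "Vontu Incident: ", and the text after it is read as alternating name|value pairs; a message without the signature is kept raw-only with no mapped fields. The incident values, the syslog header, the RECIPIENTS field value and the function names are constructed for this example; the two response-rule templates are the 11.6 form and the workaround form shown in this article.

```python
import re
from dataclasses import dataclass, field

# Collector signature from the SSIM Symantec Event Collector documentation quoted above.
SIGNATURE = "Vontu Incident: "

# Hypothetical incident data, constructed for this example.
INCIDENT = {
    "BLOCKED": "Blocked",
    "INCIDENT_ID": "1312631",
    "RECIPIENTS": "user@example.com",
}

# Syslog response-rule message templates: the DLP 11.6 form (no signature)
# and the workaround form with the signature prepended.
TEMPLATE_116 = "BLOCKED|$BLOCKED$|INCIDENT_ID|$INCIDENT_ID$|RECIPIENTS|$RECIPIENTS$"
TEMPLATE_FIXED = SIGNATURE + TEMPLATE_116

# Syslog header in the shape shown in the article's examples (constructed values).
HEADER = "Sep 18 14:19:52 56.207.52.30 Sep 18 14:20:14  ServerName "


def render_response_rule(template, incident):
    """Expand $NAME$ variables in a response-rule template (hypothetical model
    of the DLP syslog response rule); unknown variables expand to ''."""
    return re.sub(r"\$([A-Z_]+)\$", lambda m: incident.get(m.group(1), ""), template)


@dataclass
class CollectorRecord:
    raw: str                      # the raw syslog text is always stored
    fields: dict = field(default_factory=dict)  # mapped incident fields

    @property
    def mapped(self):
        return bool(self.fields)


def parse_collector_message(line):
    """Model of the collector: find the signature, then parse name|value pairs.
    Without the signature the record is stored raw-only (the 11.6 symptom)."""
    rec = CollectorRecord(raw=line)
    start = line.find(SIGNATURE)
    if start < 0:
        return rec
    payload = line[start + len(SIGNATURE):].strip()
    tokens = payload.split("|")
    if len(tokens) % 2:
        tokens.append("")  # a trailing name with no value maps to ''
    for name, value in zip(tokens[0::2], tokens[1::2]):
        if name:
            rec.fields[name] = value
    return rec


def simulate(template, incident=INCIDENT):
    """Render a template as the Enforce server would and feed it to the collector model."""
    return parse_collector_message(HEADER + render_response_rule(template, incident))


if __name__ == "__main__":
    for label, tpl in (("DLP 11.6 default", TEMPLATE_116), ("with workaround", TEMPLATE_FIXED)):
        rec = simulate(tpl)
        print(f"{label}: mapped={rec.mapped} fields={rec.fields}")
```

Running the block shows the 11.6 template producing a record with no mapped fields and the workaround template producing BLOCKED, INCIDENT_ID and RECIPIENTS. Note that the payload is delimited by single pipe characters, so in this model a variable value that itself contains "|" shifts every following pair; the workaround restores the signature but does not change that property of the format.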



Applies To

DLP 11.6.x

Attachments