How to configure Symantec Data Loss Prevention (DLP) to send messages and alerts to Syslog.
This solution allows to send System Events to a Syslog server. The list of the events is limited. All the available System Events for DLP 16.0 can be found below:
System event codes and messages (broadcom.com)
If an event is not listed it will be not be forwarded to the Syslog server.
DLP 15.8 and later
DLP supports two methods for generating Syslog events: "Syslog Response Rule" notifications and "Syslog Server Alerts".
1. Creating a Syslog Response Rule
Go to the Enforce console >> Manage >> Policies >> Response Rules >> Add Response Rule >> From the action drop down select "Log to a Syslog Server"
Fill in the Host, Port, Message, Protocol(UDP or TCP) and Level as appropriate. You can also add variables to the Message field by selecting them from the Insert Variable list on the right. The variables will populate with values based on the specific incident. Once assigned to a Policy, the Response Rule will generate a syslog event when triggered.
NOTE: The creation of a "Syslog Response Rule" does not require the additional method described for "Syslog Server Alerts" - they are separate functions.
2. Create Syslog Server Alerts
Syslog functionality is an on or off option. If syslog is turned on, all Severe events are sent to the syslog server. To enable sending server events to syslog:
a. Go to the \Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\config directory on Windows or the /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/Protect/config directory on Linux.
b. Open the Manager.properties file.
c. Uncomment the #systemevent.syslog.protocol = line by removing the # symbol from the beginning of the line, and enter [ udp | tcp | tls ] to secure communications sent from the Enforce Server to the syslog server.
d. Uncomment the #systemevent.syslog.host= line by removing the # symbol from the beginning of the line, and enter the hostname or IP address of the syslog server.
e. Uncomment the #systemevent.syslog.port= line by removing the # symbol from the beginning of the line. Enter the port number that should accept connections from the Enforce Server server. The default is 514.
Note: If you are using TCP or TLS communication, ensure that the port you enter correctly corresponds to the port that is configured on the syslog server.
f. Uncomment the #systemevent.syslog.format= [{0}] {1} - {2} line by removing the # symbol from the beginning of the line. Then define the system event message format to be sent to the syslog server:
If the line is uncommented without any changes, the notification messages are sent in the format: [server name] summary - details. The format variables are:
{0} - the name of the server on which the event occurred
{1} - the event summary
{2} - the event detail
For example, the following configuration specifies that Severe system event notifications are sent to a syslog host named server1 which uses port 600.
systemevent.syslog.protocol = TCP
systemevent.syslog.host=server1
systemevent.syslog.port=600
systemevent.syslog.format= [{0}] {1} - {2}
Using this example, a low disk space event notification from an Enforce Server on a host named server1 would look like:
server1 Low disk space - Hard disk space for
incident data storage server is low. Disk usage is over 82%.
You can set the log level to include INFO, WARNING and/or SEVERE by changing systemevent.syslog.level property, by default the value should be 3, but you can change it as per your requirement.
For reference:
Log level 3 = logs SEVERE messages only (this is default)
Log level 4 = Logs SEVERE and WARNING
Log level 5 = logs INFO, WARNING, SEVERE
Restart Symantec DLP services for the change to take effect, refer for Windows and Linux.