Procedure to move the /pcap or drop folders from C: to a different drive

Article ID: 159777

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Network Monitor, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Enforce, Data Loss Prevention Network Discover, Data Loss Prevention Network Prevent for Web, Data Loss Prevention Endpoint Discover

Issue/Introduction

You want to relocate any of the spool or drop folders on a DLP Detection or Enforce server to an alternate location.

Resolution

Changes need to be made in different places depending on the situation, goal, and version of DLP:

If you are attempting to change the spooling location for packet capture on a Network Monitor server:

On version 7: Change com.vontu.packetcapture.dir in Protect.properties on the Detection Server itself.

On version 8 and later: Change the Source Folder Override section on the Configure Server screen of the Network Monitor server:

The source folder is the directory the server uses to buffer network streams before it processes them. The recommended setting is to leave the Source Folder Override field blank to accept the default. If you want to specify a custom buffer directory, type the full path to the directory.

If you wish to change the location of the rest of the drop folders that normally reside on the root of the C: drive:

You must edit the Protect.properties file on the Detection Server. For instance, if you want to use d:\Apps as your drop root, configure the paths as follows:

# Endpoint aggregator drop folder
com.vontu.aggregatorinductor.dir = d:/Apps/drop_ep

# Endpoint two-tier detection drop folder
com.vontu.ttdinductor.dir = d:/Apps/drop_ttd

# Endpoint log files drop folder
com.vontu.endpoint.log.dir = d:/Apps/drop_epl

# ICAP request processor spool folder
com.vontu.icap.spool.dir = d:/Apps/icap_spool

# PacketCapture drop folder
com.vontu.packetcapture.dir = d:/Apps/drop_pcap

# PacketCapture spool folder
com.vontu.packetcapture.spool.dir = d:/Apps/packet_spool

# Classification spool folder
com.vontu.classification.spool.dir = d:/Apps/classification_spool

# SMTP copy rule drop folder
com.vontu.copyrule.dir = d:/Apps/drop

You must manually create the folders on the Detection Server for this to work. The Protect user needs full permissions on every folder used above for normal processing.

Then recycle the server.

Note: On Linux, the packet spool directory and the drop directories must be on the same partition.

On Linux, the default locations are the following:

# Endpoint aggregator drop folder
com.vontu.aggregatorinductor.dir = /var/Vontu/drop_ep

# Endpoint two-tier detection drop folder
com.vontu.ttdinductor.dir = /var/Vontu/drop_ttd

# Endpoint log files drop folder
com.vontu.endpoint.log.dir = /var/Vontu/drop_epl

# ICAP request processor spool folder
com.vontu.icap.spool.dir = /var/Vontu/icap_spool

# PacketCapture drop folder
com.vontu.packetcapture.dir = /var/Vontu/drop_pcap

# PacketCapture spool folder
com.vontu.packetcapture.spool.dir = /var/Vontu/packet_spool

# Classification spool folder
com.vontu.classification.spool.dir = /var/Vontu/classification_spool

# SMTP copy rule drop folder
com.vontu.copyrule.dir = /var/Vontu/drop

Note: For Symantec DLP version 11.6 and higher, the Vontu directory is instead called SymantecDLP.
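
The following check is an added example, not part of the original article or of Symantec DLP itself. Run as the Protect user after editing Protect.properties and before recycling the server, it reports configured folders that are missing or not accessible and, on Linux, folders that do not share one partition. It assumes the simple "key = value" form shown in the listings above; the sample paths in its demo section are constructed.

```python
import os

# Keys taken from the Protect.properties listings in this article.
DIR_KEYS = (
    "com.vontu.aggregatorinductor.dir", "com.vontu.ttdinductor.dir",
    "com.vontu.endpoint.log.dir", "com.vontu.icap.spool.dir",
    "com.vontu.packetcapture.dir", "com.vontu.packetcapture.spool.dir",
    "com.vontu.classification.spool.dir", "com.vontu.copyrule.dir",
)

def parse_properties(text):
    """Parse simple 'key = value' lines (assumed form); '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_folders(props, same_partition=(os.name == "posix")):
    """Return a list of problems with the configured drop/spool folders."""
    problems, devices = [], {}
    for key in DIR_KEYS:
        path = props.get(key)
        if path is None:
            continue  # key not set in this file
        if not os.path.isdir(path):
            problems.append(f"{key}: missing folder {path}")
            continue
        # Run as the Protect user so this reflects that account's access.
        if not os.access(path, os.R_OK | os.W_OK | os.X_OK):
            problems.append(f"{key}: no read/write access to {path}")
        devices[key] = os.stat(path).st_dev
    # Linux note above: spool and drop folders must share one partition.
    if same_partition and len(set(devices.values())) > 1:
        problems.append("folders on different partitions: " + ", ".join(sorted(devices)))
    return problems

if __name__ == "__main__":
    import tempfile
    # Constructed sample: one folder exists, the other was never created.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "drop_pcap"))
        sample = (f"com.vontu.packetcapture.dir = {root}/drop_pcap\n"
                  f"com.vontu.packetcapture.spool.dir = {root}/packet_spool\n")
        print(check_folders(parse_properties(sample)))
```
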