You want to relocate any of the spool or drop folders on a DLP Detection or Enforce server to an alternate location.
There are multiple places that changes need to be made depending on the situation, goal, and version of DLP:
If you are attempting to change the spooling location for packet capture on a Network Monitor server:
On version 7: Change com.vontu.packetcapture.dir in Protect.properties on the Detection Server itself.
On version 8 and later: Change the Source Folder Override field on the Configure Server screen of the Network Monitor server:
The source folder is the directory the server uses to buffer network streams before it processes them. The recommended setting is to leave the Source Folder Override field blank to accept the default. If you want to specify a custom buffer directory, type the full path to the directory.
If you wish to change the location of the rest of the drop folders that normally reside on the root of the C: drive:
You must edit the Protect.properties file on the Detection Server. For instance, if you want to use d:\Apps as your drop root, configure the paths as follows:
# Endpoint aggregator drop folder
com.vontu.aggregatorinductor.dir = d:/Apps/drop_ep
# Endpoint two-tier detection drop folder
com.vontu.ttdinductor.dir = d:/Apps/drop_ttd
# Endpoint log files drop folder
com.vontu.endpoint.log.dir = d:/Apps/drop_epl
# ICAP request processor spool folder
com.vontu.icap.spool.dir = d:/Apps/icap_spool
# PacketCapture drop folder
com.vontu.packetcapture.dir = d:/Apps/drop_pcap
# PacketCapture spool folder
com.vontu.packetcapture.spool.dir = d:/Apps/packet_spool
# Classification spool folder
com.vontu.classification.spool.dir = d:/Apps/classification_spool
# SMTP copy rule drop folder
com.vontu.copyrule.dir = d:/Apps/drop
You must manually create the folders on the Detection Server for this to work. The Protect user needs full permissions on every folder listed above for normal processing.
Then recycle the server.
Note: On Linux, the packet spool directory and the drop directories need to be on the same partition.
For Linux the default locations are the following:
# Endpoint aggregator drop folder
com.vontu.aggregatorinductor.dir = /var/Vontu/drop_ep
# Endpoint two-tier detection drop folder
com.vontu.ttdinductor.dir = /var/Vontu/drop_ttd
# Endpoint log files drop folder
com.vontu.endpoint.log.dir = /var/Vontu/drop_epl
# ICAP request processor spool folder
com.vontu.icap.spool.dir = /var/Vontu/icap_spool
# PacketCapture drop folder
com.vontu.packetcapture.dir = /var/Vontu/drop_pcap
# PacketCapture spool folder
com.vontu.packetcapture.spool.dir = /var/Vontu/packet_spool
# Classification spool folder
com.vontu.classification.spool.dir = /var/Vontu/classification_spool
# SMTP copy rule drop folder
com.vontu.copyrule.dir = /var/Vontu/drop
Note: For Symantec DLP version 11.6 and higher, the Vontu directory is instead called SymantecDLP.
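A pre-restart check for the folder requirements described above, as an added example that is not Symantec tooling: it parses a Protect.properties file and reports configured folders that are missing, not accessible to the current user, or (on Linux) on a different partition than the packet spool folder. The function names are hypothetical, and it assumes you run it as the Protect user.

```python
import os

# Property keys copied from the Protect.properties listing on this page.
DIR_KEYS = ["com.vontu." + s for s in (
    "aggregatorinductor.dir", "ttdinductor.dir", "endpoint.log.dir",
    "icap.spool.dir", "packetcapture.dir", "packetcapture.spool.dir",
    "classification.spool.dir", "copyrule.dir")]
SPOOL_KEY = "com.vontu.packetcapture.spool.dir"


def parse_properties(text):
    """Return {key: value} for 'key = value' lines (simplified: '#' comments only)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_folders(props):
    """Return (key, problem) pairs for folders that would break processing."""
    problems = []
    spool = props.get(SPOOL_KEY)
    # The same-partition requirement is stated for Linux only.
    same_fs = os.name == "posix" and spool and os.path.isdir(spool)
    for key in DIR_KEYS:
        path = props.get(key)
        if path is None:
            continue  # not overridden in this file
        if not os.path.isdir(path):
            problems.append((key, "folder does not exist"))
        elif not os.access(path, os.R_OK | os.W_OK | os.X_OK):
            problems.append((key, "current user lacks read/write access"))
        elif same_fs and os.stat(path).st_dev != os.stat(spool).st_dev:
            problems.append((key, "not on the same partition as the packet spool"))
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # argument: path to Protect.properties
        with open(sys.argv[1]) as fh:
            for key, problem in check_folders(parse_properties(fh.read())):
                print(f"{key}: {problem}")
```

An empty result means every folder set in the file exists and passed the access and partition checks.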