You want to enable finer logging for DLP services on the Enforce, Detection Servers, and Endpoint Agents

Article ID: 161886

Updated On:

Products

  • Data Loss Prevention
  • Data Loss Prevention Enforce
  • Data Loss Prevention Endpoint Prevent
  • Data Loss Prevention Endpoint Suite
  • Data Loss Prevention Enterprise Suite
  • Data Loss Prevention Network Email
  • Data Loss Prevention Network Monitor
  • Data Loss Prevention Network Monitor and Prevent for Email
  • Data Loss Prevention Network Monitor and Prevent for Email and Web
  • Data Loss Prevention Network Monitor and Prevent for Web
  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention Network Prevent for Email Virtual Appliance

Issue/Introduction

You are aware of the logs that DLP uses, as described in the Help Center topic Operational log files (broadcom.com), but you are looking for more details on how to increase log levels.

Cause

Fine or higher level logging may help to reveal issues with services, performance, or automated responses.

Resolution

As noted in the main topic, Operational log files (broadcom.com), the primary directories for logs are here:

  • Linux: /var/log/Symantec/DataLossPrevention/
  • Windows: \ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\logs

The properties files, where most log levels are changed, are located here:

  • Linux: /opt/Symantec/DataLossPrevention/EnforceServer/<version>/Protect/config/
  • Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\config\

The following content makes use of the properties noted in the paths above.

 

ENFORCE SERVER
 
How to enable finer logging for the Enforce Server web console:
 
How to Toggle JDBC Logging on or off
 
How to enable finer logging within the attribute lookup plugin framework
 
To increase loglevels for Lookup plugins, the following settings need to be changed.
 
To modify manual lookups, as performed via Incident Snapshot, edit the ManagerLogging.properties file and change the levels of the properties below from INFO to FINEST:
 
com.vontu.logging.ServletLogHandler.level = FINEST 
com.vontu.enforce.workflow.attributes.CustomAttributeLookup.level = FINEST 
com.vontu.lookup.level = FINEST
 
To modify loglevels for automatic lookups, as performed via Response Rules, edit the IncidentPersisterLogging.properties file and change:
 
com.vontu.enforce.workflow.attributes.CustomAttributeLookup.level = FINEST 
com.vontu.lookup.level = FINEST
 
The IncidentPersister and Manager logs should contain the references to the lookup.
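
One way to script the two edits above while recording the previous levels, so they can be restored after troubleshooting. This is an added example, not part of the original article or Broadcom's tooling; the helper names `set_levels` and `apply_levels` and the sample file content are assumptions, while the property and file names are the ones listed above.

```python
import re
from pathlib import Path

# Property names and file names are the ones listed in the article.
MANUAL_LOOKUP = {      # goes in ManagerLogging.properties
    "com.vontu.logging.ServletLogHandler.level": "FINEST",
    "com.vontu.enforce.workflow.attributes.CustomAttributeLookup.level": "FINEST",
    "com.vontu.lookup.level": "FINEST",
}
AUTOMATIC_LOOKUP = {   # goes in IncidentPersisterLogging.properties
    "com.vontu.enforce.workflow.attributes.CustomAttributeLookup.level": "FINEST",
    "com.vontu.lookup.level": "FINEST",
}

# An active "key = value" or "key: value" line; lines starting with # or ! are comments.
_ACTIVE = re.compile(r"^\s*([^#!\s=:][^\s=:]*)\s*[=:]\s*(.*?)\s*$")

def set_levels(text, wanted):
    """Return (new_text, previous); previous[key] is the old value, or None if absent."""
    previous, out = {}, []
    for line in text.splitlines():
        m = _ACTIVE.match(line)
        if m and m.group(1) in wanted:
            key = m.group(1)
            previous[key] = m.group(2)
            line = f"{key} = {wanted[key]}"
        out.append(line)
    for key, level in wanted.items():
        if key not in previous:          # not set anywhere: append it
            previous[key] = None
            out.append(f"{key} = {level}")
    return "\n".join(out) + "\n", previous

def apply_levels(path, wanted):
    """Edit one properties file in place, keeping the original beside it as <name>.bak."""
    path = Path(path)
    original = path.read_text(encoding="latin-1")   # Java .properties files are Latin-1
    new_text, previous = set_levels(original, wanted)
    if new_text != original:
        path.with_name(path.name + ".bak").write_text(original, encoding="latin-1")
        path.write_text(new_text, encoding="latin-1")
    return previous

# Constructed sample content, not a real ManagerLogging.properties.
SAMPLE = """\
# constructed sample
com.vontu.logging.ServletLogHandler.level = INFO
#com.vontu.lookup.level = FINE
com.vontu.enforce.workflow.attributes.CustomAttributeLookup.level=INFO
"""

if __name__ == "__main__":
    new_text, previous = set_levels(SAMPLE, MANUAL_LOOKUP)
    print(new_text)
    print("previous values:", previous)
```

Commented-out entries are left untouched, and the returned dictionary of previous values serves as the change record for setting the levels back once the FINEST logs have been collected.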



DETECTION SERVERS and AGENTS - specific KB content

  1. Network Monitor (Packet Capture, Copy Rule channels):
    Loglevels to modify are in PacketCaptureLogging.properties or PacketCaptureNativeLogging.properties files.

  2. Discover Server (Discover channel):
    Set the logging levels for DLP Network Discover (broadcom.com)

  3. Network Prevent for Email (Inline SMTP channel):
    Data Loss Prevention SMTP Prevent Diagnostic and troubleshooting (broadcom.com)

  4. Network Prevent for Web (ICAP channel):
    Web Prevent Diagnostics and Troubleshooting (broadcom.com)

  5. Endpoint Server (Endpoint channel):
    For issues involving incident shipping failures or connectivity from Agents: How to set the Aggregator logging level to FINEST (broadcom.com)
    For issues involving Agent connectivity in general: Key DLP agent and Endpoint Server communications settings (broadcom.com)

  6. Endpoint Agents:
    Increase the logging level of DLP agents to FINEST (broadcom.com)