DLP Enforce event syslog uses default port (514), even though a custom port is configured.


Article ID: 170035


Updated On:


Data Loss Prevention Enforce


After configuring Manager.properties with an IP and Port number other than 514, a wireshark reveals that port 514 is still being used.

No error messages appear in the logs


The java file responsible for collecting and applying the setting "systemevent.syslog.port" has been misspelled. It is actually looking for a setting called "systemvent.syslog.port". ("event" is missing the "e").


After investigation, it was found that this issue may go as far back as 10.x..


DLP Versions 10.x.x through 14.6.x may require this work around.


This will be fixed in an upcoming release.


The work around is to change the setting name from ""systemevent.syslog.port" to "systemvent.syslog.port" in the manager.properties file.


Example of what it should look like after the change:


systemevent.syslog.host =
systemvent.syslog.port = 1000

# {0.EN_US} = server name
# {1.EN_US} = event summary
# {2.EN_US} = event description
systemevent.syslog.format = [{0.EN_US}] {1.EN_US} - {2.EN_US}