DLP Enforce event syslog uses default port (514), even though a custom port is configured.

Article ID: 170035

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

After configuring Manager.properties with an IP address and a port number other than 514, a Wireshark capture reveals that port 514 is still being used.

No error messages appear in the logs.

Cause

The setting name "systemevent.syslog.port" is misspelled in the Java file responsible for collecting and applying it. The code actually looks for a setting called "systemvent.syslog.port" ("event" is missing the "e").

Environment

After investigation, it was found that this issue may go as far back as 10.x.

DLP versions 10.x.x through 14.6.x may require this workaround.

Resolution

This will be fixed in an upcoming release.

The workaround is to change the setting name from "systemevent.syslog.port" to "systemvent.syslog.port" in the Manager.properties file.

Example of what it should look like after the change:

systemevent.syslog.host = 192.168.1.100
systemvent.syslog.port = 1000

# {0.EN_US} = server name
# {1.EN_US} = event summary
# {2.EN_US} = event description
systemevent.syslog.format = [{0.EN_US}] {1.EN_US} - {2.EN_US}
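
The check below is an added example, not part of the original article or the product: it reads the text of a Manager.properties file and reports which syslog port an affected version would use. It assumes affected versions read only the misspelled key and fall back to 514 when it is absent or invalid; the function names and finding labels are illustrative.

```python
import re

DEFAULT_PORT = 514                       # default syslog port named in the article
CORRECT_KEY = "systemevent.syslog.port"  # documented setting name
TYPO_KEY = "systemvent.syslog.port"      # name affected versions actually look up

# Constructed sample: the article's values, before the workaround is applied.
SAMPLE_BEFORE = """\
systemevent.syslog.host = 192.168.1.100
systemevent.syslog.port = 1000
# {0.EN_US} = server name
systemevent.syslog.format = [{0.EN_US}] {1.EN_US} - {2.EN_US}
"""

_PAIR = re.compile(r"^\s*([^\s=:]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _PAIR.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def _port(value):
    """Return value as a port number, or None if missing or out of range."""
    ok = value is not None and value.isdigit() and 1 <= int(value) <= 65535
    return int(value) if ok else None


def audit_syslog_port(text):
    """Return (effective_port, finding) for a version affected by the typo."""
    props = parse_properties(text)
    read_port = _port(props.get(TYPO_KEY))       # key the affected code reads
    wanted_port = _port(props.get(CORRECT_KEY))  # key the admin believes is used
    if read_port is not None:
        return read_port, "workaround"           # misspelled key present
    if wanted_port not in (None, DEFAULT_PORT):
        return DEFAULT_PORT, "silent-default"    # custom port set but ignored
    return DEFAULT_PORT, "default"               # no custom port requested


if __name__ == "__main__":
    print(audit_syslog_port(SAMPLE_BEFORE))
```

A "silent-default" result means system events are leaving on port 514 while the receiver listens on the configured port, so the collector receives nothing and, as the article notes, no error is logged.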