Use the Splunk Add-on for Symantec DLP with Symantec Data Loss Prevention (DLP) 12.x and later.
Enable syslog in Symantec DLP so that it sends events to the Splunk platform, and format those events in the specific key/value format that the Splunk Add-on for Symantec DLP expects. The add-on's field extractions depend on that format.
Set up a response rule on the Symantec DLP server whose message is a list of key="$VARIABLE$" pairs, as in the example below:
Specify each variable you want to extract from your Symantec DLP system in that format, separating the key/value pairs with a comma or a space. A list of variables for each detection type is in the DLP Admin Guide under "Response Action Variables."
Example for Symantec DLP version 14:
incident_id="$INCIDENT_ID$", blocked="$BLOCKED$", policy="$POLICY$", recipients="$RECIPIENTS$", rules="$POLICY_RULES$", sender="$SENDER$", severity="$SEVERITY$", subject="$SUBJECT$"
Note: Use the variable names that correspond to the version of Symantec DLP you are running. For example, on Symantec DLP 12.0 or earlier, use policy="$POLICY_NAME$" instead of policy="$POLICY$".
For instructions on creating response rules, see "Response rule actions" in the Symantec Data Loss Prevention Administration Guide. For instructions on configuring syslog, see "Enabling a syslog server."
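The following is an added example, not code from Splunk or from Symantec, that checks the two things this procedure depends on: that a response rule template uses the variable names documented for the DLP version (only the $POLICY$/$POLICY_NAME$ substitution the page describes is checked), and that the syslog lines actually received carry every key the template promises, with commas or spaces between pairs and commas inside quoted values such as recipients handled correctly. The sample lines are constructed; their syslog header layout is an assumption, and the example does not handle a literal double quote inside a value because the page does not say how DLP escapes one.

```python
import re
from typing import Dict, List, Tuple

# One key="value" pair as emitted by a response rule in the page's format.
# The value runs to the next double quote, so a comma or space inside a
# quoted value (recipients="a@x, b@y") stays in the value, and whether the
# pairs themselves are separated by commas or spaces never matters.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# $VARIABLE$ placeholders in a response-rule template.
VAR_RE = re.compile(r'\$(\w+)\$')

# The response-rule template from the page's DLP 14 example.
TEMPLATE_V14 = ('incident_id="$INCIDENT_ID$", blocked="$BLOCKED$", policy="$POLICY$", '
                'recipients="$RECIPIENTS$", rules="$POLICY_RULES$", sender="$SENDER$", '
                'severity="$SEVERITY$", subject="$SUBJECT$"')


def template_keys(template: str) -> List[str]:
    """Keys a response-rule template will emit, in order."""
    return [k for k, _ in PAIR_RE.findall(template)]


def check_template(template: str, dlp_version: Tuple[int, int]) -> List[str]:
    """Flag variable names the page says do not apply to this DLP version.

    Only the substitution the page documents is checked: DLP 12.0 and
    earlier use $POLICY_NAME$ where later versions use $POLICY$.
    """
    problems = []
    variables = VAR_RE.findall(template)
    if dlp_version <= (12, 0) and "POLICY" in variables:
        problems.append('DLP 12.0 or earlier: use policy="$POLICY_NAME$" '
                        'instead of policy="$POLICY$"')
    return problems


def parse_event(line: str) -> Dict[str, str]:
    """Extract the key="value" pairs from one received syslog line.

    The syslog header (priority, timestamp, host) contains no key="..."
    sequence, so it is ignored without explicit stripping. Values that
    contain a literal double quote are not handled (escaping is unknown).
    """
    return dict(PAIR_RE.findall(line))


def missing_fields(event: Dict[str, str], expected: List[str]) -> List[str]:
    """Expected keys absent from a parsed event, e.g. because the response
    rule on the server was edited and no longer matches the add-on format."""
    return [k for k in expected if k not in event]


# Constructed sample lines (not captured from a real DLP server). The
# syslog header layout is assumed; the bodies follow the page's format.
SAMPLE_LINES = [
    # comma-separated pairs; recipients holds a comma inside the quotes
    '<13>Jun  1 12:00:00 dlp-enforce incident_id="1001", blocked="true", policy="PCI", '
    'recipients="a@example.com, b@example.com", rules="Credit Card Numbers", '
    'sender="c@example.com", severity="High", subject="Q3 report"',
    # space-separated pairs; the rules= field is missing
    '<13>Jun  1 12:00:01 dlp-enforce incident_id="1002" blocked="false" policy="HIPAA" '
    'recipients="d@example.com" sender="e@example.com" severity="Low" subject="hello"',
]


def audit(lines: List[str], template: str = TEMPLATE_V14) -> List[Tuple[str, List[str]]]:
    """(incident_id, missing keys) for every line that lacks a key the
    template promises; an empty list means every line is complete."""
    expected = template_keys(template)
    report = []
    for line in lines:
        ev = parse_event(line)
        gaps = missing_fields(ev, expected)
        if gaps:
            report.append((ev.get("incident_id", "?"), gaps))
    return report


if __name__ == "__main__":
    print(check_template(TEMPLATE_V14, (12, 0)))
    print(check_template(TEMPLATE_V14, (14, 0)))
    for sample in SAMPLE_LINES:
        print(parse_event(sample))
    print(audit(SAMPLE_LINES))
```

Run it against a handful of lines captured from your own syslog file or aggregator before pointing the Splunk input at them; a non-empty audit result usually means the response rule on the Enforce server no longer matches the template, which is the most common reason the add-on's extractions and CIM mapping come up empty.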
There are two ways to capture the syslog data from Symantec DLP: monitor a syslog file written by the DLP server (or by a syslog aggregator), or receive the events directly on a TCP or UDP port.
Note: For information about timestamp processing options for syslog events, see Syslog and timestamps in Splunk Add-ons.
To configure the Splunk platform to monitor the syslog file generated by the Symantec DLP server, you can use either Splunk Web to create the monitor input or configure inputs.conf directly. If you use a syslog aggregator, you can create a file monitor input to monitor the files generated by the aggregator.
Configure a file monitoring input on your data collection node for the Symantec DLP syslog file.
Instead of using Splunk Web, you can create an inputs.conf file and configure the monitor input there:
[monitor://<path>]
sourcetype = symantec:dlp:syslog
disabled = 0
On the Splunk platform node handling data collection, configure a TCP or UDP input (a tcp:// or udp:// stanza in inputs.conf, or the equivalent in Splunk Web) that matches the port and protocol you configured in Symantec DLP, and set the source type to symantec:dlp:syslog. The CIM mapping and dashboard panels depend on this source type.
For information on how to configure a Splunk forwarder or single instance to receive a syslog input, see "Get data from TCP and UDP ports" in the Getting Data In manual.
After you configure the input, run this search to verify you are ingesting the data you expect.