
DLP 15.5 Network Monitor Packet Capture Fails to Start

Article ID: 186561

Products

Data Loss Prevention Network Monitor and Prevent for Email and Web

Issue/Introduction

Packet capture fails to start automatically on your DLP Network Monitor, and starting it manually also fails. The DLP UI shows message code 1008: process went down before it had fully started.

Cause

Packet capture needs to run as root, but the server has been hardened and does not permit the DLP application to run sudo commands.

Environment

Release: 15.5

BoxMonitor log 
 
Class: om.vontu.logging.LocalLogWriter
Method: write
Level: SEVERE
Message:  PacketCapture is down. PacketCapture process went down before it had fully started.

SymantecDLPDetectionServer log
 
Level: INFO
Source:  jvm 1   
Message:  PC> sudo: no tty present and no askpass program specified
 
This is the usual message received when a sudo command is attempted without the required permissions.

Resolution

Edit the /etc/sudoers file and add the line #includedir /etc/sudoers.d to it (the leading # is part of the directive, not a comment marker).

Also make sure the following entries are present in /etc/sudoers.d; they are inserted automatically during the DLP 15.5 Network Monitor Server install:

Defaults:protect !requiretty
protect ALL= NOPASSWD: /bin/mount, /bin/umount, /usr/bin/sshfs
protect ALL= NOPASSWD: /lib64/ld-linux-x86-64.so.2 --library-path /opt/Symantec/DataLossPrevention/Detection Server/15.5/Protect/lib/native\:/opt/Symantec/DataLossPrevention/Server JRE/1.8.0_181/lib/amd64/server /opt/Symantec/DataLossPrevention/Detection Server/15.5/Protect/bin/PacketCapture *
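
The checks from the Resolution above, as an added shell example (not Symantec or Broadcom tooling): it reports which of the required sudo settings are absent and ignores drop-in files that sudo itself skips (names containing '.' or ending in '~'). The function names and the MISSING output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and output format are assumptions.

# dropin_has REGEX DIR: succeed if REGEX matches a line in a drop-in that sudo
# would actually read. sudo skips file names that contain '.' or end in '~'.
dropin_has() (
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in *.*|*~) continue ;; esac
        grep -Eq -- "$1" "$f" && exit 0
    done
    exit 1
)

# audit_dlp_sudo SUDOERS_FILE DROPIN_DIR
# Prints one MISSING line per absent setting; succeeds only if all are present.
audit_dlp_sudo() (
    rc=0
    rule='^[[:space:]]*protect[[:space:]]+ALL[[:space:]]*=[[:space:]]*NOPASSWD:'
    # The leading '#' is part of the directive; sudo 1.9.1+ also accepts '@'.
    grep -Eq '^[[:space:]]*[#@]includedir[[:space:]]+/etc/sudoers\.d/?[[:space:]]*$' "$1" ||
        { printf '%s\n' "MISSING: #includedir /etc/sudoers.d in $1"; rc=1; }
    dropin_has '^[[:space:]]*Defaults:protect[[:space:]]+!requiretty' "$2" ||
        { printf '%s\n' "MISSING: Defaults:protect !requiretty"; rc=1; }
    dropin_has "${rule}.*/bin/mount.*/bin/umount.*/usr/bin/sshfs" "$2" ||
        { printf '%s\n' "MISSING: protect NOPASSWD rule for mount/umount/sshfs"; rc=1; }
    dropin_has "${rule}.*/bin/PacketCapture[[:space:]]+\\*" "$2" ||
        { printf '%s\n' "MISSING: protect NOPASSWD rule for PacketCapture"; rc=1; }
    exit "$rc"
)

# Usage as root: sh audit.sh /etc/sudoers /etc/sudoers.d
if [ "$#" -eq 2 ]; then audit_dlp_sudo "$1" "$2"; fi
```

This is a text match only; `visudo -c` remains the check for sudoers syntax and for file ownership and mode.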