How to parse DLP logs to a SIEM environment


Article ID: 244869


Products

Data Loss Prevention

Issue/Introduction

How to forward DLP logs to a SIEM server with rsyslog.

 

Note: this article is only an example of how forwarding of the logs can be configured with the rsyslog tool. It is general guidance that can be used as a starting point for implementing this or a similar solution. However, configuring third-party tools or applications such as rsyslog itself is not supported, and any further guidance will need to be pursued with the vendor of the tool or application.

Environment

SIEM server: Nagios Log Server is used for this example.

Detection server: rsyslogd on the detection server, set up to forward the DLP log files to the SIEM.

Resolution

Note the full path of the DLP log file you want to forward (FileReader, BoxMonitor, or any other log file), then create a config file for it under /etc/rsyslog.d/:

cd /etc/rsyslog.d/

vi logfilename.conf

Below is an example configuration using the imfile input module and a TCP forwarding rule.

$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/lib/rsyslog

# Input for Detection_FileReader
$InputFileName /var/log/Symantec/DataLossPrevention/DetectionServer/1<version>/debug/FileReader0.log
$InputFileTag Detection_FileReader:
# The state file name must be unique for each file being polled.
# rsyslog creates it under $WorkDirectory and uses it to remember
# how far it has read. (Legacy directives do not take trailing
# comments, so keep comments on their own line.)
$InputFileStateFile <filename>
# Severity assigned to every line read from this file (imfile defaults to notice).
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Forward to Nagios Log Server over TCP (@@), then discard (~), otherwise
# these messages also end up in the syslog file (/var/log/messages) unless
# other rules override. "~" is the legacy discard action; newer rsyslog
# versions prefer "stop".
if $programname == 'Detection_FileReader' then @@<IP:PORT>
if $programname == 'Detection_FileReader' then ~

#######################EOF##########

Update $InputFileName, $InputFileTag and $InputFileStateFile to match your environment. Each log file needs its own input block, and its state file name must be unique on the host: rsyslog uses the state file to record how far it has read, so two inputs sharing a name will skip or re-send lines. Create a separate config file for each log you want to forward, for example the FileReader, BoxMonitor, Aggregator and EdmMatcher logs. If you keep one file per log, load the imfile module and set the global directives ($InputFilePollInterval, $PrivDropToGroup, $WorkDirectory) only once; rsyslog complains when the same module is loaded a second time, so the remaining files should contain only the input block and the two forwarding rules. Before restarting rsyslog, check the syntax with rsyslogd -N1 and verify that the group rsyslog drops to with $PrivDropToGroup can read the DLP log files; an unreadable file produces no error at the SIEM, just no events. Note also that @@<IP:PORT> forwards over plain TCP without encryption; if the detection server logs can contain sensitive data, configure TLS for the forwarding connection as described in the rsyslog documentation.

After rsyslog is restarted, the INFO-level FileReader lines should appear in the SIEM console under the program name Detection_FileReader.
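The procedure above is easy to get subtly wrong by hand (a state file name reused between two inputs, or the imfile module loaded in every file). The script below is an added example, not code from the article or from Symantec: it generates one combined rsyslog configuration that loads imfile once and emits an input block plus forward-and-discard rules for each DLP log, deriving the state file name from the tag so it is unique by construction, and it checks that uniqueness. The DLP version directory (15.8), the SIEM address (10.0.0.5:5544) and the BoxMonitor0.log, Aggregator0.log and EdmMatcher0.log file names are assumptions for the example; only FileReader0.log is named in the article.

```shell
#!/bin/sh
# Added example: generate a legacy-syntax rsyslog config that polls several
# Symantec DLP log files and forwards each to the SIEM under its own tag.
# Assumed values (not from the article): DLP 15.8 debug directory, SIEM at
# 10.0.0.5:5544, and the BoxMonitor/Aggregator/EdmMatcher file names.
set -eu

DLP_DEBUG_DIR="${DLP_DEBUG_DIR:-/var/log/Symantec/DataLossPrevention/DetectionServer/15.8/debug}"
SIEM_TARGET="${SIEM_TARGET:-10.0.0.5:5544}"

# One imfile input plus its forward-and-discard rules, printed to stdout.
# $1 = tag (becomes $programname), $2 = log file path, $3 = host:port of the SIEM
dlp_input_stanza() {
    tag="$1"; logfile="$2"; target="$3"
    cat <<EOF

# Input for ${tag}
\$InputFileName ${logfile}
\$InputFileTag ${tag}:
# State file name is derived from the tag, so it is unique per polled file
\$InputFileStateFile imfile-state-${tag}
\$InputFileSeverity info
\$InputFilePersistStateInterval 20000
\$InputRunFileMonitor

# Forward to the SIEM over TCP, then discard so the lines stay out of /var/log/messages
if \$programname == '${tag}' then @@${target}
if \$programname == '${tag}' then ~
EOF
}

# Whole config: module and global directives once, then one stanza per TAG=PATH pair.
# $1 = host:port of the SIEM, remaining args = TAG=PATH pairs (paths without spaces)
gen_dlp_rsyslog_conf() {
    target="$1"; shift
    cat <<EOF
# Generated DLP log forwarding to ${target}
\$ModLoad imfile
\$InputFilePollInterval 10
\$WorkDirectory /var/lib/rsyslog
EOF
    for pair in "$@"; do
        dlp_input_stanza "${pair%%=*}" "${pair#*=}" "$target"
    done
}

# Exit status 0 when every $InputFileStateFile in the config text on stdin is distinct.
state_files_unique() {
    dups="$(awk '$1 == "$InputFileStateFile" { print $2 }' | sort | uniq -d)"
    [ -z "$dups" ]
}

# Warn about log files the current user cannot read: rsyslog reports nothing
# at the SIEM for an unreadable file, which is the usual reason "nothing arrives".
warn_unreadable() {
    for pair in "$@"; do
        path="${pair#*=}"
        [ -r "$path" ] || echo "warning: $path is not readable by $(id -un)" >&2
    done
}

# Assumed file names for the logs the article lists; only FileReader0.log is confirmed.
DLP_INPUTS="Detection_FileReader=${DLP_DEBUG_DIR}/FileReader0.log
Detection_BoxMonitor=${DLP_DEBUG_DIR}/BoxMonitor0.log
Detection_Aggregator=${DLP_DEBUG_DIR}/Aggregator0.log
Detection_EdmMatcher=${DLP_DEBUG_DIR}/EdmMatcher0.log"

# Usage: sh gen-dlp-rsyslog.sh --print > /etc/rsyslog.d/dlp-forward.conf
#        rsyslogd -N1 && systemctl restart rsyslog
if [ "${1:-}" = "--print" ]; then
    # shellcheck disable=SC2086  (intentional word splitting on the TAG=PATH list)
    warn_unreadable $DLP_INPUTS
    gen_dlp_rsyslog_conf "$SIEM_TARGET" $DLP_INPUTS
fi
```

The generated file replaces the one-file-per-log layout with a single file so that $ModLoad imfile and the global directives appear exactly once; if you prefer separate files, pipe each dlp_input_stanza call into its own file and keep the header in a file that sorts first under /etc/rsyslog.d.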