How to parse DLP logs to a SIEM environment
Article ID: 244869

Products

Data Loss Prevention

Issue/Introduction

How to forward DLP detection server logs to a SIEM server with rsyslog.

Environment

SIEM server: Nagios Log Server is used in this example.

Detection server

rsyslogd configured on the detection server to forward logs to the SIEM

Resolution

Note the full path of the DLP log file you want to forward (FileReader, BoxMonitor, or any other log file) and create a new rsyslog configuration file for it:

cd /etc/rsyslog.d/

vi logfilename.conf

Below is an example of the rsyslog forwarding rule.

$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/lib/rsyslog

# Input for Detection_FileReader
$InputFileName /var/log/Symantec/DataLossPrevention/DetectionServer/15.8.00000/debug/FileReader0.log
$InputFileTag Detection_FileReader:
# The state file name must be unique for each file being polled
$InputFileStateFile nls-state-var_log_Symantec_DataLossPrevention_DetectionServer_15.8.00000_debug_FileReader0.log
# Uncomment the following line to override the default severity for messages
# from this file.
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Forward to Nagios Log Server and then discard, otherwise these messages
# will end up in the syslog file (/var/log/messages) unless there are other
# overriding rules.
if $programname == 'Detection_FileReader' then @@192.168.1.39:5544
if $programname == 'Detection_FileReader' then ~

#######################EOF##########

Update $InputFileName, $InputFileTag and $InputFileStateFile to match your environment: the state file name must be unique for each file being polled, and the $programname value in the two if-rules must match the tag (without its trailing colon). A separate config file has to be created for each log file you want to forward to the SIEM, so the filereader, boxmonitor, aggregator and edmmatcher logs each get their own config file.
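Because each log needs its own config file with a unique tag and state file, the following added script (not from this article or from Symantec) generates one rsyslog config per DLP log from the template above. It assumes the legacy $-directive syntax shown in the article, and the SIEM address and the non-FileReader log file names it uses are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not the article's or Symantec's code): generate one rsyslog
# forwarding config per DLP log file, each with its own tag and state file.
# Assumed: the legacy $-directive syntax from the article; the SIEM address and
# the non-FileReader log file names are placeholders to adjust.
SIEM_TARGET="${SIEM_TARGET:-192.168.1.39:5544}"
DLP_DEBUG_DIR="/var/log/Symantec/DataLossPrevention/DetectionServer/15.8.00000/debug"
# Unique state-file name derived from the log path (the article's scheme):
# drop the leading "/" and replace every "/" with "_".
state_name() {
    printf 'nls-state-%s\n' "$(printf '%s' "$1" | sed 's#^/##; s#/#_#g')"
}
# Print a complete config for one log file: $1 = absolute log path, $2 = tag.
# rsyslog sets $programname to the tag minus its trailing colon; the rules match on it.
rsyslog_conf() {
    log="$1"; tag="$2"; state="$(state_name "$1")"
    cat <<EOF
\$ModLoad imfile
\$InputFilePollInterval 10
\$PrivDropToGroup adm
\$WorkDirectory /var/lib/rsyslog

# Input for $tag
\$InputFileName $log
\$InputFileTag $tag:
# Must be unique for each file being polled
\$InputFileStateFile $state
\$InputFileSeverity info
\$InputFilePersistStateInterval 20000
\$InputRunFileMonitor

# Forward to the SIEM, then discard so the lines do not also reach /var/log/messages
if \$programname == '$tag' then @@$SIEM_TARGET
if \$programname == '$tag' then ~
EOF
}
# Write dlp-<tag>.conf for each log into directory $1
# (/etc/rsyslog.d on the detection server; restart rsyslog afterwards).
write_confs() {
    outdir="$1"
    while read -r file tag; do
        rsyslog_conf "$DLP_DEBUG_DIR/$file" "$tag" > "$outdir/dlp-$tag.conf"
    done <<EOF
FileReader0.log Detection_FileReader
BoxMonitor0.log Detection_BoxMonitor
Aggregator0.log Detection_Aggregator
EdmMatcher0.log Detection_EdmMatcher
EOF
}
if [ "$#" -gt 0 ]; then write_confs "$1"; fi
```

Run it as `sh gen-dlp-rsyslog.sh /etc/rsyslog.d` on the detection server and restart rsyslog; if you prefer, move the four header lines ($ModLoad, $InputFilePollInterval, $PrivDropToGroup, $WorkDirectory) into a single shared file so they are not repeated in every generated config.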

In the SIEM console you should now see the INFO log entries from FileReader, tagged Detection_FileReader.
