How to forward DLP logs with rsyslog to a SIEM server.
Note: this article is only an example of how log forwarding can be configured with the rsyslog tool. It is general guidance that can be used as a starting point for implementing this or a similar solution. Configuring third-party tools or applications such as rsyslog itself is not supported, and any further guidance will need to be pursued with the vendor of that tool or application.
SIEM server: Nagios Log Server is used for this example.
Detection server
rsyslogd setup to forward logs to SIEM
Note the full path of each DLP log file you want to forward (for example the FileReader or BoxMonitor log); it is needed for $InputFileName below. Then create a new configuration file under /etc/rsyslog.d/. Give it a .conf extension, because the default rsyslog.conf only includes /etc/rsyslog.d/*.conf.
cd /etc/rsyslog.d/
vi logfilename.conf
Below is an example of the rsyslog forwarding rule. It reads the log file with the imfile module, tags each line, forwards the tagged lines to the SIEM over TCP (@@; a single @ would send UDP) and then discards them locally.
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/lib/rsyslog
# Input for Detection_FileReader
$InputFileName /var/log/Symantec/DataLossPrevention/DetectionServer/1<version>/debug/FileReader0.log
$InputFileTag Detection_FileReader:
# The state file name must be unique for each file being polled. Keep this
# comment on its own line: a trailing comment on a legacy directive is not
# reliably stripped and can become part of the file name.
$InputFileStateFile <filename>
# Uncomment the following line to override the default severity for messages
# from this file.
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
# Forward to Nagios Log Server and then discard, otherwise these messages
# will end up in the syslog file (/var/log/messages) unless there are other
# overriding rules. $programname is the tag without its trailing colon.
if $programname == 'Detection_FileReader' then @@<IP:PORT>
if $programname == 'Detection_FileReader' then ~
####################### EOF #######################
You will need to update $InputFileTag, $InputFileStateFile and $InputFileName to match your environment, and every state file name must differ from the others or imfile will lose or re-send lines. A new config file has to be created for each log file you want to forward to the SIEM: one each for the FileReader, BoxMonitor, Aggregator and EdmMatcher logs. After editing, run rsyslogd -N1 to check the configuration and then restart rsyslog.
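The following script is an added example and is not part of the original article or of the DLP product. It generates the per-log rsyslog files described above for the four detection server logs, keeps the module-load and global directives in one shared file so that imfile is not loaded once per config (rsyslog v7 and later report an error when a module is loaded twice), and checks that no two configs share a state file. The log directory, the SIEM address and the BoxMonitor/Aggregator/EdmMatcher file names are assumptions; the article itself only names FileReader0.log.

```shell
#!/bin/sh
# Added example, not from the original article. Generates one rsyslog imfile
# config per DLP log plus a shared globals file, then checks state-file
# uniqueness. Placeholders below are assumptions: replace the log directory,
# the SIEM host:port and the non-FileReader log names for your environment.
DLP_LOG_DIR="${DLP_LOG_DIR:-/var/log/Symantec/DataLossPrevention/DetectionServer/<version>/debug}"
SIEM_TARGET="${SIEM_TARGET:-192.0.2.10:5544}"   # assumed example address (RFC 5737 range)

# Shared directives. Loading imfile in every per-log file makes rsyslog v7+
# report "module 'imfile' already in this config", so they live in one file
# that sorts first in /etc/rsyslog.d.
gen_globals() {
  cat <<'EOF'
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/lib/rsyslog
EOF
}

# gen_input TAG LOGFILE STATEFILE TARGET
# One imfile input and its forward-then-discard rules, in the legacy directive
# style the article uses. The state-file note is on its own line because a
# trailing "# comment" on a legacy directive can end up in the file name.
gen_input() {
  tag=$1; logfile=$2; statefile=$3; target=$4
  cat <<EOF
# Input for $tag
\$InputFileName $logfile
\$InputFileTag $tag:
# State file must be unique for each file being polled
\$InputFileStateFile $statefile
\$InputFileSeverity info
\$InputFilePersistStateInterval 20000
\$InputRunFileMonitor
# Forward over TCP (@@; a single @ would be UDP), then discard so the lines
# do not also land in /var/log/messages.
if \$programname == '$tag' then @@$target
if \$programname == '$tag' then ~
EOF
}

# write_configs OUTDIR: globals first (00-), then one file per DLP log (20-).
write_configs() {
  out=$1
  mkdir -p "$out"
  gen_globals > "$out/00-dlp-imfile-globals.conf"
  for comp in FileReader BoxMonitor Aggregator EdmMatcher; do
    tag="Detection_$comp"
    gen_input "$tag" "$DLP_LOG_DIR/${comp}0.log" "stat-$tag" "$SIEM_TARGET" \
      > "$out/20-dlp-$tag.conf"
  done
}

# check_unique_statefiles DIR: return 1 if two configs name the same state
# file, which would make imfile lose or re-send lines.
check_unique_statefiles() {
  dups=$(grep -h '^\$InputFileStateFile ' "$1"/*.conf | awk '{print $2}' | sort | uniq -d)
  if [ -n "$dups" ]; then
    printf 'duplicate state file(s): %s\n' "$dups" >&2
    return 1
  fi
  return 0
}

# check_syntax DIR: concatenate the fragments in include order and run
# rsyslog's own config check, if rsyslogd is installed on this host.
check_syntax() {
  if command -v rsyslogd >/dev/null 2>&1; then
    combined=$(mktemp)
    cat "$1"/*.conf > "$combined"
    if rsyslogd -N1 -f "$combined"; then rc=0; else rc=1; fi
    rm -f "$combined"
    return $rc
  fi
  echo "rsyslogd not found; skipping syntax check" >&2
}

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
write_configs "$OUT_DIR"
check_unique_statefiles "$OUT_DIR" && echo "wrote configs to $OUT_DIR (state files unique)"
```

Run it with OUT_DIR=/etc/rsyslog.d as root once the placeholders are set, then call check_syntax on that directory before restarting rsyslog. The state file names are derived from the tag so each log gets its own entry under $WorkDirectory.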
You can then open the SIEM console and confirm that the INFO-level log lines from FileReader are arriving, tagged Detection_FileReader.