Send to syslog action via response rule failing due to AccountLockedException
Article ID: 433381


Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

The Incident Persister log records the error below (full stack trace). Note that the top-level CommandException reads like a delivery problem, but the innermost "Caused by" is an AccountLockedException from the RBAC layer:

Thread: 221 [com.vontu.command.CommandRuntime.execute] Error executing command: syslog
com.vontu.command.CommandException: Unable to write to syslog: host=<SYSLOG / SIEM> , port=514
at com.vontu.incidenthandler.command.enforce.SyslogLogger.execute(SyslogLogger.java:194)
at com.vontu.command.CommandRuntime.executeCommand(CommandRuntime.java:1004)
at com.vontu.command.CommandRuntime.execute(CommandRuntime.java:908)
at com.vontu.command.CommandRuntime.executeInstruction(CommandRuntime.java:876)
at com.vontu.command.CommandRuntime.executeInstructions(CommandRuntime.java:854)
at com.vontu.command.CommandRuntime.executeCommands(CommandRuntime.java:753)
at com.vontu.command.CommandRuntime$CommandExecutor.run(CommandRuntime.java:1338)
at com.vontu.command.CommandRuntime.execute(CommandRuntime.java:699)
at com.vontu.command.CommandRuntime.execute(CommandRuntime.java:729)
at com.vontu.incidenthandler.command.IncidentCommandRuntimeExecutor.executeCommandRuntime(IncidentCommandRuntimeExecutor.java:65)
at com.vontu.incidenthandler.command.IncidentCommandStage.addMessageToQueue(IncidentCommandStage.java:113)
at com.vontu.incidenthandler.processing.IncidentProcessingTask.run(IncidentProcessingTask.java:67)
Caused by: com.symantec.dlp.enforcedomainservices.responserule.exceptions.ResponseRuleRuntimeException: com.symantec.dlp.enforcedomainservices.rbac.AccountLockedException
at com.symantec.dlp.enforcedomainservices.responserule.notifysyslog.IncidentCommandJPAHelper.getReportJobUser(IncidentCommandJPAHelper.java:88)
at com.symantec.dlp.enforcedomainservices.responserule.notifysyslog.IncidentCommandJPAHelper$$FastClassBySpringCGLIB$$55c77b20.invoke(<generated>)
at com.symantec.dlp.enforcedomainservices.responserule.notifysyslog.IncidentCommandJPAHelper$$EnhancerBySpringCGLIB$$f244ccb3.getReportJobUser(<generated>)
at com.vontu.incidenthandler.command.enforce.SyslogLogger.lambda$execute$0(SyslogLogger.java:168)
at com.vontu.incidenthandler.command.enforce.SyslogLogger.execute(SyslogLogger.java:159)
... 16 more
Caused by: com.symantec.dlp.enforcedomainservices.rbac.AccountLockedException
at com.symantec.dlp.enforcedomainservices.rbac.ReportJobAuthenticatedUser.initialize(ReportJobAuthenticatedUser.java:194)
at com.symantec.dlp.enforcedomainservices.rbac.ReportJobAuthenticatedUser$$FastClassBySpringCGLIB$$b154b9fa.invoke(<generated>)
at com.symantec.dlp.enforcedomainservices.rbac.ReportJobAuthenticatedUser$$EnhancerBySpringCGLIB$$8295a181.initialize(<generated>)
at com.symantec.dlp.enforcedomainservices.responserule.notifysyslog.IncidentCommandJPAHelper.getReportJobUser(IncidentCommandJPAHelper.java:84)
... 42 more

Environment

On-premises Enforce Server with a Send to Syslog response rule configured.

Cause

The built-in DLP "Administrator" (default) account is locked. Response rule actions initiated by Enforce depend on that account: in the stack trace above, SyslogLogger.execute calls IncidentCommandJPAHelper.getReportJobUser, which fails in ReportJobAuthenticatedUser.initialize with AccountLockedException while the built-in Administrator account is locked. A locked Administrator account therefore affects more than console login; it also stops response rule actions such as Send to Syslog, even though the syslog host and port in the error message are reachable.
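Because the top-level message ("Unable to write to syslog: host=..., port=514") looks identical whether the root cause is this locked account or a genuine network problem, it helps to triage by the innermost "Caused by" line. The following script is an added example, not Symantec/Broadcom code: it parses an Incident Persister log excerpt, pairs each "Error executing command: syslog" entry with its root cause, and flags the AccountLockedException case separately from a delivery failure. The log text is constructed from the trace in this article plus a second, hypothetical trace with a java.net.ConnectException root cause to show the other branch; the hostname siem.example.internal is a placeholder.

```python
"""Triage 'Error executing command: syslog' entries in an Incident Persister
log by their innermost 'Caused by:' line (added example, not vendor code)."""
import re
from typing import Dict, List, Optional

# Constructed sample: the first trace is trimmed from this article, the
# second is hypothetical and only illustrates a network-side failure.
SAMPLE_LOG = """\
Thread: 221 [com.vontu.command.CommandRuntime.execute] Error executing command: syslog
com.vontu.command.CommandException: Unable to write to syslog: host=siem.example.internal , port=514
at com.vontu.incidenthandler.command.enforce.SyslogLogger.execute(SyslogLogger.java:194)
Caused by: com.symantec.dlp.enforcedomainservices.responserule.exceptions.ResponseRuleRuntimeException: com.symantec.dlp.enforcedomainservices.rbac.AccountLockedException
at com.symantec.dlp.enforcedomainservices.responserule.notifysyslog.IncidentCommandJPAHelper.getReportJobUser(IncidentCommandJPAHelper.java:88)
... 16 more
Caused by: com.symantec.dlp.enforcedomainservices.rbac.AccountLockedException
at com.symantec.dlp.enforcedomainservices.rbac.ReportJobAuthenticatedUser.initialize(ReportJobAuthenticatedUser.java:194)
... 42 more
Thread: 224 [com.vontu.command.CommandRuntime.execute] Error executing command: syslog
com.vontu.command.CommandException: Unable to write to syslog: host=siem.example.internal , port=514
at com.vontu.incidenthandler.command.enforce.SyslogLogger.execute(SyslogLogger.java:194)
Caused by: java.net.ConnectException: Connection refused
... 20 more
"""

START = re.compile(r"Error executing command: (\w+)")
TARGET = re.compile(r"Unable to write to syslog: host=(\S+)\s*,\s*port=(\d+)")
# Exception class name after 'Caused by:', up to the first ':' or end of line.
CAUSE = re.compile(r"^Caused by: (\S+?)(?::|$)")


def parse_traces(text: str) -> List[Dict[str, object]]:
    """Split the log into one record per failed command, collecting the
    target host/port and the chain of 'Caused by:' exception classes."""
    traces: List[Dict[str, object]] = []
    cur: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = START.search(line)
        if m:
            cur = {"command": m.group(1), "host": None, "port": None, "causes": []}
            traces.append(cur)
            continue
        if cur is None:
            continue
        m = TARGET.search(line)
        if m:
            cur["host"], cur["port"] = m.group(1), int(m.group(2))
            continue
        m = CAUSE.match(line)
        if m:
            cur["causes"].append(m.group(1))  # Java prints outermost first
    return traces


def classify(trace: Dict[str, object]) -> str:
    """The last 'Caused by:' is the root cause. A locked built-in Administrator
    surfaces as rbac.AccountLockedException; anything else with a host/port is
    treated as a delivery problem on the syslog/SIEM side."""
    causes = trace["causes"]
    root = causes[-1] if causes else None
    if root and root.endswith("rbac.AccountLockedException"):
        return "ACCOUNT_LOCKED"
    if trace["host"] is not None:
        return "DELIVERY_FAILURE"
    return "UNKNOWN"


def summarize(text: str) -> Dict[str, int]:
    """Count syslog command failures per triage category."""
    counts: Dict[str, int] = {}
    for t in parse_traces(text):
        if t["command"] != "syslog":
            continue
        key = classify(t)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for t in parse_traces(SAMPLE_LOG):
        print(f"{t['command']} -> {t['host']}:{t['port']} root={t['causes'][-1]} "
              f"=> {classify(t)}")
    print(summarize(SAMPLE_LOG))
```

Run it against the real Incident Persister log (for example by reading the file into `summarize`) before touching the network: an ACCOUNT_LOCKED result points at the Administrator account, not at the SIEM, firewall or port 514.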

Resolution

Unlock the built-in DLP Administrator account (see the linked articles below), then log into the Enforce console as that account. The unlock is only complete once the built-in Administrator has logged in successfully.

After that login, Send to Syslog actions resume and the AccountLockedException no longer appears in the Incident Persister log. To confirm, trigger an incident that matches the response rule and check that the event reaches the syslog/SIEM host.

Additional Information

If the built-in DLP Administrator password is unknown and the account cannot be logged into, see: Recovery of DLP Administrator account
https://knowledge.broadcom.com/external/article/160705/recovery-of-dlp-administrator-account.html

What Happens When the Default Administrator Account is Locked Out?
https://knowledge.broadcom.com/external/article?articleNumber=160548