Generating Syslog messages from Data Loss Prevention


Article ID: 159509

Product: Data Loss Prevention Enforce


How to configure Symantec Data Loss Prevention (DLP) to send messages and alerts to Syslog.


DLP supports two independent methods for generating Syslog events: "Syslog Response Rule" notifications, which fire per incident, and "Syslog Server Alerts", which forward Enforce system events.

  1. Creating a Syslog Response Rule

    • When creating an Automated Response Rule, select 'Log to a Syslog Server' as the action. Fill in the Host, Port, Message, Protocol (UDP or TCP) and Level as appropriate. You can also add variables to the Message field by selecting them from the Insert Variable list on the right; the variables are populated with values from the specific incident. Once the Response Rule is assigned to a Policy, it generates a syslog event each time it is triggered.
      • Creating a "Syslog Response Rule" does not require the configuration described below for "Syslog Server Alerts"; they are separate functions.
  2. Creating Syslog Server Alerts

The System Maintenance Guide outlines how to set up Syslog events.


To enable syslog functionality

  1. Navigate to the Enforce server's config directory, for example <drive>:\SymantecDLP\Protect\config on Windows or /opt/SymantecDLP/Protect/config on Linux.
  2. Open the properties file in that directory that contains the systemevent.syslog settings.
  3. Uncomment the syslog host line by removing the # symbol from the beginning of the line and enter the hostname or IP address of the syslog server.
  4. Uncomment the #systemevent.syslog.port= line by removing the # symbol from the beginning of the line and enter the port on which the syslog server accepts connections from the Enforce server. The default port is 514, the standard syslog port; messages are sent over UDP unless the protocol is changed (see the protocol setting below).
  5. Uncomment the #systemevent.syslog.format= [{0}] {1} - {2} line by removing the # symbol from the beginning of the line and define the system event message format.

The optional parameters are as follows:

  {0} - name of the server on which the event occurred
  {1} - event summary
  {2} - event detail

For example, with the following configuration:

systemevent.syslog.format= [{0}] {1} - {2}

system event notifications are written to the configured syslog server (port 600 in the guide's example), and each notification message has the following format:

[server name] summary - details

If galapagos were used to host an Enforce server, an event notification indicating low disk space on galapagos might look like this:

[Enforce server] Low disk space - Hard disk space for incident data storage server is low. Disk usage is over 82%.

As the example shows, {0} is the server name as DLP reports it ("Enforce server"), not the hostname of the machine.
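The format string above is what the Enforce server fills in, and it is also what a SIEM parser on the receiving side has to undo. The following is an added example (not part of this article and not Symantec's code) that renders an event from the {0}/{1}/{2} placeholders and then builds a regular expression from the same format string to split a received message back into server, summary and detail. Collapsing a multi-line detail onto one line before sending is this example's choice, not documented Enforce behaviour; the sample event text is constructed, modelled on the low-disk-space example above.

```python
import re

# Format from the article's example; {0}, {1}, {2} are the server name, event
# summary and event detail placeholders of systemevent.syslog.format.
DEFAULT_FORMAT = "[{0}] {1} - {2}"

_GROUPS = {"0": "server", "1": "summary", "2": "detail"}


def render_event(server, summary, detail, fmt=DEFAULT_FORMAT):
    """Fill the three placeholders of a systemevent.syslog.format pattern.

    The detail is collapsed onto one line first. That is this example's choice,
    not documented Enforce behaviour: a syslog record is a single line, and a
    receiver that splits on newlines would otherwise log a truncated event
    followed by orphan fragments.
    """
    detail = " ".join(detail.split())
    out = fmt
    for idx, value in (("0", server), ("1", summary), ("2", detail)):
        out = out.replace("{%s}" % idx, value)
    return out


def format_to_regex(fmt=DEFAULT_FORMAT):
    """Turn a systemevent.syslog.format pattern into a regex with named groups.

    Literal text between placeholders is escaped. Every placeholder except the
    last is matched non-greedily, so a " - " inside the detail text stays in the
    detail instead of being mistaken for the summary/detail separator.
    """
    parts = re.split(r"(\{[012]\})", fmt)
    placeholder_idx = [i for i, p in enumerate(parts) if re.fullmatch(r"\{[012]\}", p)]
    last_idx = placeholder_idx[-1] if placeholder_idx else -1
    regex = ""
    for i, part in enumerate(parts):
        if i in placeholder_idx:
            name = _GROUPS[part[1]]
            regex += r"(?P<%s>.*)" % name if i == last_idx else r"(?P<%s>.*?)" % name
        else:
            regex += re.escape(part)
    return re.compile(regex)


def parse_event(message, fmt=DEFAULT_FORMAT):
    """Split a received message back into its fields; None if it does not match."""
    m = format_to_regex(fmt).fullmatch(message)
    return m.groupdict() if m else None


if __name__ == "__main__":
    # Constructed sample event, modelled on the article's low-disk-space example.
    msg = render_event(
        "Enforce server",
        "Low disk space",
        "Hard disk space for incident\ndata storage server is low. Disk usage is over 82%.",
    )
    print(msg)
    print(parse_event(msg))
```

If you change systemevent.syslog.format, pass the same string to parse_event on the receiving side; the parser is derived from the format, so the two cannot drift apart.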


You can set the log level to control which severities are forwarded: SEVERE only, SEVERE and WARNING, or INFO, WARNING and SEVERE.

For reference:

  • Log level 3 = logs SEVERE messages only (this is the default)
  • Log level 4 = logs SEVERE and WARNING
  • Log level 5 = logs INFO, WARNING and SEVERE

Steps to implement:

  1. Install or upgrade to DLP 15.0 or later on your system.
  2. Open the same properties file as above.
  3. Find the following line:  systemevent.syslog.level = x
  4. Change the value of x to 3, 4 or 5 (the default value is 3).
  5. Restart the Enforce services (Windows or Linux) for the change to take effect.


In Symantec Data Loss Prevention version 15.8 and above you can specify the transport protocol that syslog uses.

Find the systemevent.syslog.protocol line in the same properties file and set the parameter value to either tcp or udp:

systemevent.syslog.protocol = tcp

or

systemevent.syslog.protocol = udp

Restart the Symantec DLP services for the change to take effect. UDP delivery is fire-and-forget: events sent while the receiver is down are lost silently, so prefer TCP where the syslog server supports it.
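The host, port, format, level and protocol steps above all edit the same properties file, and the edit is easy to get subtly wrong (a key left commented out, a level outside 3-5, a protocol value the server does not recognise). The following is an added example (not part of this article and not Symantec's code) that applies those settings to properties text idempotently, validates the values against what this article documents, and reports which syslog keys are actually active. The article does not name the host property; "systemevent.syslog.host" is this example's assumption, as are the file excerpt, the host siem.example.net and port 600.

```python
import re

# Property names documented in this article. The host property's name is not
# given on the page; "systemevent.syslog.host" is this example's assumption.
SYSLOG_KEYS = (
    "systemevent.syslog.host",
    "systemevent.syslog.port",
    "systemevent.syslog.format",
    "systemevent.syslog.level",
    "systemevent.syslog.protocol",
)

# systemevent.syslog.level values and the severities each one forwards.
SEVERITIES_BY_LEVEL = {
    3: ("SEVERE",),
    4: ("SEVERE", "WARNING"),
    5: ("SEVERE", "WARNING", "INFO"),
}

# Matches an active ("key=value") or commented-out ("#key=value") property line.
_PROP_RE = re.compile(r"^\s*(#\s*)?([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def forwarded_severities(level):
    """Severities the Enforce server forwards at a given systemevent.syslog.level."""
    return SEVERITIES_BY_LEVEL[int(level)]


def validate_settings(settings):
    """Return a list of problems; an empty list means the values are acceptable."""
    errors = []
    port = settings.get("systemevent.syslog.port")
    if port is not None and not (str(port).isdigit() and 1 <= int(port) <= 65535):
        errors.append("port must be 1-65535, got %r" % (port,))
    level = settings.get("systemevent.syslog.level")
    if level is not None and str(level) not in ("3", "4", "5"):
        errors.append("level must be 3, 4 or 5, got %r" % (level,))
    proto = settings.get("systemevent.syslog.protocol")
    if proto is not None and str(proto).lower() not in ("tcp", "udp"):
        errors.append("protocol must be tcp or udp, got %r" % (proto,))
    fmt = settings.get("systemevent.syslog.format")
    if fmt is not None and re.search(r"\{(?![012]\})[^}]*\}", fmt):
        errors.append("format may only use the placeholders {0}, {1} and {2}")
    return errors


def active_settings(text):
    """The uncommented systemevent.syslog.* values currently in the properties text."""
    found = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m and not m.group(1) and m.group(2) in SYSLOG_KEYS:
            found[m.group(2)] = m.group(3)
    return found


def apply_settings(text, settings):
    """Uncomment and set each key in place; append keys the file lacks. Idempotent."""
    problems = validate_settings(settings)
    if problems:
        raise ValueError("; ".join(problems))
    pending = {k: str(v) for k, v in settings.items()}
    out = []
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m and m.group(2) in pending:
            # Java's properties loader trims whitespace around "=", so the line is
            # written as "key=value"; the value itself is kept exactly as given.
            out.append("%s=%s" % (m.group(2), pending.pop(m.group(2))))
        else:
            out.append(line)
    for key in SYSLOG_KEYS:  # fixed order keeps repeated runs byte-identical
        if key in pending:
            out.append("%s=%s" % (key, pending.pop(key)))
    for key, value in pending.items():  # any other keys the caller passed
        out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


# Constructed excerpt in the style of the Enforce properties file, not the real file.
SAMPLE_PROPERTIES = """# system event syslog settings (constructed sample)
#systemevent.syslog.host=
#systemevent.syslog.port=514
#systemevent.syslog.format= [{0}] {1} - {2}
systemevent.syslog.level = 3
"""

# siem.example.net and port 600 are constructed values for this example.
DESIRED = {
    "systemevent.syslog.host": "siem.example.net",
    "systemevent.syslog.port": 600,
    "systemevent.syslog.format": "[{0}] {1} - {2}",
    "systemevent.syslog.level": 4,
    "systemevent.syslog.protocol": "tcp",
}

if __name__ == "__main__":
    updated = apply_settings(SAMPLE_PROPERTIES, DESIRED)
    print(updated)
    print(active_settings(updated))
    print("forwarded at level 4:", forwarded_severities(4))
```

Run active_settings over the real file after editing and before restarting the services: a key that still shows up only in its commented form is the most common reason no events arrive at the syslog server.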