How to configure Symantec Data Loss Prevention (DLP) to send messages and alerts to Syslog.
DLP supports two methods for generating Syslog events: "Syslog Response Rule" notifications and "Syslog Server Alerts".
- Creating a Syslog Response Rule
- Creating Syslog Server Alerts
The System Maintenance Guide outlines how to set up Syslog events.
Steps to implement:
1. Go to the <drive>:\SymantecDLP\Protect\config directory on Windows or the /opt/SymantecDLP/Protect/config directory on Linux.
2. Open the Manager.properties file.
3. Uncomment the #systemevent.syslog.host= line by removing the # symbol from the beginning of the line and enter the hostname or IP address of the syslog server.
4. Uncomment the #systemevent.syslog.port= line by removing the # symbol from the beginning of the line and enter the port number that should accept connections from the Vontu Enforce server. The default is 514. This is UDP.
5. Uncomment the #systemevent.syslog.format= [{0.EN_US}] {1.EN_US} - {2.EN_US} line by removing the # symbol from the beginning of the line and define the system event message format. The optional parameters are as follows:
   {0.EN_US} - name of the server on which the event occurred
   {1.EN_US} - event summary
   {2.EN_US} - event detail
For example, in the following configuration:
systemevent.syslog.host=galapagos.company.com
systemevent.syslog.port=600
systemevent.syslog.format= [{0.EN_US}] {1.EN_US} - {2.EN_US}
System event notifications would be written to a server named galapagos.company.com using port 600, and the notification messages would be in the following format:
[server name] summary - details
If galapagos was used to host an Enforce server, an event notification indicating low disk space on galapagos might look like this:
[Enforce server] Low disk space - Hard disk space for incident data storage server is low. Disk usage is over 82%.
The log level can also be set so that INFO and WARNING events are sent along with SEVERE events.
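The following is an added example, not part of this article or of Symantec's product code, that helps a SIEM team check the settings above: it reads the effective systemevent.syslog.* values from a constructed Manager.properties fragment (ignoring lines still commented out with #), renders an event with the documented placeholders (my own re-implementation of the substitution, assumed to be a plain replacement), and parses the default "[server] summary - details" layout back into fields so collector-side parsing can be tested offline.

```python
import re

# The three placeholders documented for systemevent.syslog.format.
PLACEHOLDERS = {"{0.EN_US}": "server", "{1.EN_US}": "summary", "{2.EN_US}": "detail"}
DEFAULT_FORMAT = "[{0.EN_US}] {1.EN_US} - {2.EN_US}"

# Default layout "[server] summary - detail". The first " - " is taken as the
# separator, so a summary that itself contains " - " would be split early (assumption).
EVENT_RE = re.compile(r"^\[(?P<server>[^\]]+)\]\s+(?P<summary>.+?)\s+-\s+(?P<detail>.*)$", re.S)

# Constructed Manager.properties fragment matching the galapagos example above.
SAMPLE_PROPERTIES = """\
systemevent.syslog.host=galapagos.company.com
systemevent.syslog.port=600
systemevent.syslog.format= [{0.EN_US}] {1.EN_US} - {2.EN_US}
"""


def syslog_settings(properties_text):
    """Return the effective systemevent.syslog.* values from Manager.properties text.
    A line still starting with # is commented out and ignored (steps 3-5 above);
    the port falls back to the documented default of 514 (UDP) when not set."""
    settings = {"host": None, "port": 514, "format": DEFAULT_FORMAT}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "systemevent.syslog.host":
            settings["host"] = value
        elif key == "systemevent.syslog.port":
            settings["port"] = int(value)
        elif key == "systemevent.syslog.format":
            settings["format"] = value
    return settings


def render_event(server, summary, detail, fmt=DEFAULT_FORMAT):
    """Substitute the documented placeholders into the configured format string."""
    values = {"server": server, "summary": summary, "detail": detail}
    msg = fmt
    for token, field in PLACEHOLDERS.items():
        msg = msg.replace(token, values[field])
    return msg.strip()


def parse_event(line):
    """Split a received message in the default layout into server/summary/detail;
    returns None when the line does not match so the collector can flag it."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None
```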