Generating Syslog messages from Data Loss Prevention

book

Article ID: 159509

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

How to configure Symantec Data Loss Prevention (DLP) to send messages and alerts to Syslog.

Resolution

DLP supports two methods for generating Syslog events: "Syslog Response Rule" notifications and "Syslog Server Alerts".

  1. Creating a Syslog Response Rule

    • When creating an Automated Response Rule, select ‘Log to a Syslog Server‘ as the action. Fill in the Host, Port, Message, and Level as appropriate. Once assigned to a Policy, the Response Rule will generate a syslog event when triggered.
      • The creation of a "Syslog Response Rule" does not require the additional method described for "Syslog Server Alerts" - they are separate functions.

  2. Create Syslog Server Alerts

The System Maintenance Guide outlines how to setup Syslog events.

To enable syslog functionality

  1. Navigate to the installed directory, for example <drive>:\SymantecDLP\Protect\config directory on Windows or the /opt/SymantecDLP/Protect/config directory on Linux.
  2. Open the Manager.properties file.
  3. Uncomment the #systemevent.syslog.host= line by removing the # symbol from the beginning of the line and enter the hostname or IP address of the syslog server.
  4. Uncomment the #systemevent.syslog.port= line by removing the # symbol from the beginning of the line and enter the port number that should accept connections from the Vontu Enforce server. The default is 514. This is UDP.
  5. Uncomment the #systemevent.syslog.format= [{0.EN_US}] {1.EN_US} - {2.EN_US} line by removing the # symbol from the beginning of the line and define the system event message format.

The optional parameters are as follows:

  {0.EN_US} - name of the server on which the event occurred
  {1.EN_US} - event summary
  {2.EN_US} - event detail

For example, in the following configuration:

systemevent.syslog.host=galapagos.company.com
systemevent.syslog.port=600
systemevent.syslog.format= [{0.EN_US}] {1.EN_US} - {2.EN_US}

System event notifications would be written to a server named galapagos.company.com using port 600 and the notification messages will be in the following format:

[server name] summary – details

If galapagos was used to host an Enforce server, an event notification indicating low disk space on galapagos might look like this:

[Enforce server] Low disk space - Hard disk space for incident
data storage server is low. Disk usage is over 82%.

 

DLP 15.0 and later

You have the ability to set the log level to include INFO and WARNING along with SEVERE.

For reference:

  • Log level 3 = logs SEVERE messages only (this is default)
  • Log level 4 = Logs SEVERE and WARNING
  • Log level 5 = logs INFO, WARNING, SEVERE

Steps to implement:

  1. Install/Upgrade to DLP 15.0 on your system.
  2. Open manager.properties as indicated above.
  3. Find the following line:  systemevent.syslog.level = x​
  4. Change the value of x to either 3, 4, or 5 (the default value is 3)
  5. Restart services for changes to take effect in Windows or Linux.
Powered by Wolken Software