How to configure Symantec Data Loss Prevention (DLP) to send messages and alerts to Syslog.
DLP supports two methods for generating Syslog events: "Syslog Response Rule" notifications and "Syslog Server Alerts".
Creating a Syslog Response Rule
Create Syslog Server Alerts
The System Maintenance Guide outlines how to set up Syslog events. To send system event notifications from the Enforce server to a syslog server:
1. Go to the <drive>:\SymantecDLP\Protect\config directory on Windows or the /opt/SymantecDLP/Protect/config directory on Linux.
2. Open the Manager.properties file.
3. Uncomment the #systemevent.syslog.host= line by removing the # symbol from the beginning of the line and enter the hostname or IP address of the syslog server.
4. Uncomment the #systemevent.syslog.port= line by removing the # symbol from the beginning of the line and enter the port number on which the syslog server accepts connections from the Enforce server. The default port is 514, the standard syslog UDP port.
5. Uncomment the #systemevent.syslog.format= [{0}] {1} - {2} line by removing the # symbol from the beginning of the line and define the system event message format. The optional parameters are as follows:
{0} - name of the server on which the event occurred
{1} - event summary
{2} - event detail
For example, in the following configuration:
systemevent.syslog.host=galapagos.company.com
systemevent.syslog.port=600
systemevent.syslog.format= [{0}] {1} - {2}
System event notifications would be written to a server named galapagos.company.com
using port 600 and the notification messages will be in the following format:
[server name] summary - details
If galapagos was used to host an Enforce server, an event notification indicating low disk space on galapagos might look like this:
[Enforce server] Low disk space - Hard disk space for incident data storage server is low. Disk usage is over 82%.
You can also choose which system event levels are forwarded (INFO, WARNING and/or SEVERE) by setting the following parameter in the same file, replacing x with the level you want; see the System Maintenance Guide for the accepted values:
systemevent.syslog.level = x
In Symantec Data Loss Prevention version 15.8 and above you can also specify the transport protocol used for syslog. In the same Manager.properties file, find the systemevent.syslog.protocol parameter and set its value to either tcp or udp:
systemevent.syslog.protocol = tcp
or
systemevent.syslog.protocol = udp
UDP gives no delivery guarantee, so events can be dropped silently on a congested or filtered link, whereas TCP at least reports connection failures. Neither transport encrypts or authenticates the events, so restrict the collector port to the Enforce server's address at the firewall on the receiving host.
Restart the Symantec DLP services for any of these changes to take effect.
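The whole procedure above, as an added example that is not part of the original article and not Symantec's own code: a Python script that checks a Manager.properties excerpt for the settings described (host, port, protocol, format) before you restart the services, then runs a loopback round trip (a throwaway collector bound on 127.0.0.1 receiving one message over UDP or TCP, which is what a collector on the real syslog server would do) and parses the message back into server, summary and detail using the configured format. The properties excerpt and the event text are constructed from the article's example; the defaults used when a key is absent (514, udp), the stripping of a standard syslog <PRI> prefix, and the newline-terminated TCP framing are assumptions, since the article does not describe the wire format.

```python
"""Check Manager.properties syslog settings and parse the resulting system events.
Added example, not Symantec code: parameter names follow the article; defaults,
<PRI> handling and TCP framing are assumptions."""
import re
import socket
import threading

# Constructed Manager.properties excerpt: the article's example plus the 15.8+
# protocol line. A line that still starts with '#' is commented out.
SAMPLE_PROPERTIES = """\
#systemevent.syslog.host=
systemevent.syslog.host=galapagos.company.com
systemevent.syslog.port=600
systemevent.syslog.protocol = udp
systemevent.syslog.format= [{0}] {1} - {2}
"""
# Constructed event in the article's format, with a syslog <PRI> prefix added.
SAMPLE_EVENT = ("<14>[Enforce server] Low disk space - Hard disk space for "
                "incident data storage server is low. Disk usage is over 82%.")
FIELD_NAMES = {"0": "server", "1": "summary", "2": "detail"}

def parse_properties(text):
    """Return the active (uncommented) key=value pairs; a later line wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_syslog_config(props):
    """List problems that would stop events reaching the collector."""
    problems = []
    if not props.get("systemevent.syslog.host"):
        problems.append("systemevent.syslog.host is empty or still commented out")
    port = props.get("systemevent.syslog.port", "514")  # 514 = article's default
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"systemevent.syslog.port={port!r} is not a valid port")
    proto = props.get("systemevent.syslog.protocol", "udp").lower()  # assumed default
    if proto not in ("tcp", "udp"):
        problems.append(f"systemevent.syslog.protocol={proto!r} must be tcp or udp")
    fmt = props.get("systemevent.syslog.format", "[{0}] {1} - {2}")
    if "{1}" not in fmt:
        problems.append("systemevent.syslog.format omits {1}, so events carry no summary")
    return problems

def format_to_regex(fmt):
    """Turn the {0}/{1}/{2} template into a regex with named groups."""
    pattern, pos = "^", 0
    for m in re.finditer(r"\{([012])\}", fmt):
        pattern += re.escape(fmt[pos:m.start()]) + f"(?P<{FIELD_NAMES[m.group(1)]}>.+?)"
        pos = m.end()
    return re.compile(pattern + re.escape(fmt[pos:]) + "$", re.S)

def parse_event(fmt, raw):
    """Split one received message into its fields, or None if it does not match."""
    body = re.sub(r"^<\d{1,3}>", "", raw)  # drop a standard syslog <PRI> if present
    m = format_to_regex(fmt).match(body)
    return m.groupdict() if m else None

def send_event(host, port, protocol, message):
    """Stand in for the Enforce server: deliver one message over the chosen transport."""
    data = message.encode("utf-8")
    if protocol == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    else:  # newline-terminated record: assumed non-transparent TCP framing
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data + b"\n")

def receive_one(srv, protocol):
    """Read one message from a bound collector socket."""
    if protocol == "udp":
        return srv.recvfrom(65535)[0].decode("utf-8", "replace")
    conn, _ = srv.accept()
    with conn:
        conn.settimeout(5)
        chunks = []
        while chunk := conn.recv(4096):  # sender closes after one record
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", "replace").rstrip("\n")

def loopback_roundtrip(protocol, fmt, message):
    """Bind a throwaway collector on 127.0.0.1, send one event to it, parse it."""
    kind = socket.SOCK_DGRAM if protocol == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        srv.settimeout(5)
        port = srv.getsockname()[1]
        if protocol == "tcp":
            srv.listen(1)
        sender = threading.Thread(target=send_event,
                                  args=("127.0.0.1", port, protocol, message))
        sender.start()
        raw = receive_one(srv, protocol)
        sender.join()
    return parse_event(fmt, raw)

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("config problems:", check_syslog_config(props) or "none")
    print(loopback_roundtrip(props["systemevent.syslog.protocol"],
                             props["systemevent.syslog.format"], SAMPLE_EVENT))
```

Run check_syslog_config against your real Manager.properties before restarting the services: an uncommented host line with an empty value, a non-numeric port, or a protocol other than tcp/udp is caught here rather than discovered later as missing events. The loopback run only proves the script's two transports and the format parser; to test the real path, bind the collector side on the syslog server (on the configured port) and trigger an event on the Enforce server after the restart.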