Generating Syslog messages from Data Loss Prevention
Article ID: 159509
Updated On:
Products
Issue/Introduction
How to configure Symantec Data Loss Prevention (DLP) to send messages and alerts to Syslog.
Resolution
DLP supports two methods for generating Syslog events: "Syslog Response Rule" notifications and "Syslog Server Alerts".
-
Creating a Syslog Response Rule
- When creating an Automated Response Rule, select ‘Log to a Syslog Server‘ as the action. Fill in the Host, Port, Message, Protocol(UDP or TCP) and Level as appropriate. You can also add variables to the Message field by selecting them from the Insert Variable list on the right. The variables will populate with values based on the specific incident. Once assigned to a Policy, the Response Rule will generate a syslog event when triggered.
- The creation of a "Syslog Response Rule" does not require the additional method described for "Syslog Server Alerts" - they are separate functions.
- When creating an Automated Response Rule, select ‘Log to a Syslog Server‘ as the action. Fill in the Host, Port, Message, Protocol(UDP or TCP) and Level as appropriate. You can also add variables to the Message field by selecting them from the Insert Variable list on the right. The variables will populate with values based on the specific incident. Once assigned to a Policy, the Response Rule will generate a syslog event when triggered.
-
Create Syslog Server Alerts
The System Maintenance Guide outlines how to setup Syslog events.
To enable syslog functionality
- Navigate to the installed directory, for example
<drive>:\SymantecDLP\Protect\configdirectory on Windows or the/opt/SymantecDLP/Protect/configdirectory on Linux. - Open the
Manager.propertiesfile. - Uncomment the
#systemevent.syslog.host=line by removing the#symbol from the beginning of the line and enter the hostname or IP address of the syslog server. - Uncomment the
#systemevent.syslog.port=line by removing the#symbol from the beginning of the line and enter the port number that should accept connections from the Enforce server. The default port is514. This is for UDP. - Uncomment the
#systemevent.syslog.format= [{0}] {1} - {2}line by removing the#symbol from the beginning of the line and define the system event message format.
The optional parameters are as follows:
{0} - name of the server on which the event occurred
{1} - event summary
{2} - event detail
For example, in the following configuration:
systemevent.syslog.host=galapagos.company.com
systemevent.syslog.port=600
systemevent.syslog.format= [{0}] {1} - {2}
System event notifications would be written to a server named galapagos.company.com using port 600 and the notification messages will be in the following format:
[server name] summary – details
If galapagos was used to host an Enforce server, an event notification indicating low disk space on galapagos might look like this:
[Enforce server] Low disk space - Hard disk space for incident
data storage server is low. Disk usage is over 82%.
You can set the log level to include INFO, WARNING and/or SEVERE.
For reference:
- Log level 3 = logs SEVERE messages only (this is default)
- Log level 4 = Logs SEVERE and WARNING
- Log level 5 = logs INFO, WARNING, SEVERE
Steps to implement:
- Install/Upgrade to DLP 15.0 on your system.
- Open manager.properties as indicated above.
- Find the following line:
systemevent.syslog.level = x - Change the value of x to either 3, 4, or 5 (the default value is 3)
- Restart services for changes to take effect in Windows or Linux.
In Symantec Data Loss Prevention version 15.8 and above you have the ability to specify the protocol to use with syslog.
Find the systemevent.syslog.protocol and set the parameter value to either TCP or UDP.
systemevent.syslog.protocol = tcp
or
systemevent.syslog.protocol = udp
Restart Symantec DLP services for the change to take effect.
Feedback
