Generating Syslog messages from Symantec Data Loss Prevention
DLP supports two methods for generating Syslog events: “Syslog Response Rule” notifications and “Syslog Server Alerts”.
- Creating a Syslog Response Rule
  - When creating an Automated Response Rule, select 'Log to a Syslog Server' as the action. Fill in the Host, Port, Message, and Level as appropriate. Once assigned to a Policy, the Response Rule will generate a syslog event when triggered.
  - The creation of a "Syslog Response Rule" does not require the additional method described for "Syslog Server Alerts" – they are separate functions.
- Creating Syslog Server Alerts
The System Maintenance Guide outlines how to set up Syslog events.
To enable syslog functionality:
- Navigate to the installed config directory, for example the <drive>:\SymantecDLP\Protect\config directory on Windows or the /opt/SymantecDLP/Protect/config directory on Linux.
- Open the Manager.properties file.
- Uncomment the #systemevent.syslog.host= line by removing the # symbol from the beginning of the line and enter the hostname or IP address of the syslog server.
- Uncomment the #systemevent.syslog.port= line by removing the # symbol from the beginning of the line and enter the port number that should accept connections from the Vontu Enforce server. The default is 514. This is UDP.
- Uncomment the #systemevent.syslog.format= [{0.EN_US}] {1.EN_US} - {2.EN_US} line by removing the # symbol from the beginning of the line and define the system event message format.
The optional parameters are as follows:
{0.EN_US} – name of the server on which the event occurred
{1.EN_US} – event summary
{2.EN_US} – event detail
For example, in the following configuration:
systemevent.syslog.host=galapagos.company.com
systemevent.syslog.port=600
systemevent.syslog.format= [{0.EN_US}] {1.EN_US} – {2.EN_US}
System event notifications would be written to a server named galapagos.company.com using port 600, and the notification messages would be in the following format:
[server name] summary – details
If galapagos was used to host an Enforce server, an event notification indicating low disk space on galapagos might look like this:
[Enforce server] Low disk space – Hard disk space for incident data storage server is low. Disk usage is over 82%.
DLP 15.0 and later
You can set the log level to include INFO and WARNING events along with SEVERE.
For reference:
- Log level 3 = logs SEVERE messages only (this is the default)
- Log level 4 = logs SEVERE and WARNING
- Log level 5 = logs INFO, WARNING, and SEVERE
Steps to implement:
- Install/Upgrade to DLP 15.0 on your system.
- Open manager.properties as indicated above.
- Find the following line:
systemevent.syslog.level = x
- Change the value of x to either 3, 4, or 5 (the default value is 3)
- Restart services for changes to take effect in Windows or Linux.
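As an added example (not part of this article or of Symantec's own code), the following Python reads the systemevent.syslog.* keys and the level from a constructed Manager.properties fragment built from the values above, checks them the way a SOC engineer would before relying on the feed, expands the {n.EN_US} placeholders into the message shape shown earlier, and parses a received message back into fields. The validation rules and the message regular expression are my assumptions, not documented Symantec behaviour.

```python
import re

# Constructed Manager.properties fragment using the article's example values (level added).
SAMPLE_PROPERTIES = """\
systemevent.syslog.host=galapagos.company.com
systemevent.syslog.port=600
systemevent.syslog.format= [{0.EN_US}] {1.EN_US} - {2.EN_US}
systemevent.syslog.level = 4
"""

PREFIX = "systemevent.syslog."
PLACEHOLDER = re.compile(r"\{(\d)\.EN_US\}")
# Assumed layout of an emitted message: "[server name] summary - details".
MESSAGE = re.compile(r"^\[(?P<server>[^\]]+)\] (?P<summary>.+?) - (?P<detail>.*)$")

def load_syslog_settings(text):
    """Collect the uncommented systemevent.syslog.* keys; a line still starting with # stays disabled."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith(PREFIX):
            settings[key[len(PREFIX):]] = value.strip()
    return settings

def validate(settings):
    """Return problems that would leave the SIEM feed silent or malformed (checks are assumptions)."""
    problems = []
    if not settings.get("host"):
        problems.append("host not set: system events are not forwarded")
    port = settings.get("port", "514")  # article: default is UDP 514
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port {port!r} is not a valid UDP port")
    if settings.get("level", "3") not in ("3", "4", "5"):
        problems.append("level must be 3 (SEVERE), 4 (+WARNING) or 5 (+INFO)")
    if "{1.EN_US}" not in settings.get("format", ""):
        problems.append("format omits {1.EN_US}: events would arrive without a summary")
    return problems

def render_event(fmt, server, summary, detail):
    """Expand {0.EN_US}/{1.EN_US}/{2.EN_US} the way the article describes."""
    fields = {"0": server, "1": summary, "2": detail}
    return PLACEHOLDER.sub(lambda m: fields.get(m.group(1), m.group(0)), fmt)

def parse_message(msg):
    """Split a received message back into server/summary/detail, or None if it does not match."""
    m = MESSAGE.match(msg)
    return m.groupdict() if m else None
```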