This article covers how to configure Symantec DLP on-premises.
Configuring Symantec DLP
Take the following steps to configure your Symantec DLP:
Procedure
DLP supports two separate methods for generating syslog events: "Syslog Response Rule" notifications, which fire per incident when a policy's response rule is triggered, and "Syslog Server Alerts", which carry Enforce system events (such as low disk space).
- Creating a Syslog Response Rule
- When creating an Automated Response Rule, select "Log to a Syslog Server" as the action. Fill in the Host, Port (11643 in this example), Message, Protocol (UDP or TCP) and Level as appropriate. You can also add variables to the Message field by selecting them from the Insert Variable list on the right; the variables are populated with values from the specific incident. Once the Response Rule is assigned to a Policy, it generates a syslog event each time it is triggered.
- A "Syslog Response Rule" does not require the additional configuration described below for "Syslog Server Alerts"; they are separate functions.
- Create Syslog Server Alerts
- The System Maintenance Guide outlines how to set up syslog for system events. The steps are summarised here.
To enable syslog functionality
- Navigate to the installed directory, for example <drive>:\SymantecDLP\Protect\config directory on Windows or the /opt/SymantecDLP/Protect/config directory on Linux.
- Open the Manager.properties file.
- Uncomment the #systemevent.syslog.host= line by removing the # symbol from the beginning of the line and enter the hostname or IP address of the syslog server.
- Uncomment the #systemevent.syslog.port= line by removing the # symbol from the beginning of the line and enter the port number on which the syslog server accepts connections from the Enforce server. The default is port 514 (UDP). Make sure any firewall between the Enforce server and the syslog server allows this traffic.
- Uncomment the #systemevent.syslog.format= [{0}] {1} - {2} line by removing the # symbol from the beginning of the line and define the system event message format.
The placeholders in the format string are as follows:
- {0} - name of the server on which the event occurred
- {1} - event summary
- {2} - event detail
For example, in the following configuration:
systemevent.syslog.host=galapagos.company.com
systemevent.syslog.port=600
systemevent.syslog.format= [{0}] {1} - {2}
- System event notifications would be written to a server named galapagos.company.com on port 600, and the notification messages would have the following format:
- [server name] summary - details
- If galapagos was used to host an Enforce server, an event notification indicating low disk space on galapagos might look like this:
[Enforce server] Low disk space - Hard disk space for incident data storage server is low. Disk usage is over 82%.
- You can set the log level to include INFO, WARNING and/or SEVERE events.
For reference:
- Log level 3 = logs SEVERE messages only (this is the default)
- Log level 4 = logs SEVERE and WARNING
- Log level 5 = logs INFO, WARNING and SEVERE
Steps to implement:
- Install/Upgrade to DLP 15.0 on your system.
- Open Manager.properties as indicated above.
- Find the following line: systemevent.syslog.level = x
- Change the value of x to either 3, 4, or 5 (the default value is 3)
- Restart services for changes to take effect in Windows or Linux.
- In Symantec Data Loss Prevention version 15.8 and above you can also specify the protocol used for syslog.
- Find the systemevent.syslog.protocol line and set the parameter value to either tcp or udp:
- systemevent.syslog.protocol = tcp OR
- systemevent.syslog.protocol = udp
- Prefer tcp where your syslog collector supports it: UDP syslog gives no delivery guarantee, so events can be silently lost under load or network trouble.
- Restart Symantec DLP services for the change to take effect.
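The Manager.properties edits above are easy to get subtly wrong by hand (a key left commented out, a level outside 3-5, a protocol value Enforce will not accept), so the following is an added example, not Symantec's own tooling, that applies them idempotently and validates the values first. It works on a constructed sample of the commented-out lines and assumes the file path and the `enable_syslog` helper name; point MANAGER_PROPERTIES at the real file to use it, and remember that services still have to be restarted afterwards.

```python
"""Idempotently enable Enforce system-event syslog in Manager.properties.

Added example (not Symantec's code). MANAGER_PROPERTIES is an assumed path:
<drive>:\\SymantecDLP\\Protect\\config\\Manager.properties on Windows or
/opt/SymantecDLP/Protect/config/Manager.properties on Linux.
"""
import re
import shutil
from pathlib import Path

MANAGER_PROPERTIES = Path("/opt/SymantecDLP/Protect/config/Manager.properties")

# Constructed sample of the shipped, commented-out defaults (assumption).
SAMPLE_PROPERTIES = """\
# Syslog settings for system events
#systemevent.syslog.host=
#systemevent.syslog.port=
#systemevent.syslog.format= [{0}] {1} - {2}
systemevent.syslog.level = 3
#systemevent.syslog.protocol = udp
"""

VALID_LEVELS = {3, 4, 5}          # 3 SEVERE; 4 SEVERE+WARNING; 5 INFO+WARNING+SEVERE
VALID_PROTOCOLS = {"tcp", "udp"}  # systemevent.syslog.protocol exists in 15.8+

# Matches the key whether it is active or still commented out with '#'.
KEY_RE = re.compile(r"^\s*#?\s*(systemevent\.syslog\.[a-z]+)\s*=.*$")
ACTIVE_RE = re.compile(r"^\s*(systemevent\.syslog\.[a-z]+)\s*=\s*(.*?)\s*$")


def build_settings(host, port=514, level=3, protocol=None, fmt="[{0}] {1} - {2}"):
    """Validate the inputs and return the key/value pairs to write."""
    if not host or any(c.isspace() for c in host):
        raise ValueError("host must be a hostname or IP address")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port must be 1-65535")
    if int(level) not in VALID_LEVELS:
        raise ValueError("level must be 3, 4 or 5")
    settings = {
        "systemevent.syslog.host": host,
        "systemevent.syslog.port": str(int(port)),
        "systemevent.syslog.format": fmt,
        "systemevent.syslog.level": str(int(level)),
    }
    if protocol is not None:  # only meaningful on 15.8 and later
        if protocol.lower() not in VALID_PROTOCOLS:
            raise ValueError("protocol must be tcp or udp")
        settings["systemevent.syslog.protocol"] = protocol.lower()
    return settings


def apply_settings(text, settings):
    """Uncomment and set each key in place; append any key the file lacks."""
    seen, out = set(), []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m and m.group(1) in settings:
            out.append(f"{m.group(1)}={settings[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    for key, value in settings.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def parse_settings(text):
    """Return only the active (uncommented) systemevent.syslog.* keys."""
    return {m.group(1): m.group(2)
            for m in map(ACTIVE_RE.match, text.splitlines()) if m}


def render_event(fmt, server, summary, detail):
    """Render a system event the way the {0}/{1}/{2} format placeholders describe."""
    return fmt.format(server, summary, detail)


def enable_syslog(path=MANAGER_PROPERTIES, **kwargs):
    """Back up the file, then write the validated settings into it."""
    settings = build_settings(**kwargs)
    shutil.copy2(path, str(path) + ".bak")
    path.write_text(apply_settings(path.read_text(), settings))
    return parse_settings(path.read_text())


if __name__ == "__main__":
    cfg = build_settings("galapagos.company.com", port=600, level=4, protocol="tcp")
    print(apply_settings(SAMPLE_PROPERTIES, cfg))
    print(render_event(cfg["systemevent.syslog.format"], "Enforce server",
                       "Low disk space", "Disk usage is over 82%."))
```

Run it against the sample to see the resulting file content; run `enable_syslog(host=..., port=..., level=..., protocol=...)` to change the real file (a `.bak` copy is kept beside it). The protocol key is only set when you pass one, so the same function is safe on releases before 15.8.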