Auditing/Monitoring of User Activity in DLP
There may be audit requirements that call for monitoring what users and administrators do in DLP. Symantec DLP is a sensitive, highly confidential application, and the data it holds is some of the organisation's most valuable, so monitoring the activities of administrators, users, the security team and others around it is a must.
One way of achieving this: Symantec makes the events in the AUDITLOG table available in the Enforce console under System-Events. We could then develop alerts to send these events to an SSIM tool (Symantec Security Information Manager).
We can write a stored procedure in Oracle, fired by a trigger, that runs whenever a row is inserted into the AUDITLOG table and sends the data to the SSIM tool for correlation and alerting.
Alternatively, develop a process that queries the AUDITLOG table on a schedule (every few minutes or hours) to extract the newest records. The results of the query are then sent to your SSIM tool for correlation and alerting.
A point of caution: create an Oracle user with read-only access to just the AUDITLOG table. Don't reuse the Oracle account you used when installing the Enforce server.
Here are a description of the AUDITLOG table and a sample SQL query against it.
SQL> desc auditlog
Name Null? Type
----------------------------------------- -------- -------------------------
AUDITLOGID NOT NULL NUMBER(38)
TIME NOT NULL TIMESTAMP(6)
IPADDRESS VARCHAR2(2048 CHAR)
USERNAME NOT NULL VARCHAR2(2048 CHAR)
ROLE VARCHAR2(2048 CHAR)
ENTITY NOT NULL VARCHAR2(2048 CHAR)
ACTION NOT NULL VARCHAR2(2048 CHAR)
This SQL*Plus script uses "|" as the delimiter between the fields. Watch out for the last field, DETAIL (a LOB column, read here through dbms_lob.substr, that does not appear in the desc output above): it is a big one, so the query cuts it to 3500 characters and strips its line breaks.
SET HEAD OFF
SET TRIM ON
SET WRAP OFF
SET LINESIZE 5000
SET PAGESIZE 9999
SELECT auditlogid || '|' ||
       to_char(time,'DD-MON-YYYY HH24:MI:SS') || '|' ||
       ipaddress || '|' ||
       username || '|' ||
       role || '|' ||
       entity || '|' ||
       action || '|' ||
       REPLACE(REPLACE(dbms_lob.substr( detail, 3500, 1 ),CHR(13), ' '), CHR(10), '')
FROM auditlog
ORDER BY auditlogid;
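The scheduled-extraction option described above, as an added example (not Symantec's code and not part of the original post): a poller that keeps AUDITLOGID as a high-water mark so each run ships only rows newer than the last one sent, and renders every row in the same pipe-delimited form as the SQL above (DETAIL cut to 3500 characters, CR replaced by a space, LF removed, NULL columns as empty fields). It assumes an in-memory sqlite3 table with the same columns as a stand-in for the Oracle AUDITLOG table so it runs offline; the three sample rows are constructed. Against Oracle you would swap sqlite3 for an Oracle driver, use `:1`-style bind placeholders, and connect as the read-only account recommended above.

```python
"""Scheduled extraction of new AUDITLOG rows as pipe-delimited lines for a SIEM.

Added example; sqlite3 stands in for the Oracle AUDITLOG table so it runs offline.
"""
import sqlite3
from datetime import datetime

# Same cut-off as dbms_lob.substr(detail, 3500, 1) in the query above.
DETAIL_MAX_CHARS = 3500


def format_detail(detail):
    """Mirror REPLACE(REPLACE(dbms_lob.substr(detail,3500,1), CHR(13), ' '), CHR(10), '')."""
    text = (detail or "")[:DETAIL_MAX_CHARS]
    return text.replace("\r", " ").replace("\n", "")


def format_event(row):
    """Render one row as 'id|time|ip|user|role|entity|action|detail'.

    NULL columns become empty strings, as Oracle's || does with NULL operands.
    """
    auditlogid, time, ipaddress, username, role, entity, action, detail = row
    # TO_CHAR(time, 'DD-MON-YYYY HH24:MI:SS') equivalent; MON is upper-case in Oracle.
    when = datetime.fromisoformat(time).strftime("%d-%b-%Y %H:%M:%S").upper()
    return "|".join([
        str(auditlogid), when, ipaddress or "", username, role or "",
        entity, action, format_detail(detail),
    ])


def fetch_new_events(conn, last_seen_id):
    """Return (new_last_seen_id, lines) for rows above the high-water mark.

    AUDITLOGID rather than TIME is the watermark: two rows can share a
    timestamp, and an id comparison never re-ships a row or skips one.
    The caller persists new_last_seen_id between scheduled runs.
    """
    cur = conn.execute(
        "SELECT auditlogid, time, ipaddress, username, role, entity, action, detail "
        "FROM auditlog WHERE auditlogid > ? ORDER BY auditlogid",  # Oracle: > :1
        (last_seen_id,),
    )
    lines = []
    for row in cur:
        lines.append(format_event(row))
        last_seen_id = row[0]
    return last_seen_id, lines


def build_sample_db():
    """Constructed stand-in for the Oracle table; all three rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auditlog (auditlogid INTEGER PRIMARY KEY, time TEXT, "
        "ipaddress TEXT, username TEXT, role TEXT, entity TEXT, action TEXT, detail TEXT)"
    )
    rows = [
        # Embedded CR/LF in DETAIL must not break the one-line-per-event output.
        (101, "2024-03-05T09:15:02", "10.0.0.5", "Administrator",
         "System Administrator", "Policy", "Update", "Policy 'PCI' modified\r\nrule count 4"),
        # NULL IPADDRESS and ROLE, same timestamp as the previous row.
        (102, "2024-03-05T09:15:02", None, "auditor1", None, "User", "Login", "successful"),
        # Oversized DETAIL, longer than the 3500-character cut-off.
        (103, "2024-03-05T09:16:40", "10.0.0.7", "Administrator",
         "System Administrator", "Incident", "Export", "x" * 5000),
    ]
    conn.executemany("INSERT INTO auditlog VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    watermark = 0  # load the persisted value here in a real scheduled job
    watermark, lines = fetch_new_events(db, watermark)
    for line in lines:
        print(line)  # hand each line to the SIEM collector instead of printing
    _, again = fetch_new_events(db, watermark)
    assert again == []  # a second run ships nothing until new rows arrive
```

Persist the watermark somewhere the scheduled job can read it back (a small state file or table owned by the collector, not the DLP schema), so a crash between runs replays at most the rows that were never confirmed sent rather than the whole table.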
This can give real-time auditing/monitoring of the activities being carried out on DLP, and the logs can also be retained for audit purposes.