
Auditing/Monitoring of User Activity in DLP

Created: 10 Feb 2012 • Updated: 13 Feb 2012 | 7 comments
Author: AR Sharma

There may be audit requirements where we need to monitor users and administrators for their activity in DLP. Symantec DLP is a very sensitive and highly confidential application, and the data in Symantec DLP is precious data of the organisation. So monitoring the different activities around Symantec DLP by admins, users, the security team, etc. is a must.

One way of achieving this could be: Symantec makes the events in the AUDITLOG table available in the Enforce console under System-Events. We could then develop alerts to send these events to an SSIM tool (Symantec Security Information Manager).

We can write a stored procedure in Oracle, fired by a trigger whenever a row is inserted into the AUDITLOG table. That stored procedure would send the data to the SSIM tool for correlation and alerting.

Alternatively, develop a process that queries the AUDITLOG table on a schedule (every few minutes or hours) to extract the newest records. The results of the query would be sent to your SSIM tool for correlation and alerting.

A point of caution: create an Oracle user with READ ONLY access to JUST the AUDITLOG table. Don't use the same Oracle account you used when installing the Enforce server.

Here is a description and a sample SQL query for the AUDITLOG table.

SQL> desc auditlog
 Name                                      Null?    Type
 ----------------------------------------- -------- -------------------------
 AUDITLOGID                                NOT NULL NUMBER(38)
 TIME                                      NOT NULL TIMESTAMP(6)
 IPADDRESS                                          VARCHAR2(2048 CHAR)
 USERNAME                                  NOT NULL VARCHAR2(2048 CHAR)
 ROLE                                               VARCHAR2(2048 CHAR)
 ENTITY                                    NOT NULL VARCHAR2(2048 CHAR)
 ACTION                                    NOT NULL VARCHAR2(2048 CHAR)
 DETAIL                                             CLOB

This SQL code uses "|" as the delimiter between the fields. Watch out for the last field, DETAIL: it is a big one (a CLOB), so only its first 3500 characters are taken.

-- SQL*Plus output settings: no column headings, no wrapping, one record per output line
SET HEAD OFF
SET TRIM ON
SET WRAP OFF
SET LINESIZE 5000
SET PAGESIZE 9999
-- Fields are joined with '|'. DETAIL is a CLOB, so only its first 3500 characters are
-- taken as VARCHAR2, and any CR/LF inside it is stripped so the record stays on one line.
SELECT auditlogid                              || '|' ||
       to_char(time, 'DD-MON-YYYY HH24:MI:SS') || '|' ||
       ipaddress                               || '|' ||
       username                                || '|' ||
       role                                    || '|' ||
       entity                                  || '|' ||
       action                                  || '|' ||
       REPLACE(REPLACE(dbms_lob.substr(detail, 3500, 1), CHR(13), ' '), CHR(10), '')
FROM   auditlog
ORDER  BY auditlogid;

This can give real-time auditing/monitoring of the activities being done in DLP. These logs can also be stored for audit purposes.
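As an added example (not from the original article or Symantec's product), here is how the read-only user from the caution above and the scheduled incremental extraction fit together in SQL*Plus. The Enforce schema owner PROTECT, the user name DLP_AUDIT_READER, the placeholder password and the LAST_ID substitution variable are assumptions made for this example.

```sql
-- Added example, not part of the original article or of Symantec DLP.
-- Assumptions: the Enforce schema owner is PROTECT, the dedicated reader is
-- DLP_AUDIT_READER, and the collector that runs this on a schedule keeps the
-- last shipped AUDITLOGID and passes it in as the SQL*Plus variable LAST_ID.

-- 1) Least-privilege reader (run once as a DBA). It can log in and SELECT
--    from AUDITLOG only: no incident tables, no write access, not the
--    account used to install Enforce.
CREATE USER dlp_audit_reader IDENTIFIED BY "CHANGE_ME_placeholder_password";
GRANT CREATE SESSION TO dlp_audit_reader;
GRANT SELECT ON protect.auditlog TO dlp_audit_reader;

-- 2) Incremental extract (run on a schedule as DLP_AUDIT_READER).
--    Only rows newer than the last one already shipped are returned, so a
--    run every few minutes moves a handful of rows instead of the whole table.
SET HEAD OFF
SET FEEDBACK OFF
SET TRIM ON
SET TRIMSPOOL ON
SET WRAP OFF
SET LINESIZE 5000
SET PAGESIZE 0
-- The collector overwrites this value with its stored watermark before each run.
DEFINE last_id = 0

SELECT auditlogid                                || '|' ||
       TO_CHAR(time, 'YYYY-MM-DD"T"HH24:MI:SS')  || '|' ||
       NVL(ipaddress, '-')                       || '|' ||
       username                                  || '|' ||
       NVL(role, '-')                            || '|' ||
       entity                                    || '|' ||
       action                                    || '|' ||
       -- keep one record per line: fold CR and LF inside DETAIL into spaces
       REPLACE(REPLACE(DBMS_LOB.SUBSTR(detail, 3500, 1), CHR(13), ' '),
               CHR(10), ' ')
FROM   protect.auditlog
WHERE  auditlogid > &last_id
ORDER  BY auditlogid;
-- The highest AUDITLOGID printed becomes LAST_ID for the next run.
```

Because the watermark lives on the collector side, the database account needs no table of its own and stays strictly read-only.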

Comments

waldemarrobert

data system on scripting!

Avkash K

Thumbs UP!!

Regards,

Avkash K

JonCRG

Very useful!

AP@sil

Great article, AR you are really contributing quality KB shares.

kishorilal1986

Hi AR,

Thanks for this article. Can you publish some on Symantec applications from an IT infra perspective?

Regards

Kishorilal

patriot3w

Guys, the auditlog table is not really an audit trail; for example, it takes a snapshot of the settings, not the changes.

Hope Symantec can make it a real audit trail.

ethlang

Hello Symbeta,

Do you have any other suggestions for a real audit trail in Symantec DLP? The only method that I can think of is manually searching the Tomcat logs on the Enforce server.

Also, our Symantec Support thinks the best method is to "query the Auditlog table directly". The "Enforce console doesn't have the comprehensive functionality..." If you have other suggestions, please shoot me an email at ethlang@cillc.com.

Thanks!
