Data Loss Prevention


Configure Symantec DLP with RSA enVision for Syslog Alert

Mar 17, 2014 07:24 AM

Dear All,

Please follow the instructions below, as I integrated DLP 12.0.1 with RSA enVision for syslog.

Configure Symantec DLP

To configure Symantec DLP to work with the enVision appliance, you must complete the following
tasks:

1. Configure System Events
2. Configure Response Rules
3. Enable Rules

Configure System Events

To configure system events:

1. On your Vontu system, depending on your operating system, choose one of the following:

   For Windows, change directories to \Vontu\Protect\config.
   For Linux, change directories to /opt/Vontu/Protect/config.

2. Open Manager.properties in a text editor.

3. Remove the number sign (#) from the line, #systemevent.syslog.host=, and then enter the
hostname or IP address of your enVision appliance.


4. Remove the # from the line, #systemevent.syslog.port=, and then type 514.


5. Remove the # from the line, #systemevent.syslog.format= [{0}] {1} - {2}.

6. Save and close the file.


7. Restart the Vontu server.

Configure Response Rules (refer to the attached snapshot, response rule.jpg)

To configure response rules:
1. Log on to the Symantec DLP user interface.
2. Click Policies > Response Rules > Add Response Rule.
3. Select Automated Response.
4. Click Next.
5. In the Configure Response Rule window, complete the fields as follows.

Field          Action

Rule Name      Enter a rule name.
Description    Enter a description for the rule name.

6. From the Action drop-down list, select All: Log to a Syslog Server.
7. Click Add Action.
8. Complete the fields as follows.

Field      Action

Host       Enter the IP address of your enVision appliance.
Port       Type 514.
Message    Type:

$POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^
$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^
$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^
$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$

* Important: This is one continuous entry. Do not add spaces or hyphens.

Level      Select 4.

9. Click Save.


Enable Rules

To enable rules (refer to the attached screenshot, Policy response.JPG):


1. Click Policies > Policy List.
2. Select a policy that you want to report on.
3. Click the Response tab.
4. From the drop-down list, select the rule you created in the previous task.
5. Click Add Response Rule.

Example of a created response rule (see the attached snapshot):

$POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$
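
To confirm on a test receiver that the response rule emits what you expect, the following added example (not part of the original post, and not Symantec or RSA code) checks the message template against the "one continuous entry" rule and splits a received message body into its named fields. The sample message and all its values are constructed, and template_fields and parse_incident are hypothetical helper names.

```python
import re

# Template exactly as given in the response rule above (one continuous entry).
TEMPLATE = ("$POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^$MATCH_COUNT$^^$RULES$^^"
            "$SENDER$^^$RECIPIENTS$^^$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^"
            "$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$")
DELIM = "^^"


def template_fields(template):
    """Return the variable names in order, or raise if the entry is not continuous."""
    if re.search(r"\s", template):
        raise ValueError("template contains whitespace or a line break")
    names = []
    for part in template.split(DELIM):
        m = re.fullmatch(r"\$([A-Z_]+)\$", part)
        if not m:
            raise ValueError(f"unexpected token in template: {part!r}")
        names.append(m.group(1))
    return names


FIELDS = template_fields(TEMPLATE)


def parse_incident(message):
    """Split a received message body into a dict keyed by template variable.

    Returns None when the field count is off, for example when a value
    itself contains '^^' or the datagram was truncated in transit.
    """
    values = message.rstrip("\r\n").split(DELIM)
    if len(values) != len(FIELDS):
        return None
    return dict(zip(FIELDS, values))


# Constructed sample body (not real DLP output); syslog header already stripped.
SAMPLE = DELIM.join([
    "PCI Policy", "1042", "Q3 card export", "High", "12", "Credit Card Numbers",
    "user@example.com", "partner@example.net", "Blocked", "cards.xlsx", "",
    "", "", "SMTP", "https://enforce.example.local/incident/1042",
])

if __name__ == "__main__":
    incident = parse_incident(SAMPLE)
    print(incident["POLICY"], incident["INCIDENT_ID"], incident["SEVERITY"])
```

A None result from parse_incident is worth logging on the receiver, since it means a field value collided with the delimiter or the message arrived incomplete.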

 

 


Comments

Apr 02, 2014 06:14 AM

Really helpful article.

Mar 28, 2014 06:15 AM

Thanks

This is what I was looking for
