Data Loss Prevention

  • 1.  Any best practice to manage DLP Agent events with SMP and DLP IC?

    Posted Jul 27, 2012 09:47 AM

    Hi all,

    on a Symantec DLP 11.1 installation at one of our customers, I noticed that some apparently properly running agents did not create any incident on the Enforce server.
    Although the Agents Overview Console did not show any problem (green status), the agent log (Pull Logs on the Actions menu) showed the following severe events:

    06/27/2012 13:04:10 |  2600 | SEVERE  | IncidentStoreConnector | Persist of incidents failed
    06/27/2012 13:04:10 |  2600 | SEVERE  | IncidentHandler | Failed to persist incidents

    It seems that there is no way to detect this failure without pulling the logs of all DLP Agents.
    A first idea is to use the Altiris Console and create a task to schedule and collect all DLP Agent logs.
    This can have a large impact on the Notification Server, so I thought of setting the Log Level to Severe.
    But once all DLP Agent logs are collected, how can I create a report in Altiris with only those agents with this issue?

    Thanks,
    Giovanni

     



  • 2.  RE: Any best practice to manage DLP Agent events with SMP and DLP IC?

    Posted Jul 27, 2012 04:02 PM

    But would the IT Analytics pack for DLP help out with this?

     

    For installing the report pack see: https://www-secure.symantec.com/connect/articles/configuring-dlp-report-pack-it-analytics

     

    But that would be my 1st thought, to leverage something in IT Analytics.



  • 3.  RE: Any best practice to manage DLP Agent events with SMP and DLP IC?

    Posted Jul 28, 2012 04:01 AM

    Hi Jonathan,

    as far as I have read, IT Analytics can connect to the Vontu Oracle database and create reports based on information stored in the DB.

    But in this case there is no information in the DB that can help me detect the issue, only in the pulled DLP agent logs.

    Since SMP allows creating a task that collects (pulls) all DLP agent logs, I was wondering if there is a best practice to analyze and create reports based on these collected logs.

    Kind regards,

    Giovanni



  • 4.  RE: Any best practice to manage DLP Agent events with SMP and DLP IC?

    Posted Jul 30, 2012 01:13 AM

    Hi,

    Very good morning,

    As for I had studied your problem of your computer..

    A unique computer how to community that focuses on the tutorials themselves and caters to the authors that create them.

    For More Details Please VISIT



  • 5.  RE: Any best practice to manage DLP Agent events with SMP and DLP IC?

    Posted Jul 30, 2012 09:57 AM

    I think, as all DLP agents look green on the Enforce overview, they might be working properly and incidents are sometimes generated as per your policy. Review your policy and ensure all agents are well connected to the DLP endpoint server and deploying policy properly.

     

    Regards

    Kishorilal



  • 6.  RE: Any best practice to manage DLP Agent events with SMP and DLP IC?

    Posted Jul 30, 2012 10:15 AM

    Sorry Giovanni, I don't think there is currently a good way to read the agent logs either on the SMP or through IT Analytics.  Wish there was.

    Might just have to do some reading of logs if you are looking for a certain item.
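
Added example, not part of the thread and not Symantec or Altiris code: once the agent logs have been collected centrally, a short script can do the log reading and report only the agents that logged the two SEVERE persist failures quoted in the first post. The host names, the non-failure sample line and the host-to-log-text mapping are assumptions; the line layout comes from the quoted log lines.

```python
import re
from datetime import datetime

# Layout taken from the two log lines quoted in the first post:
# date time | number | LEVEL | component | message
# (the page does not say what the number is, so it is parsed and ignored)
LINE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s*\|\s*(\d+)\s*\|"
    r"\s*(\w+)\s*\|\s*([^|]+?)\s*\|\s*(.*?)\s*$"
)
# Component/message pairs showing that incidents were not persisted.
FAILURES = {
    ("IncidentStoreConnector", "Persist of incidents failed"),
    ("IncidentHandler", "Failed to persist incidents"),
}

def parse_line(line):
    """Return (timestamp, level, component, message), or None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None  # blank lines, continuation lines, other formats
    ts, _num, level, component, message = m.groups()
    return datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"), level, component, message

def agents_failing_to_persist(logs_by_host):
    """Map host -> count/first/last for hosts that logged a persist failure."""
    report = {}
    for host, text in logs_by_host.items():
        hits = []
        for line in text.splitlines():
            rec = parse_line(line)
            if rec and rec[1] == "SEVERE" and (rec[2], rec[3]) in FAILURES:
                hits.append(rec[0])
        if hits:
            report[host] = {"count": len(hits), "first": min(hits), "last": max(hits)}
    return report

# Constructed sample input: host names and the INFO line are made up.
SAMPLE = {
    "WKS-001": "06/27/2012 13:04:10 |  2600 | SEVERE  | IncidentStoreConnector | Persist of incidents failed\n"
               "06/27/2012 13:04:10 |  2600 | SEVERE  | IncidentHandler | Failed to persist incidents\n",
    "WKS-002": "06/27/2012 13:05:00 |  1184 | INFO    | AgentService | constructed non-failure line\n",
}

if __name__ == "__main__":
    for host, info in sorted(agents_failing_to_persist(SAMPLE).items()):
        print(f"{host},{info['count']},{info['first']:%Y-%m-%d %H:%M:%S},{info['last']:%Y-%m-%d %H:%M:%S}")
```

With real data, build the mapping by reading each collected log file and keying it by the machine it came from; the CSV output can then be imported wherever the report is needed.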