Data Loss Prevention

  • 1.  DLP Logs!

    Posted Aug 02, 2012 02:05 AM

    Hi Guys,

    I need to know which logs are used to troubleshoot and monitor for the following components of DLP.

    1. Enforce
    Oracle DB logs to see any DB related error?
    Any other critical logs for detection servers to see any errors or info?

    2. Network Monitor
    Which logs to see to verify packet capturing?
    Any other useful log for troubleshooting?

    3. Network Prevent for Web, SMTP.
    Which logs to see if HTTP and SMTP packets are coming in from the Web proxy and MTA?
    Which logs to see for connectivity errors and other problems?

    4. Network Discover, Endpoint Discover, Network Protect and Network Prevent
    Which logs to see for problems and errors?

    Regards,


     



  • 2.  RE: DLP Logs!

    Posted Aug 02, 2012 06:55 AM

    Symantec Data Loss Prevention provides many operational log files that can be used to interpret how the system is running.

    The default locations for the log files are set during installation for the Enforce Server and detection servers on the computers that host the servers. The files are in the \Vontu\Protect\logs\ directory on Windows installations and in the /var/log/Vontu/ directory on Linux installations.

    Operational log files record detailed information about the tasks the software performs and any errors that occur while the software performs those tasks. You can use the contents of operational log files to verify that the software functions as you expect it to. You can also use these files to troubleshoot any problems in the way the software integrates with other components of your system.

    For example, you can use operational log files to verify that a Network Prevent

    Debug log files record fine-grained technical details about the individual processes or software components that comprise Symantec Data Loss Prevention. The contents of debug log files are not intended for use in diagnosing system configuration errors or in verifying expected software functionality. You do not need to examine debug log files to administer or maintain a Symantec Data Loss Prevention installation. However, Symantec Support may ask you to provide debug log files for further analysis when you report a problem. Some debug log files are not created by default. Symantec Support can explain how to configure the software to create the file if necessary.

    Installation log files record information about the Symantec Data Loss Prevention installation tasks that are performed on a particular computer. You can use these log files to verify an installation or troubleshoot installation errors. Installation log files reside in the following locations:

    installdir\Vontu\.install4j\installation.log stores the installation log for Symantec Data Loss Prevention.

    installdir\oracle_home\admin\protect\ stores the installation log for Oracle 10g.



  • 3.  RE: DLP Logs!
    Best Answer

    Posted Aug 02, 2012 07:29 AM

    Details about DLP logs are available in Vontu Knowledge base. I am pasting some extracts from the KB below. This can help you.

     

    Each entry below gives the log file name, the server(s) on which it is found, and what it is for.

    Log File Name: Aggregator0.log
    Server: Endpoint detection servers
    Description: This file describes communications between the detection server and the agents. Look at this log to troubleshoot the following problems:
    ■ Connection to the agents
    ■ To find out why incidents do not appear when they should
    ■ If unexpected agent events occur

    Log File Name: BoxMonitor0.log
    Server: All detection servers
    Description: This file is typically very small, and it shows how the application processes are running. The BoxMonitor process oversees the detection server processes that pertain to that particular server type. For example, the processes that run on Network Monitor are file reader and packet capture.

    Log File Name: ContentExtractor0.log
    Server: All detection servers, Enforce Server
    Description: This log file may be helpful for troubleshooting ContentExtractor issues.

    Log File Name: DiscoverNative.log.0
    Server: Discover detection servers
    Description: Contains the log statements that the Network Discover native code emits. Currently contains the information that is related to .pst scanning. This log file applies only to the Network Discover Servers that run on Windows platforms.

    Log File Name: FileReader0.log
    Server: All detection servers
    Description: This log file pertains to the file reader process and contains application-specific logging, which may be helpful in resolving issues in detection and incident creation. Look at this log file to find out why an incident was not detected. One symptom that shows up is content extractor timeouts.

    Log File Name: IncidentPersister0.log
    Server: Enforce Server
    Description: This log file pertains to the Incident Persister process. This process reads incidents from the incidents folder on the Enforce Server, and writes them to the database. Look at this log if the incident queue on the Enforce Server (manager) grows too large. This situation can also be observed by checking the incidents folder on the Enforce Server to see if incidents have backed up.

    Log File Name: Indexer0.log
    Server: Enforce Server (or computer where the external indexer is running)
    Description: This log file contains information when an EDM profile is indexed. It also includes the information that is collected when the external indexer is used. If indexing fails then this log should be consulted.

    Log File Name: jdbc.log
    Server: Enforce Server
    Description: This log file is a trace of JDBC calls to the database. By default, writing to this log is turned off.

    Log File Name: MonitorController0.log
    Server: Enforce Server
    Description: This log file is a detailed log of the connections between the Enforce Server and the detection servers. It gives details around the information that is exchanged between these servers, including whether policies have been pushed to the detection servers or not.

    Log File Name: PacketCapture.log
    Server: All detection servers
    Description: This log file pertains to the packet capture process that reassembles packets into messages and writes to the drop_pcap directory. Look at this log if there is a problem with dropped packets or traffic is lower than expected. PacketCapture is not a Java process, so it does not follow the same logging rules as the other Symantec Data Loss Prevention system processes.

    Log File Name: PacketCapture0.log
    Server: All detection servers
    Description: This log file describes issues with PacketCapture communications.

    Log File Name: RequestProcessor0.log
    Server: SMTP Prevent detection servers
    Description: This log file pertains to SMTP Prevent only. The log file is primarily for use in cases where SmtpPrevent0.log is not sufficient.

    Log File Name: ScanDetail-target-0.log
    Server: Discover detection servers
    Description: Where target is the name of the scan target. All white spaces in the target's name are replaced with hyphens. This log file pertains to Discover server scanning. It is a file-by-file record of what happened in the scan. If the scan of the file is successful, it reads success, and then the path, size, time, owner, and ACL information of the file scanned. If it failed, a warning appears followed by the file name.

    Log File Name: SmtpPrevent0.log
    Server: SMTP Prevent detection servers
    Description: This operational log file pertains to SMTP Prevent only. It is the primary log for tracking health and activity of a Mail Prevent system. Look at this file for information on the communications between the MTA and detection server.

    Log File Name: Tomcat\Localhost.<date>.log
    Server: Enforce Server
    Description: This log file contains information for any action that involves the user interface. The log includes the user interface red error message box, password failures when logging on, and Oracle errors (ORA-#).

    Log File Name: Tomcat\Localhost_access_log.<date>.txt
    Server: Enforce Server
    Description: This log contains the record of all URLs requested.

    Log File Name: VontuIncidentPersister.log
    Server: Enforce Server
    Description: This log file contains minimal information: stdout and stderr only (fatal events).

    Log File Name: VontuManager.log
    Server: Enforce Server
    Description: This log file contains minimal information: stdout and stderr only (fatal events).

    Log File Name: VontuMonitor.log
    Server: All detection servers
    Description: This log file contains minimal information: stdout and stderr only (fatal events).

    Log File Name: VontuMonitorController.log
    Server: Enforce Server
    Description: This log file contains minimal information: stdout and stderr only (fatal events).

    Log File Name: VontuNotifier.log
    Server: Enforce Server
    Description: This log file pertains to the Notifier service and its communications with the Enforce Server and the MonitorController service. Look at this file to see if the MonitorController service registered a policy change.

    Log File Name: VontuUpdate.log
    Server: Enforce Server
    Description: This log file is populated when Symantec Data Loss Prevention is updated.

    Log File Name: WebPrevent_Access0.log
    Server: Web Prevent detection servers
    Description: This access log file pertains to Web Prevent only. It records all the requests that Web Prevent processes. It is similar to Web access logs for a proxy server.

    Log File Name: WebPrevent_Operational0.log
    Server: Web Prevent detection servers
    Description: This operational log file pertains to Web Prevent only. It reports the operating condition of Web Prevent such as whether the system is up or down, connection management, and so on. This log is the primary log file for tracking Web Prevent operations.
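The two replies above give the default log directory (\Vontu\Protect\logs\ on Windows, /var/log/Vontu/ on Linux) and a table of which log file lives on which server and what to look in it for. The script below is an added example, not Symantec's code or anything from the thread: it turns that table into a first-pass triage of a log directory (which expected logs are absent for a given server role, which SEVERE/WARNING entries appear, which ORA- codes the Tomcat log carries, and whether the Enforce incidents folder is backing up, which is the IncidentPersister0.log symptom the table describes). Two things are assumptions the thread does not state and the code labels as such: the one-line "<timestamp> <source> <LEVEL>: <message>" layout of the constructed sample lines, and the path of the incidents queue folder, which the caller passes in.

```python
"""Triage the Symantec DLP operational logs listed in the thread's table.

Added example, not Symantec's code. ASSUMPTIONS not stated on the page:
  - log lines are one-per-line as "<Mon dd, yyyy hh:mm:ss AM/PM> <source> <LEVEL>: <msg>"
    (the sample lines below are constructed in that layout);
  - the Enforce incidents queue folder path is supplied by the caller.
"""
import glob
import os
import re
import tempfile

# Log files each server role should have, taken from the table above.
# Entries with '*' are patterns (date-stamped Tomcat logs, per-target ScanDetail
# logs). jdbc.log is left out because writing to it is off by default.
BASE_DETECTION = ["BoxMonitor0.log", "ContentExtractor0.log", "FileReader0.log",
                  "PacketCapture.log", "PacketCapture0.log", "VontuMonitor.log"]
EXPECTED_LOGS = {
    "enforce": ["ContentExtractor0.log", "IncidentPersister0.log", "Indexer0.log",
                "MonitorController0.log", "VontuIncidentPersister.log",
                "VontuManager.log", "VontuMonitorController.log", "VontuNotifier.log",
                "VontuUpdate.log", "Tomcat/localhost.*.log",
                "Tomcat/localhost_access_log.*.txt"],
    "network_monitor": BASE_DETECTION,
    "endpoint": BASE_DETECTION + ["Aggregator0.log"],
    "discover": BASE_DETECTION + ["ScanDetail-*-0.log"],
    "smtp_prevent": BASE_DETECTION + ["RequestProcessor0.log", "SmtpPrevent0.log"],
    "web_prevent": BASE_DETECTION + ["WebPrevent_Access0.log", "WebPrevent_Operational0.log"],
}

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2}:\d{2} [AP]M) "
                     r"(?P<source>\S+) (?P<level>SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): "
                     r"(?P<msg>.*)$")          # assumed layout, see module docstring
ORA_RE = re.compile(r"\bORA-\d{5}\b")           # Oracle error codes as "ORA-nnnnn"


def _files_under(logdir):
    return [p for p in sorted(glob.glob(os.path.join(logdir, "**", "*"), recursive=True))
            if os.path.isfile(p)]


def missing_logs(logdir, role):
    """Expected log files (per the table) that are absent for this server role."""
    return [name for name in EXPECTED_LOGS[role]
            if not glob.glob(os.path.join(logdir, *name.split("/")))]


def problem_lines(logdir, levels=("SEVERE", "WARNING")):
    """Map each log (relative path, '/'-separated) to its (level, source, msg) entries
    at the given levels. Lines not in the assumed layout are ignored."""
    found = {}
    for path in _files_under(logdir):
        hits = []
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                m = LINE_RE.match(line.rstrip("\n"))
                if m and m.group("level") in levels:
                    hits.append((m.group("level"), m.group("source"), m.group("msg")))
        if hits:
            found[os.path.relpath(path, logdir).replace(os.sep, "/")] = hits
    return found


def oracle_errors(logdir):
    """Distinct ORA- codes seen in any log (the Tomcat localhost log per the table)."""
    codes = set()
    for path in _files_under(logdir):
        with open(path, encoding="utf-8", errors="replace") as fh:
            codes.update(ORA_RE.findall(fh.read()))
    return sorted(codes)


def incident_backlog(incidents_dir, threshold=100):
    """(queued file count, over_threshold). A growing queue means the Incident
    Persister is not keeping up: look at IncidentPersister0.log."""
    queued = [n for n in os.listdir(incidents_dir) if os.path.isfile(os.path.join(incidents_dir, n))]
    return len(queued), len(queued) > threshold


# Constructed sample standing in for an Enforce Server log directory; every line
# below is invented for the example.
SAMPLE_LOGS = {
    "MonitorController0.log":
        "Aug 02, 2012 02:05:11 AM MonitorController INFO: policy push to 10.0.0.5 completed\n"
        "Aug 02, 2012 02:06:40 AM MonitorController WARNING: connection to detection server 10.0.0.5 lost\n"
        "Aug 02, 2012 02:07:02 AM MonitorController SEVERE: policy push to 10.0.0.5 failed: connection refused\n",
    "IncidentPersister0.log":
        "Aug 02, 2012 02:08:00 AM IncidentPersister INFO: persisted 12 incidents\n",
    "Tomcat/localhost.2012-08-02.log":
        "Aug 02, 2012 02:12:13 AM EnforceUI SEVERE: login failed for user admin\n"
        "Aug 02, 2012 02:12:50 AM EnforceUI SEVERE: ORA-01017: invalid username/password; logon denied\n",
    "VontuManager.log": "",
}


def build_sample_tree():
    """Write the constructed sample to a temp dir; return (logdir, incidents_dir)."""
    root = tempfile.mkdtemp(prefix="dlp-triage-")
    logdir = os.path.join(root, "logs")
    for rel, body in SAMPLE_LOGS.items():
        path = os.path.join(logdir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    incidents_dir = os.path.join(root, "incidents")   # assumed location, see docstring
    os.makedirs(incidents_dir)
    for i in range(3):                                # three incidents still queued
        open(os.path.join(incidents_dir, f"incident-{i}"), "w").close()
    return logdir, incidents_dir


if __name__ == "__main__":
    logdir, incidents_dir = build_sample_tree()
    print("missing on enforce:", missing_logs(logdir, "enforce"))
    for rel, hits in problem_lines(logdir).items():
        for level, source, msg in hits:
            print(f"{rel}: {level} {source}: {msg}")
    print("ORA codes:", oracle_errors(logdir))
    print("incident queue (count, backed up):", incident_backlog(incidents_dir, threshold=2))
```

Point `missing_logs`, `problem_lines` and `oracle_errors` at the real directory named in the second reply and pick the role matching the server; `incident_backlog` needs the queue folder the table mentions but does not locate, so confirm that path for your installation before trusting the count.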

     



  • 4.  RE: DLP Logs!

    Posted Aug 02, 2012 09:45 AM

    Thanks Roju for sharing, I could also share it but thought atif wanted to know the concept and location of log collection.



  • 5.  RE: DLP Logs!

    Posted Aug 02, 2012 02:20 PM

    Thanks Roju... Appreciate such a proper response.

    Regards.