Data Loss Prevention

  • 1.  DLP Syslog to LogRhythm

    Posted Apr 14, 2016 03:54 PM

    I am looking to feed my DLP events via syslog to my SIEM. Here is the regex being used to parse the syslog:

    :(?<severity>\w+)>.*?\|BLOCKED=(?<process>.*?)\s.*?FILE_NAME=(?<object>.*?)\s.*?INCIDENT_ID=(?<session>\d+)\sINCIDENT_SNAPSHOT=((?<url>.*?)|(?<objectname>.*?))\sMATCH_COUNT=(?<quantity>.*?)\sRULES=(?<group>.*?)\sPROTOCOL=(?<protname>\w+)(.*?POLICY=(?<vmid>.*?)\s)?.*?RECIPIENTS=(?<recipient>.*?)\s.*?SENDER=(?<sender>.*?)\s.*?SUBJECT=(?<subject>.*?)\sTARGET=

    I am looking to match my syslog format to the parsing format. Any help would be appreciated.

    Thank you,

    Matt



  • 2.  RE: DLP Syslog to LogRhythm

    Posted Apr 15, 2016 04:27 PM

    I feel like this syslog format would provide the information required by the regex above:

    :$SEVERITY$|BLOCKED=$BLOCKED$ FILE_NAME=$FILE_NAME$ INCIDENT_ID=$INCIDENT_ID$ INCIDENT_SNAPSHOT=$INCIDENT_SNAPSHOT$ MATCH_COUNT=$MATCH_COUNT$ RULES=$RULES$ PROTOCOL=$PROTOCOL$ POLICY=$POLICY$ RECIPIENTS=$RECIPIENTS$ SENDER=$SENDER$ SUBJECT=$SUBJECT$ TARGET=$TARGET$
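The script below is an added example, not code from either post: it takes the regex from the first post, rewrites its .NET-style `(?<name>...)` groups into the `(?P<name>...)` form Python's `re` module accepts, and runs it over constructed sample events laid out in the field order proposed in reply 2. The regex requires a `>` directly after the severity word and a `|` before `BLOCKED=`, so the constructed message body includes that `>`; the third sample is the body written exactly as the reply-2 template, without the `>`, and it does not match. The syslog header, hostname, incident id, URL and addresses are all made up.

```python
import re

# Regex from the original post (LogRhythm / .NET named-group syntax), unchanged.
LOGRHYTHM_REGEX = (
    r":(?<severity>\w+)>.*?\|BLOCKED=(?<process>.*?)\s.*?FILE_NAME=(?<object>.*?)\s"
    r".*?INCIDENT_ID=(?<session>\d+)\sINCIDENT_SNAPSHOT=((?<url>.*?)|(?<objectname>.*?))"
    r"\sMATCH_COUNT=(?<quantity>.*?)\sRULES=(?<group>.*?)\sPROTOCOL=(?<protname>\w+)"
    r"(.*?POLICY=(?<vmid>.*?)\s)?.*?RECIPIENTS=(?<recipient>.*?)\s.*?SENDER=(?<sender>.*?)\s"
    r".*?SUBJECT=(?<subject>.*?)\sTARGET="
)

# Python's re module only understands (?P<name>...) for named groups, so rewrite
# the .NET-style (?<name>...) groups. A lookbehind (?<=...) would not be touched
# by this substitution, and the regex above contains none anyway.
PYTHON_REGEX = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", LOGRHYTHM_REGEX)
PARSER = re.compile(PYTHON_REGEX)

# Constructed sample events (header, host, ids and addresses are invented).
# The regex needs a '>' right after the severity word and a '|' before
# BLOCKED=, so the message body adds the '>' that the reply-2 template omits.
HEADER = "<134>Apr 14 15:54:00 dlp-enforce "

EVENT_WITH_POLICY = HEADER + (
    "DLP:High>|BLOCKED=No FILE_NAME=q2-forecast.xlsx INCIDENT_ID=1042 "
    "INCIDENT_SNAPSHOT=https://dlp.example.test/ProtectManager/IncidentDetail.do?id=1042 "
    "MATCH_COUNT=3 RULES=Credit-Card-Numbers PROTOCOL=SMTP POLICY=PCI "
    "RECIPIENTS=partner@example.test SENDER=alice@example.test "
    "SUBJECT=Q2 forecast TARGET=partner@example.test"
)

# Same event without the optional POLICY= field (the regex makes it optional).
EVENT_WITHOUT_POLICY = EVENT_WITH_POLICY.replace("POLICY=PCI ", "")

# Body written exactly as the reply-2 template: no '>' after the severity.
EVENT_NO_ANGLE = EVENT_WITH_POLICY.replace("DLP:High>|", "DLP:High|")


def parse_dlp_event(line):
    """Return the regex's named groups as a dict, or None when the line does not match."""
    m = PARSER.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for sample in (EVENT_WITH_POLICY, EVENT_WITHOUT_POLICY, EVENT_NO_ANGLE):
        print(parse_dlp_event(sample))
```

Every field except INCIDENT_ID and PROTOCOL is captured with a lazy `.*?` that stops at the next literal token, so a value that itself contains a token such as ` TARGET=` (a mail subject, for example) is cut short at that point; test the rule with realistic subjects and file names, and confirm the final mapping in LogRhythm itself, since its .NET engine is what parses production events.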



  • 3.  RE: DLP Syslog to LogRhythm

    Posted Apr 22, 2016 10:44 AM

    Hi,

    Follow the links below:

    http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.dsm.doc/c_DSM_guide_Symantec_DLP_intro.html%23c_dsm_guide_symantec_dlp_intro

    https://splunkbase.splunk.com/app/1314/#/documentation