
DLP syslogs to QRADAR SIEM

Created: 02 Apr 2013 • Updated: 02 Apr 2013 | 1 comment

We have set up a response rule to send high and medium events to QRADAR SIEM on port 514, but we are getting the following errors: message too large (see below). Message string below:

LEEF:1.0|Symantec|DLP|2:medium|$POLICY$|suser=$SENDER$|duser=$RECIPIENTS$|rules=$RULES$|matchCount=$MATCH_COUNT$|blocked=$BLOCKED$|incidentID=$INCIDENT_ID$|incidentSnapshot=$INCIDENT_SNAPSHOT$|subject=$SUBJECT$|fileName=$FILE_NAME$|parentPath=$PARENT_PATH$|path=$PATH$|quarantineParentPath=$QUARANTINE_PARENT_PATH$|scan=$SCAN$|target=$TARGET$

Error logs:

Line 22178: Apr 1, 2013 11:05:11 AM (SEVERE) Thread: 16 [com.vontu.command.CommandRuntime.execute] Error executing command: syslog
Line 22179: com.vontu.command.CommandException: Unable to write to syslog: host=167.6.165.227, port=514
Line 22188: Caused by: com.vontu.util.syslog.SyslogException: Syslog message to large: size: 1683 MAX_MESSAGE_SIZE: 1460
Line 22189:          at com.vontu.util.syslog.SyslogMessage.makeBytes(SyslogMessage.java:141)
Line 22190:          at com.vontu.util.syslog.SyslogMessage.<init>(SyslogMessage.java:24)
Line 22191:          at com.vontu.util.syslog.Syslog.syslog(Syslog.java:45)
Line 22191:          at com.vontu.util.syslog.Syslog.syslog(Syslog.java:45)

Line 22194: Apr 1, 2013 11:05:11 AM (SEVERE) Thread: 17 [com.vontu.command.CommandRuntime.execute] Error executing command: syslog
Line 22195: com.vontu.command.CommandException: Unable to write to syslog: host=167.6.165.227, port=514
Line 22204: Caused by: com.vontu.util.syslog.SyslogException: Syslog message to large: size: 1683 MAX_MESSAGE_SIZE: 1460
Line 22205:          at com.vontu.util.syslog.SyslogMessage.makeBytes(SyslogMessage.java:141)
Line 22206:          at com.vontu.util.syslog.SyslogMessage.<init>(SyslogMessage.java:24)
Line 22207:          at com.vontu.util.syslog.Syslog.syslog(Syslog.java:45)
Line 22207:          at com.vontu.util.syslog.Syslog.syslog(Syslog.java:45)

Line 22475: Apr 2, 2013 7:08:47 AM (SEVERE) Thread: 28 [com.vontu.command.CommandRuntime.execute] Error executing command: syslog
Line 22476: com.vontu.command.CommandException: Unable to write to syslog: host=167.6.165.227, port=514
Line 22485: Caused by: com.vontu.util.syslog.SyslogException: Syslog message to large: size: 1711 MAX_MESSAGE_SIZE: 1460
Line 22486:          at com.vontu.util.syslog.SyslogMessage.makeBytes(SyslogMessage.java:141)
Line 22487:          at com.vontu.util.syslog.SyslogMessage.<init>(SyslogMessage.java:24)
Line 22488:          at com.vontu.util.syslog.Syslog.syslog(Syslog.java:45)
Line 22488:          at com.vontu.util.syslog.Syslog.syslog(Syslog.java:45)

Line 22491: Apr 2, 2013 7:08:47 AM (SEVERE) Thread: 29 [com.vontu.command.CommandRuntime.execute] Error executing command: syslog
Line 22492: com.vontu.command.CommandException: Unable to write to syslog: host=167.6.165.227, port=514
Line 22501: Caused by: com.vontu.util.syslog.SyslogException: Syslog message to large: size: 1711 MAX_MESSAGE_SIZE: 1460
Line 22502:          at com.vontu.util.syslog.SyslogMessage.makeBytes(SyslogMessage.java:141)
Line 22503:          at com.vontu.util.syslog.SyslogMessage.<init>(SyslogMessage.java:24)
Line 22504:          at com.vontu.util.syslog.Syslog.syslog(Syslog.java:45)
Line 22504:          at com.vontu.util.syslog.Syslog.syslog(Syslog.java:45)

Any help would be appreciated.

Thanks
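The error says the rendered syslog message (1683 and 1711 bytes in the logs) exceeds the 1460-byte limit the DLP syslog sender enforces, so the practical fix is to find out which variables in the response rule's message string push it over and shorten or drop them. The script below is an added example, not the poster's or Symantec's code: it takes the LEEF template from the post, fills it with constructed sample values, reports the byte size and the per-variable contribution, and blanks the largest droppable variables (assumed here to be $INCIDENT_SNAPSHOT$ and $RULES$, since the snapshot URL and the rule list are usually the long ones) until the message fits. It assumes plain $NAME$ substitution and UTF-8 byte counting; how DLP actually expands the variables and whether the syslog header is counted in the limit are assumptions, so treat the numbers as estimates.

```python
import re

# LEEF message string exactly as posted in the question
LEEF_TEMPLATE = (
    "LEEF:1.0|Symantec|DLP|2:medium|$POLICY$|suser=$SENDER$|duser=$RECIPIENTS$"
    "|rules=$RULES$|matchCount=$MATCH_COUNT$|blocked=$BLOCKED$"
    "|incidentID=$INCIDENT_ID$|incidentSnapshot=$INCIDENT_SNAPSHOT$"
    "|subject=$SUBJECT$|fileName=$FILE_NAME$|parentPath=$PARENT_PATH$|path=$PATH$"
    "|quarantineParentPath=$QUARANTINE_PARENT_PATH$|scan=$SCAN$|target=$TARGET$"
)

# Limit taken from the error in the logs: "MAX_MESSAGE_SIZE: 1460"
MAX_MESSAGE_SIZE = 1460

VAR_RE = re.compile(r"\$([A-Z_]+)\$")

# Constructed sample incident values (not real data); the long snapshot URL
# and rule list are deliberately sized like a real incident's would be.
SAMPLE_VALUES = {
    "POLICY": "PCI Cardholder Data",
    "SENDER": "alice@example.com",
    "RECIPIENTS": ", ".join(f"user{i}@partner.example" for i in range(12)),
    "RULES": "; ".join(f"Rule {i}: credit card number pattern matched" for i in range(10)),
    "MATCH_COUNT": "37",
    "BLOCKED": "false",
    "INCIDENT_ID": "184223",
    "INCIDENT_SNAPSHOT": "https://dlp.example.internal/ProtectManager/IncidentDetail.do?"
    + "&".join(f"value(param_{i})=placeholder_value_{i}" for i in range(25)),
    "SUBJECT": "Q1 customer export",
    "FILE_NAME": "customers_q1.xlsx",
    "PARENT_PATH": "\\\\fileserver\\shares\\finance\\exports",
    "PATH": "\\\\fileserver\\shares\\finance\\exports\\customers_q1.xlsx",
    "QUARANTINE_PARENT_PATH": "",
    "SCAN": "",
    "TARGET": "Finance file share",
}


def render(template, values):
    """Substitute $NAME$ tokens; unknown names expand to an empty string.
    Assumption: DLP performs plain token substitution on the message string."""
    return VAR_RE.sub(lambda m: str(values.get(m.group(1), "")), template)


def message_size(template, values, encoding="utf-8"):
    """Size in bytes of the rendered message (UTF-8 assumed)."""
    return len(render(template, values).encode(encoding))


def field_sizes(template, values, encoding="utf-8"):
    """Bytes contributed by each variable's expansion, largest first."""
    sizes = {
        name: len(str(values.get(name, "")).encode(encoding))
        for name in VAR_RE.findall(template)
    }
    return sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)


def check(template, values, limit=MAX_MESSAGE_SIZE):
    """Return (fits, size, overshoot) for the rendered message."""
    size = message_size(template, values)
    return size <= limit, size, max(0, size - limit)


def trim_to_fit(template, values, limit=MAX_MESSAGE_SIZE,
                droppable=("INCIDENT_SNAPSHOT", "RULES")):
    """Blank out droppable variables, largest first, until the message fits.
    Returns (values_used, names_dropped); the caller re-checks the result."""
    working = dict(values)
    dropped = []
    for name, _ in field_sizes(template, working):
        if check(template, working, limit)[0]:
            break
        if name in droppable:
            working[name] = ""
            dropped.append(name)
    return working, dropped


if __name__ == "__main__":
    fits, size, over = check(LEEF_TEMPLATE, SAMPLE_VALUES)
    print(f"rendered size: {size} bytes, limit {MAX_MESSAGE_SIZE}, fits={fits}, over by {over}")
    for name, n in field_sizes(LEEF_TEMPLATE, SAMPLE_VALUES)[:5]:
        print(f"  ${name}$ contributes {n} bytes")
    trimmed, dropped = trim_to_fit(LEEF_TEMPLATE, SAMPLE_VALUES)
    print(f"dropped {dropped}; new size {message_size(LEEF_TEMPLATE, trimmed)} bytes")
```

With the constructed values the snapshot URL alone is most of the overshoot, so blanking only $INCIDENT_SNAPSHOT$ brings the message under the limit; the incident ID is still in the message, so the analyst can open the snapshot in the DLP console from QRadar. The 1460 figure is also the TCP MSS on a 1500-byte MTU link, which is a hint that the sender is sizing messages to fit one segment; whether the limit is configurable on the DLP side is not something the page tells us, so shortening the template is the fix that needs no change to the server.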

