
DLP syslogs to QRADAR SIEM

Created: 02 Apr 2013 • Updated: 02 Apr 2013 | 1 comment

We have set up a response rule to send high and medium events to QRADAR SIEM on port 514, but are getting the following errors: message too large (see below). Message string below:

LEEF:1.0|Symantec|DLP|2:medium|$POLICY$|suser=$SENDER$|duser=$RECIPIENTS$|rules=$RULES$|matchCount=$MATCH_COUNT$|blocked=$BLOCKED$|incidentID=$INCIDENT_ID$|incidentSnapshot=$INCIDENT_SNAPSHOT$|subject=$SUBJECT$|fileName=$FILE_NAME$|parentPath=$PARENT_PATH$|path=$PATH$|quarantineParentPath=$QUARANTINE_PARENT_PATH$|scan=$SCAN$|target=$TARGET$

Error logs:

Line 22178: Apr 1, 2013 11:05:11 AM (SEVERE) Thread: 16 [com.vontu.command.CommandRuntime.execute] Error executing command: syslog
Line 22179: com.vontu.command.CommandException: Unable to write to syslog: host=167.6.165.227, port=514
Line 22188: Caused by: com.vontu.util.syslog.SyslogException: Syslog message to large: size: 1683 MAX_MESSAGE_SIZE: 1460
Line 22189:          at com.vontu.util.syslog.SyslogMessage.makeBytes(SyslogMessage.java:141)
Line 22190:          at com.vontu.util.syslog.SyslogMessage.<init>(SyslogMessage.java:24)
Line 22191:          at com.vontu.util.syslog.Syslog.syslog(Syslog.java:45)

Line 22194: Apr 1, 2013 11:05:11 AM (SEVERE) Thread: 17 [com.vontu.command.CommandRuntime.execute] Error executing command: syslog
Line 22195: com.vontu.command.CommandException: Unable to write to syslog: host=167.6.165.227, port=514
Line 22204: Caused by: com.vontu.util.syslog.SyslogException: Syslog message to large: size: 1683 MAX_MESSAGE_SIZE: 1460
Line 22205:          at com.vontu.util.syslog.SyslogMessage.makeBytes(SyslogMessage.java:141)
Line 22206:          at com.vontu.util.syslog.SyslogMessage.<init>(SyslogMessage.java:24)
Line 22207:          at com.vontu.util.syslog.Syslog.syslog(Syslog.java:45)

Line 22475: Apr 2, 2013 7:08:47 AM (SEVERE) Thread: 28 [com.vontu.command.CommandRuntime.execute] Error executing command: syslog
Line 22476: com.vontu.command.CommandException: Unable to write to syslog: host=167.6.165.227, port=514
Line 22485: Caused by: com.vontu.util.syslog.SyslogException: Syslog message to large: size: 1711 MAX_MESSAGE_SIZE: 1460
Line 22486:          at com.vontu.util.syslog.SyslogMessage.makeBytes(SyslogMessage.java:141)
Line 22487:          at com.vontu.util.syslog.SyslogMessage.<init>(SyslogMessage.java:24)
Line 22488:          at com.vontu.util.syslog.Syslog.syslog(Syslog.java:45)

Line 22491: Apr 2, 2013 7:08:47 AM (SEVERE) Thread: 29 [com.vontu.command.CommandRuntime.execute] Error executing command: syslog
Line 22492: com.vontu.command.CommandException: Unable to write to syslog: host=167.6.165.227, port=514
Line 22501: Caused by: com.vontu.util.syslog.SyslogException: Syslog message to large: size: 1711 MAX_MESSAGE_SIZE: 1460
Line 22502:          at com.vontu.util.syslog.SyslogMessage.makeBytes(SyslogMessage.java:141)
Line 22503:          at com.vontu.util.syslog.SyslogMessage.<init>(SyslogMessage.java:24)
Line 22504:          at com.vontu.util.syslog.Syslog.syslog(Syslog.java:45)

Any help would be appreciated.

Thanks
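As an added example (not from the original post and not Symantec's code), the Python below renders the posted LEEF template with constructed sample incident values, measures the UTF-8 size against the MAX_MESSAGE_SIZE of 1460 reported in the log, and lists which template variables contribute the most bytes. The sample values, the placeholder snapshot URL and the 50-address recipient list are assumptions made up for the illustration.

```python
import re

MAX_MESSAGE_SIZE = 1460  # limit reported by SyslogException in the posted log
# LEEF template exactly as posted (header fields, then pipe-separated attributes)
TEMPLATE = ("LEEF:1.0|Symantec|DLP|2:medium|$POLICY$|suser=$SENDER$|duser=$RECIPIENTS$|"
            "rules=$RULES$|matchCount=$MATCH_COUNT$|blocked=$BLOCKED$|incidentID=$INCIDENT_ID$|"
            "incidentSnapshot=$INCIDENT_SNAPSHOT$|subject=$SUBJECT$|fileName=$FILE_NAME$|"
            "parentPath=$PARENT_PATH$|path=$PATH$|quarantineParentPath=$QUARANTINE_PARENT_PATH$|"
            "scan=$SCAN$|target=$TARGET$")
# Constructed sample incident (made-up values; a 50-address distribution list is the
# kind of content that quietly pushes one message past the limit)
SAMPLE = {
    "POLICY": "PCI Cardholder Data", "SENDER": "jdoe@example.invalid",
    "RECIPIENTS": ", ".join(f"user{i}@partner.invalid" for i in range(50)),
    "RULES": "Credit Card Numbers (Luhn); Keyword: confidential",
    "MATCH_COUNT": "37", "BLOCKED": "No", "INCIDENT_ID": "123456",
    "INCIDENT_SNAPSHOT": "https://dlp.example.invalid/incident/123456",  # placeholder URL
    "SUBJECT": "FW: Q1 customer export - please review before sending",
    "FILE_NAME": "customer_export_2013-03-31_final_v2.xlsx",
    "PARENT_PATH": r"\\fileserver\shares\finance\exports\2013\Q1",
    "PATH": r"\\fileserver\shares\finance\exports\2013\Q1\customer_export_2013-03-31_final_v2.xlsx",
    "QUARANTINE_PARENT_PATH": r"\\dlpquarantine\quarantine\2013\04\01",
    "SCAN": "Finance shares weekly scan", "TARGET": "Finance file server",
}

VAR = re.compile(r"\$([A-Z_]+)\$")

def render(template, values):
    """Substitute $NAME$ variables; names with no value are left untouched."""
    return VAR.sub(lambda m: values.get(m.group(1), m.group(0)), template)

def message_size(text):
    """Bytes on the wire (UTF-8), which is what MAX_MESSAGE_SIZE is compared against."""
    return len(text.encode("utf-8"))

def field_sizes(template, values):
    """Bytes each variable contributes to the rendered message, largest first."""
    sizes = [(n, message_size(values.get(n, f"${n}$"))) for n in VAR.findall(template)]
    return sorted(sizes, key=lambda kv: kv[1], reverse=True)

def check(template, values, limit=MAX_MESSAGE_SIZE):
    """Return (fits, size, bytes_over) for the template rendered with these values."""
    size = message_size(render(template, values))
    return size <= limit, size, max(0, size - limit)

if __name__ == "__main__":
    fits, size, over = check(TEMPLATE, SAMPLE)
    print(f"size={size} limit={MAX_MESSAGE_SIZE} fits={fits} over_by={over}")
    for name, n in field_sizes(TEMPLATE, SAMPLE)[:5]:
        print(f"  {name:<24}{n:>5} bytes")
```

Run against the values of a real incident that failed, the per-variable listing shows which fields to shorten or drop from the template so the rendered message stays under the limit.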

