Data Loss Prevention

  • 1.  Logs to view data exchange between DLP Enforce Server and Lookup Script

    Posted Oct 03, 2013 10:05 AM

    I created a DLP lookup script in PowerShell to plug into the DLP enforce server.

     

    From what I understand this is how everything is supposed to work

    1. User that is logged into the Enforce Server opens an incident and presses "Lookup"

    2. The Enforce Server will take "sender-ip=10.10.10.10" and send it as an input parameter to the lookup script

    3. The look-up script processes the IP address 10.10.10.10 and finds the last user logged on

    4. The look-up script determines that the last logged on user is CONTOSO\jsmith

    5. Look-up script sends Enforce Server the string value "userId=CONTOSO\jsmith"

    6. Enforce Server displays CONTOSO\jsmith next to userId

     

    Is this correct? Because there is some misunderstanding as to whether the Enforce Server is supposed to receive "userId=CONTOSO\jsmith", or the script should send a variable $userId, where $userId has the value CONTOSO\jsmith.

    I have modified the script such that it sends "userId=CONTOSO\jsmith", or it sends a variable $userId, where $userId has the value CONTOSO\jsmith, but nothing seems to work.

    That is why I need to view logs that show the actual data interaction between the DLP Enforce Server and the Lookup script, and whether there are any information, errors or warnings.

     

    Thank you



  • 2.  RE: Logs to view data exchange between DLP Enforce Server and Lookup Script
    Best Answer

    Trusted Advisor
    Posted Oct 03, 2013 10:42 AM

    Hello

    To view the exchange between Enforce and the custom plugin, you need to add the following lines to managerlogging.properties (in the config directory on Enforce). After updating these lines it is better to restart the Vontu services (not sure it is mandatory).

     

    # Custom Attribute Lookup Diagnostic Logging

    enforce.workflow.attributes.CustomAttributeLookup.level = FINEST

    lookup.level = FINEST

    lookup.script.level=FINEST

    logging.ServletLogHandler.level=FINEST

    manager.admin.workflow.attributes.level=FINEST

     

    Then all the information will be available in the Tomcat log files.

    Regards

     

    please tag this as solution if it helps.



  • 3.  RE: Logs to view data exchange between DLP Enforce Server and Lookup Script

    Posted Oct 07, 2013 10:55 AM

    Stephane,

     

    I also opened an incident, and the Engineer said the following:

     

    In V10 onward, the following settings need to be changed

     

    File  ManagerLogging.properties 

      com.vontu.logging.ServletLogHandler.level = FINEST 

      com.vontu.enforce.workflow.attributes.CustomAttributeLookup.level = FINEST 

      com.vontu.lookup.level = FINEST 

    File  IncidentPersisterLogging.properties 

      com.vontu.enforce.workflow.attributes.CustomAttributeLookup.level = FINEST 

      com.vontu.lookup.level = FINEST 

     

    The IncidentPersister and Manager logs should contain the references to the lookup.

     

    I am unable to find the IncidentPersister and Manager logs anywhere. I used the search function, manually checked the subfolders, etc.

     

    Thanks!
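
One way to confirm that the settings the engineer listed are actually present in both files before looking for log output, as an added example that is not part of the original posts or of Symantec's tooling. The logger names are copied from the post above; the function names and the sample file content are constructed for illustration.

```python
# Added example: required loggers per file, as quoted in the post above.
REQUIRED = {
    "ManagerLogging.properties": [
        "com.vontu.logging.ServletLogHandler.level",
        "com.vontu.enforce.workflow.attributes.CustomAttributeLookup.level",
        "com.vontu.lookup.level",
    ],
    "IncidentPersisterLogging.properties": [
        "com.vontu.enforce.workflow.attributes.CustomAttributeLookup.level",
        "com.vontu.lookup.level",
    ],
}

def parse_properties(text):
    """Parse simple Java .properties text into a dict (last assignment wins)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        # Java accepts '=' or ':' as the separator, with optional whitespace.
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def check_lookup_logging(file_name, text, wanted="FINEST"):
    """Return {logger: problem} for every required logger not set to `wanted`."""
    props = parse_properties(text)
    problems = {}
    for key in REQUIRED[file_name]:
        if key not in props:
            problems[key] = "missing"
        elif props[key] != wanted:  # level names are compared exactly
            problems[key] = "set to " + props[key]
    return problems

# Constructed sample: one logger still at INFO, one commented out.
SAMPLE_MANAGER = """\
# Custom Attribute Lookup Diagnostic Logging
com.vontu.logging.ServletLogHandler.level = FINEST
com.vontu.enforce.workflow.attributes.CustomAttributeLookup.level=INFO
#com.vontu.lookup.level = FINEST
"""

if __name__ == "__main__":
    found = check_lookup_logging("ManagerLogging.properties", SAMPLE_MANAGER)
    for key, why in found.items():
        print(key, "->", why)
```
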



  • 4.  RE: Logs to view data exchange between DLP Enforce Server and Lookup Script

    Trusted Advisor
    Posted Oct 07, 2013 11:04 AM

    The vontumanage and incidentpersister log files should be in the logs/debug directory.

    I don't know how it works in v10, so the Symantec engineer should be right.

    Did you restart the Vontu services so that this config update is taken into account?



  • 5.  RE: Logs to view data exchange between DLP Enforce Server and Lookup Script

    Posted Oct 07, 2013 12:31 PM

    I restarted vontu services.

     

    When I go to logs/debug directory, all I see are these files:

    [Screenshot: logs_debug_directory.png]

     

     

     

    And when I open vontumanage it shows the following:

     

    INFO   | jvm 1    | 2013/10/07 09:50:27 | line 1:71: unexpected token: null
    INFO   | jvm 1    | 2013/10/07 10:23:25 | line 1:71: unexpected token: null
    ERROR  | wrapper  | 2013/10/07 12:13:30 | Shutdown failed: Timed out waiting for signal from JVM.
    ERROR  | wrapper  | 2013/10/07 12:13:31 | JVM did not exit on request, terminated
    STATUS | wrapper  | 2013/10/07 12:13:31 | <-- Wrapper Stopped
    STATUS | wrapper  | 2013/10/07 12:15:18 | --> Wrapper Started as Service
    STATUS | wrapper  | 2013/10/07 12:15:18 | Java Service Wrapper Standard Edition 64-bit 3.5.15
    STATUS | wrapper  | 2013/10/07 12:15:18 |   Copyright (C) 1999-2012 Tanuki Software, Ltd. All Rights Reserved.
    STATUS | wrapper  | 2013/10/07 12:15:18 |     http://wrapper.tanukisoftware.com
    STATUS | wrapper  | 2013/10/07 12:15:18 |   Licensed to Symantec Corp. for VontuManager
    STATUS | wrapper  | 2013/10/07 12:15:18 |
    STATUS | wrapper  | 2013/10/07 12:15:20 | Launching a JVM...
    INFO   | jvm 1    | 2013/10/07 12:15:20 | WrapperManager: Initializing...
    INFO   | jvm 1    | 2013/10/07 12:15:53 | WrapperManager: The timer fell behind the system clock by 2,500 ms.
    INFO   | jvm 1    | 2013/10/07 12:21:46 | line 1:71: unexpected token: null
     



  • 6.  RE: Logs to view data exchange between DLP Enforce Server and Lookup Script

    Trusted Advisor
    Posted Oct 07, 2013 03:32 PM

    Did you check the Tomcat log files? In V11, I have all the dumped information shared between DLP and plugins available in them.