
Symantec DLP 11.5

Created: 07 Dec 2012 | 3 comments
jyo23

Hi,

I have Symantec DLP 11.5. I have to configure a syslog server on it and generate some logs of the same.

I have created a rule with the action "Log to a Syslog Server". In the message I have added some string in some syslog format, and I need to create logs/incidents of the same format. How can it be done?

Any suggestion would be recommendable.


Comments (3)

pete_4u2002

Does this help?

Enabling a syslog server

Syslog functionality sends Severe system events to a syslog server. Syslog servers allow system administrators to filter and route the system event notifications on a more granular level. System administrators who use syslog regularly for monitoring their systems may prefer to use syslog instead of alerts. Syslog may be preferred if the volume of alerts seems unwieldy for email. Syslog functionality is an on or off option. If syslog is turned on, all Severe events are sent to the syslog server.

To enable syslog functionality:

1. Go to the \Vontu\Protect\config directory on Windows or the /opt/Vontu/Protect/config directory on Linux.

2. Open the Manager.properties file.

3. Uncomment the #systemevent.syslog.host= line by removing the # symbol from the beginning of the line, and enter the hostname or IP address of the syslog server.

4. Uncomment the #systemevent.syslog.port= line by removing the # symbol from the beginning of the line. Enter the port number that should accept connections from the Enforce Server. The default is 514.

5. Uncomment the #systemevent.syslog.format= [{0}] {1} - {2} line by removing the # symbol from the beginning of the line. Then define the system event message format to be sent to the syslog server:

If the line is uncommented without any changes, the notification messages are sent in the format: [server name] summary - details. The format variables are:

■ {0} - the name of the server on which the event occurred

■ {1} - the event summary

■ {2} - the event detail

For example, the following configuration specifies that Severe system event notifications are sent to a syslog host named server1 which uses port 600.

systemevent.syslog.host=server1

systemevent.syslog.port=600

systemevent.syslog.format= [{0}] {1} - {2}

Using this example, a low disk space event notification from an Enforce Server on a host named dlp-1 would look like:

dlp-1 Low disk space - Hard disk space for incident data storage server is low. Disk usage is over 82%.
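As an added example (not from this thread or from Symantec's documentation), the script below reads the three systemevent.syslog.* settings from a Manager.properties fragment, previews the line an event produces under the configured "[{0}] {1} - {2}" format, and parses such a line back into its fields on the receiving side. The properties text and event values are constructed for illustration.

```python
import re

# Constructed sample of the Manager.properties lines discussed above
SAMPLE_PROPERTIES = """\
# systemevent.syslog.host=
systemevent.syslog.host=server1
systemevent.syslog.port=600
systemevent.syslog.format= [{0}] {1} - {2}
"""
PREFIX = "systemevent.syslog."
# Matches the default "[{0}] {1} - {2}" layout. The first " - " ends the summary,
# so a summary that itself contains " - " would be split in the wrong place.
LINE_RE = re.compile(r"^\[(?P<server>[^\]]+)\] (?P<summary>.+?) - (?P<detail>.*)$")


def load_syslog_settings(text):
    """Return the uncommented systemevent.syslog.* keys as a dict.
    Lines still starting with '#' are skipped, mirroring the 'uncomment' steps,
    and values are stripped as the Java properties loader does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith(PREFIX):
            settings[key[len(PREFIX):]] = value.strip()
    return settings


def syslog_target(settings):
    """(host, port) tuple, applying the documented default port of 514."""
    port = int(settings.get("port", 514))
    if not 1 <= port <= 65535:
        raise ValueError("syslog port out of range: %d" % port)
    return settings["host"], port


def render_event(fmt, server, summary, detail):
    """Preview the line an event produces under the configured format."""
    return fmt.replace("{0}", server).replace("{1}", summary).replace("{2}", detail)


def parse_event(line):
    """Split a received line into server/summary/detail for SIEM rules;
    None when the line does not follow the default format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    cfg = load_syslog_settings(SAMPLE_PROPERTIES)
    line = render_event(cfg["format"], "dlp-1", "Low disk space", "Disk usage is over 82%.")
    print(syslog_target(cfg), line, parse_event(line))
```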

jyo23

Thanks a lot Pete, it was helpful.

But I have one query: how to generate incidents using syslog?

I tried the settings in the Manager.properties file but could not generate incidents.

Can you help me on that?

kishorilal1986

Hi JYO,

Please refer below.

You have the option to send severe Vontu system events to a syslog server. To do this you must modify the config\Manager.properties file. You can also configure Vontu to send email notifications of severe system events.

For details, open the Vontu online help and go to Administration>System>Alerts>Alerts 

To enable syslog logging:

1. Locate and open the config\Manager.properties file.

2. Uncomment the following lines:

  • #systemevent.syslog.host=
  • #systemevent.syslog.port=
  • #systemevent.syslog.format= [{0}] {1} - {2}

3. Type values for each of these parameters, as follows:

  • host—syslog server host or IP address
  • port—syslog server port number (default is 514)
  • format—log file message format. Specify one or more of the following indicators:

{0}—includes the name of the server on which the event occurred

{1}—includes a brief summary of the event