Data Loss Prevention

Hi tech guys

          i am stuggling to find out the error and Critical Syslogs samples or Event IDs  generated by the Symantec DLP.

       So ,please help me to find out the same

Thanks in Advance 

Hei Guys

Please reply

·       

Take a look at the help file.  If you are in the Event section and click on Help and then look for "System event Codes and Messages"

The list below are what I commonly setup from a notification point of view

1004:  Monitor stopped: The Vontu Monitor service has stopped on one of the servers, the alert will contain which server the service has stopped on

·         1005: Local monitor stopped:  All monitor process have been stopped, the aler will contain which server this has stopped on

·         1006: {0} failed to start: Some process can’t be started, {0} will list the process that can’t be started

·         1007: {0} restarts excessively: Process {0} has restarted {1} times during the last {2} minutes, will include which process is restarting excessively

·         1302: File reader failed to start:  Error starting the file reader no incidents will recorded until the file reader has started

·         1800: Incident Persister is unable to process incident: Presister ran out of memory processing incident, needs to be resolved before the incident will be written to the system

·         1801:  Incident Persister failed to process incident {0}: A corrupted incident or the persister ran out of memory when processing an incident

·         2300: Low disk space: Hard disk space is low.  Symantec DLP Enforce Server disk usage is over {0}%

·         2301: Tablespace is almost full: The Oracle database tablespace is over {1}% full.  The database administrator will need to adjust the disk space or tablespace

·         2701: Monitor controller service was stopped

Thanks for your Response Jjesse

   I want you to clarify the messages those you mentioned are syslog format or any other.can i consider that as a syslog format??

Can you advice me to differentiate the critical ,error and informational Logs??

thanks in advance  

Hi Sahaba, Jjsee has given enough info but still whatever event occured on any DLP servers having some event ID which u can config for sys alert

There are a lot of posts on Connect about sending to a syslog server.

This is a linke I've used in the past as it talks about sending events to Splunk: http://aps.splunk.com/app/1314 and contains an example response rule.

Critical information is really up to you.  The events you deem critical may be different than the events I deem critical.

Event alerts aren't sent as response rules they are sent as ntoifications.  So you can send an email based on an event

Thanks lot JJesse

 I am not able to access the URL

Hi Sahaba,

Please refer Admin Guide for DLP V 12.0 on page no: 157 also rfere below

1004 Monitor stopped All monitor processes have been stopped.

1005 Local monitor stopped Process {0} can't be started. See log files for more detail.

1006 {0} failed to start Process {0} has restarted {1} times during last {2} minutes.

1007 {0} restarts excessively {0} process went down before it had fully started.

1008 {0} is down {0} process was restarted because it went down unexpectedly.

Dear Sharma

I have old version's admin guide only (v11),So   please provide me the link to download the Admin Guide for DLP V 12.0

Thanks alot

The DLP 12.0 Admin guide is part of the documentation zip file that you can download from File Connect.  If your license and maintance is still valid request the upgrade through the licensing portal and then you will be able to download the new files including the admin guide

Sorry about that, copy and paste must have broken.  Just google Splunk Symantec DLP and there will be documetnation on how to set it up

Hi Kishorilal

event IDand description which you have provided above is not matching at all.

please let me know if i am wrong.