Data Loss Prevention

  • 1.  DLP endpoint server not able to pull logs from system with DLP endpoint agent in different domain.

    Posted Jun 20, 2014 12:46 PM

    I have a Windows Server 2008 R2 on which the DLP Endpoint agent is installed, and it is in a different domain than the Endpoint server. (The Endpoint server and Enforce server are in the same LAN.)

    Port 8000 is open on the Endpoint server and I am able to portping from the Windows server, but still I am unable to receive any logs, and the netstat command (netstat -ano | findstr "8000") does not produce any output on the Windows server.

    I can see the logs from other servers with the same hardware and configuration in the same LAN.

    I wanted to ask some questions for troubleshooting:

    1. Can Endpoint server forcefully pull logs from that windows server?

    2. Can we manually pull the logs from windows server?

    3. Is the Endpoint agent capable of working cross-domain (between 2 different domains)?

    A little help is appreciated.

    Thanks in advance.



  • 2.  RE: DLP endpoint server not able to pull logs from system with DLP endpoint agent in different domain.

    Broadcom Employee
    Posted Jun 23, 2014 01:22 PM

    Hello,

    We expect a persistent connection to the Endpoint Server from the Agent on port 8000. Do you perhaps have a Windows firewall on either server? If the Server is unable to communicate with the Agent, you will not be able to pull logs. You can log in to the server (Agent) and use the Endpoint Tools to de-obfuscate the logs.

    The log file on the Endpoint Agent (edpa_ext0.log) is obfuscated/encrypted.  Is there a way to view the Endpoint Agent log file?

    Solution

    A log viewer tool is available that allows you to view the agent log.  This logdump utility is located within the VontuAgentInstaller.zip file.

    The logdump executable must be executed in the directory containing both the keystore file (ks.ead) and log file (edpa_ext0.log) from the same agent.

    How to execute the logdump tool:

    1. Open a command prompt.
    2. cd to the directory where the ks.ead and edpa_ext0.log files are present.
    3. Type the following command:

    logdump -log=edpa_ext0.log -p=VontuStop > log.txt

    The log.txt will contain the deobfuscated logs.

    If the password is not entered at the command line, the tool will prompt you for a password. The default password for the tool is VontuStop. If you have set a different password, then you should use that password instead.

    Note: All Endpoint tools are located in the installation package in the Tools directory.

    Best,

    Ryan
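    The thread distinguishes two things that are easy to conflate: the port being reachable (a successful portping) and the agent actually holding its persistent session to the Endpoint Server on port 8000 (what netstat should show). The following PowerShell diagnostic, added here and not part of the thread or of Symantec's tooling, checks both on the agent host; it assumes the Endpoint Server name and port are passed as parameters and uses only netstat and Get-Process so it also runs on Windows Server 2008 R2.

```powershell
# Added diagnostic (not from the thread or from Symantec): separates
# "port 8000 is reachable" from "the agent holds an ESTABLISHED session".
# Assumption: the Endpoint Server name/IP is passed in; default port 8000.
param(
    [Parameter(Mandatory=$true)][string]$EndpointServer,
    [int]$Port = 8000
)

# 1. Can this host resolve the server name and open a TCP connection at all?
#    This is what a successful portping proves, and nothing more.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($EndpointServer) | ForEach-Object { $_.IPAddressToString }
    Write-Host "Resolved $EndpointServer to: $($addrs -join ', ')"
} catch {
    Write-Host "Name resolution for $EndpointServer FAILED: $($_.Exception.Message)"
}
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($EndpointServer, $Port)
    Write-Host "TCP connect to ${EndpointServer}:${Port} succeeded (port is reachable)."
} catch {
    Write-Host "TCP connect to ${EndpointServer}:${Port} FAILED: $($_.Exception.Message)"
} finally {
    $client.Close()
}

# 2. Does any local process currently hold an ESTABLISHED session to that port?
#    netstat -ano TCP columns: Proto  Local Address  Foreign Address  State  PID
$sessions = netstat -ano |
    Where-Object { $_ -match '^\s*TCP\s' } |
    ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        New-Object PSObject -Property @{ Local = $f[1]; Remote = $f[2]; State = $f[3]; PID = [int]$f[4] }
    } |
    Where-Object { $_.Remote -match ":$Port$" -and $_.State -eq 'ESTABLISHED' }

if (-not $sessions) {
    # Reachable but no session: the agent process is not connecting; look at the
    # Windows Firewall on both hosts and at the agent log (edpa_ext0.log).
    Write-Host "No ESTABLISHED session to port $Port on this host."
} else {
    foreach ($s in $sessions) {
        $proc = Get-Process -Id $s.PID -ErrorAction SilentlyContinue
        Write-Host ("{0} -> {1} held by PID {2} ({3})" -f $s.Local, $s.Remote, $s.PID, $proc.ProcessName)
    }
}
```

    Run it as an administrator on the agent host (for example .\Check-AgentSession.ps1 -EndpointServer endpoint01); a reachable port with no ESTABLISHED session is the symptom described in the original question.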



  • 3.  RE: DLP endpoint server not able to pull logs from system with DLP endpoint agent in different domain.

    Posted Jul 01, 2014 06:59 AM

    Use the Collection tab of the Logs screen (System > Servers > Logs) to collect log files and configuration files from one or more Symantec Data Loss Prevention servers. You can collect files from a single detection server or from all detection servers, as well as from the Enforce Server computer. You can limit the collected files to only those files that were last updated in a specified range of dates.

    The Enforce Server administration console stores all log and configuration files that you collect in a single ZIP file on the Enforce Server computer. If you retrieve files from multiple Symantec Data Loss Prevention servers, each server's files are stored in a separate subdirectory of the ZIP file.

    Operational, debug, and trace log files are stored in the server_identifier/logs subdirectory of the ZIP file. server_identifier identifies the server that generated the log files, and it corresponds to one of the following values:

    If you collect log files from the Enforce Server, Symantec Data Loss Prevention replaces server_identifier with the string Enforce. Note that Symantec Data Loss Prevention does not use the localized name of the Enforce Server.

    If a detection server's name includes only ASCII characters, Symantec Data Loss Prevention uses the detection server name for the server_identifier value.

    If a detection server's name contains non-ASCII characters, Symantec Data Loss Prevention uses the string DetectionServer-ID-id_number for the server_identifier value. id_number is a unique identification number for the detection server.

    If you collect agent service log files or operational log files from an Endpoint Prevent server, the files are placed in the server_identifier/agentlogs subdirectory. Each agent log file uses the individual agent name as the log file prefix.

    Follow this procedure to collect log files and log configuration files from Symantec Data Loss Prevention servers.

    To collect log files from one or more servers

    Click the Collection tab if it is not already selected.
    Use the Date Range menu to select a range of dates for the files you want to collect. Note that the collection process does not truncate downloaded log files in any way. The date range limits collected files to those files that were last updated in the specified range.
    To collect log files from the Enforce Server, select one or more of the checkboxes next to the Enforce Server entry to indicate the type of files you want to collect.
    To collect log files from one or all detection servers, use the Select a Detection Server menu to select either the name of a detection server or the Collect Logs from All Detection Servers option. Then select one or more of the checkboxes next to the menu to indicate the type of files you want to collect.
    Click Collect Logs to begin the log collection process.
    The administration console adds a new entry for the log collection process in the Previous Log Collections list at the bottom of the screen. If you are retrieving many log files, you may need to refresh the screen periodically to determine when the log collection process has completed.

    Note: You can run only one log collection process at a time.

    To cancel an active log collection process, click Cancel next to the log collection entry. You may need to cancel log collection if one or more servers are offline and the collection process cannot complete. When you cancel the log collection, the ZIP file contains only those files that were successfully collected.
    To download collected logs to your local computer, click Download next to the log collection entry.
    To remove ZIP files stored on the Enforce Server, click Delete next to a log collection entry.



  • 4.  RE: DLP endpoint server not able to pull logs from system with DLP endpoint agent in different domain.

    Posted Jul 02, 2014 08:33 AM
    Hi Ryan, thanks for your reply. We do have a firewall on the Windows server, and we also tested it by opening all the ports; still we are unable to get the persistent connection. The log file which you are talking about has been shared with the Symantec support team, but they are unable to find any meaningful data in it. I just wanted to know if the DLP endpoint agent works cross-domain, because we are able to receive logs when the server is behind the firewall, but as soon as we add it to the domain the connection goes off. It will be helpful if you can provide an article about the cross-domain functionality of the DLP endpoint agent.


  • 5.  RE: DLP endpoint server not able to pull logs from system with DLP endpoint agent in different domain.

    Posted Jul 02, 2014 08:55 AM
    Hi Lion, thanks for your reply. We are not able to view the Windows server which is in a different domain on our DLP console, so we won't be able to pull the logs. In our internal troubleshooting we found that when the server is behind the firewall it is reporting to our Enforce console, but as soon as we add it to the domain the connection goes off. We think the issue might be with the cross-domain setup. Please let us know if the DLP endpoint agent has the capability of working cross-domain. An article on DLP endpoint agent functionality would be appreciated. Thanks.