Data Loss Prevention

  • 1.  DLP v14 Network Discovery FileReader failing to start

    Posted Jul 29, 2015 10:00 AM

    Hello all,

    We have a Linux deployment of DLP v14, where for all intents and purposes the Enforce server seems to be running properly. The Enforce server is running the Enforce console and the Oracle database. There will be detection servers on their own Linux server connecting back to the Enforce server.

    As I said, the installation of the Oracle and Enforce software completed successfully and seem to be running properly.

    The first detection server installed was the Network Discovery. The install completed properly, the VontuMonitor and VontuUpdate services start after a reboot or when manually restarted. Our problem is, the filereader does not start. It attempts to and keeps failing.

    Both the Enforce and Network Discovery servers are running firewalls to "hide" the ability to VNC into them and force the use of VNC tunneling through SSH. On the Network Discovery server, port 8100 is open (nmap scans show it to be open and available). And the Network Discovery server was successfully added to the Enforce GUI. Wireshark was run on both servers at the same time to check the communications between the servers, and traffic was seen flowing between the Enforce and Network Discovery on port 8100 (pcaps available if needed). The directories SymantecDLP in /opt, /var, and /var/log have been chowned to protect:protect.

    Here is how the user and group protect are set up:

    [root@xxxx]# grep protect /etc/passwd
    protect:x:1001:1001::/home/protect:/bin/bash
    [root@xxxx]# grep protect /etc/group
    protect:x:1001:
    [root@xxxx]#

    The filereader on the Network Discovery server just will not start.

    Anyone have a fix?

    Attached is the section of the FileReader0.log from the Network Discovery server showing an attempt to start the filereader.




  • 2.  RE: DLP v14 Network Discovery FileReader failing to start

    Trusted Advisor
    Posted Jul 29, 2015 12:40 PM

    Seswho,

    Is this a Network Discover or Network Monitor Server???

    If it is the Network Monitor server, did you select the NIC card it will monitor? Make sure to look at the configuration and check the right box.

    If the detection server is on Linux, did you install all of the right RPMs on the detection server??

     

    apr
    apr-util
    compat-libstdc++-296
    compat-libstdc++-33
    expat
    libicu

     

    Red Hat Enterprise Linux versions 6.4, 6.5, and 6.6 have these additional
    dependencies:
    compat-openldap
    compat-expat1
    compat-db43
    openssl098e

     

    If you have installed all of the right packages, then it might be due to the server's configuration.

    How much RAM does the server have?? Over 8GB?

    You may need to increase the Java Settings..

    Go to the Network Discover server and edit a file in the \opt\SymantecDLP\protect\config directory.

    Edit the VontuMonitor.config file and increase the Java Heap Size (Search for Heap)

    I believe the settings are 

    Initial: 256 - Change it to 512

    Max Heap: 512 - Change this to 1024 or 2048.

    Then restart the VontuMonitor service.

    Good Luck

    Ronak

    IF THIS ANSWERS YOUR QUESTION PLEASE MARK THIS AS SOLVED
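
    The package check from the reply above, as an added example that is not part of the original thread: a shell function that reports which of the listed RPMs are missing on a detection server. The function name `missing_dlp_rpms` and the idea of feeding it the installed package names on stdin are assumptions made for this example; the package names are the ones listed in the reply.

```shell
#!/bin/sh
# Base packages listed in the reply above.
BASE_PKGS="apr apr-util compat-libstdc++-296 compat-libstdc++-33 expat libicu"
# Additional dependencies the reply lists for RHEL 6.4, 6.5 and 6.6.
RHEL6_PKGS="compat-openldap compat-expat1 compat-db43 openssl098e"

# missing_dlp_rpms RELEASE   (hypothetical helper, added for this example)
# Reads installed package names, one per line, on stdin and prints each
# required package that is absent. Returns 1 if anything is missing.
missing_dlp_rpms() {
    release=$1
    required=$BASE_PKGS
    case $release in
        6.4|6.5|6.6) required="$required $RHEL6_PKGS" ;;
    esac

    installed=$(cat)
    status=0
    for pkg in $required; do
        # -x matches the whole line so "expat" is not satisfied by
        # "compat-expat1"; -F keeps the "+" in compat-libstdc++ literal.
        if ! printf '%s\n' "$installed" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$pkg"
            status=1
        fi
    done
    return $status
}

# Typical use on the detection server (RHEL 6.5 shown):
#   rpm -qa --qf '%{NAME}\n' | missing_dlp_rpms 6.5
```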



  • 3.  RE: DLP v14 Network Discovery FileReader failing to start

    Posted Jul 30, 2015 11:34 AM

    Thank you for the pointers.

    This is a Network Discover/Cloud Discover server.

    A few of the packages were missing from the OS and were installed.

    Restarted the VontuMonitor service and the same errors popped.

    The server has 5GB of ram, I'm going to check to see if I can get more memory for it.

     

    On a side note, have you noticed the newest version of Firefox is not supported by DLP v14?



  • 4.  RE: DLP v14 Network Discovery FileReader failing to start

    Posted Aug 05, 2015 09:41 AM

    Firefox 39.0 works fine here with Enforce 14.0.0



  • 5.  RE: DLP v14 Network Discovery FileReader failing to start

    Posted Aug 25, 2015 11:47 AM

    Probably not related, but may be useful.

     

    I had a Derby Database failure "file reader failed to start" on one of my network detect servers (Windows 2008 R2). I think it may have been related to the DLP data drive being full, but not sure.

     

    I had to uninstall and then reinstall the detection server to get it (File Reader) to run.

     

    Code 1302
    Summary File Reader failed to start
    Detail Error starting File Reader. An unexpected error occurred while trying to connect to the Derby database. DerbyDatabase [MONITOR\INCREMENTAL_INFO, 289045778]. Unable to create table to track servers requiring incremental index changes No incidents will be detected


  • 6.  RE: DLP v14 Network Discovery FileReader failing to start

    Trusted Advisor
    Posted Aug 27, 2015 02:01 PM

    Restart the Monitor Controller on the Enforce server. It might be the issue.

    Also make sure that there are no running Discover scans. If so, make sure to stop them and also force them to do a full scan for all targets. It may be that the incremental DB is corrupted.

     

    Good luck

     

    Ronak

    Please make sure to mark this as a solution to your problem, when possible.



  • 7.  RE: DLP v14 Network Discovery FileReader failing to start

    Posted Sep 28, 2015 09:44 AM

    Did you change your network configuration recently (IP address)? If so, just open the Enforce console and go to that server and update your IP settings for that detection server from advanced settings.

    Regards,

    Fadi



  • 8.  RE: DLP v14 Network Discovery FileReader failing to start

    Trusted Advisor
    Posted Sep 28, 2015 03:58 PM

    Seswho,

    One thing to think about is also the permissions on the files.

    Did you upgrade this from a previous version?

    Since you are on Linux you need to make sure you run the POST upgrade scripts. These are outlined in the upgrade documents. There is a directory under Protect that has a post upgrade script that needs to be run as root to apply the right permissions.

    Also make sure you are installing the application using the ROOT account and not a local admin account.

    Permissions are VERY important with DLP.

    Good Luck

    Ronak

    Please make sure to mark this as a solution to your problem, when possible.