Data Loss Prevention

  • 1.  Sample Syslog-DLP

    Posted May 13, 2014 05:52 AM

    Hi All

    Please help me to find out the solution.

    I have been searching for the sample syslog format of any incident happening on Symantec DLP, like when an account has been locked out or a document removed by someone and so forth. I just need to understand the exact format and variables contained in a log entry.

    Thanks in advance. All inputs will be highly appreciated.



  • 2.  RE: Sample Syslog-DLP

    Posted May 13, 2014 10:37 AM

    There is a Splunk App (http://apps.splunk.com/app/1314/) for DLP specifically, and they have an example of what the documentation looks like.

    This is the sample text:

    Host = IP address for the indexer

    Port = Listening udp port on the indexer

    Message = ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$

    Level = 7 - Debugging
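
As an added example (not from this thread, the Splunk app or Symantec's documentation), here is a Python parser for incident lines produced with the message template above, written so that a SIEM pipeline copes with values that themselves contain commas (several recipients, a subject line). The sample message, the syslog header, the hostname and the timestamp are all constructed.

```python
import re

# Field labels in the order they appear in the response-rule message template quoted above.
# Values such as Recipient (several addresses) or Subject may contain ", " themselves, so the
# parser anchors on the known labels instead of splitting the line on commas.
LABELS = ["ID", "Policy Violated", "Count", "Protocol", "Recipient", "Sender",
          "Severity", "Subject", "Target", "Filename", "Blocked", "Endpoint"]

# One regex over the whole template: every value is matched lazily and stops at the
# following ", <Label>: " (or at the end of the line for the last field).
_TEMPLATE_RE = re.compile(
    r",\s*".join(rf"{re.escape(lbl)}:\s*(?P<{lbl.replace(' ', '_')}>.*?)" for lbl in LABELS)
    + r"\s*$"
)

# Constructed sample: the template filled in with made-up values. "Recipient" holds two
# addresses and "Subject" contains a comma, the two cases a naive split would break on.
SAMPLE_MESSAGE = (
    "ID: 48211, Policy Violated: PCI - Credit Card Numbers, Count: 3, Protocol: SMTP, "
    "Recipient: partner@example.org, billing@example.org, Sender: jdoe@example.com, "
    "Severity: High, Subject: Q2 invoices, final, Target: mail.example.org, "
    "Filename: invoices.xlsx, Blocked: true, Endpoint: WKSTN-042"
)
# The same message as it might arrive at a collector with a BSD-style syslog header prepended;
# <15> is facility user (1*8) plus severity 7 (Debugging), matching "Level = 7" above.
# The timestamp and hostname are invented.
SAMPLE_SYSLOG_LINE = "<15>May 13 05:52:01 dlp-enforce DLP: " + SAMPLE_MESSAGE


def parse_dlp_message(line: str) -> dict:
    """Return the template fields of one DLP incident line, or raise if it does not match.

    Works on the bare message and on a line carrying a syslog header, because the match
    is anchored on the first "ID:" label rather than on the start of the line.
    """
    m = _TEMPLATE_RE.search(line)
    if m is None:
        raise ValueError("line does not follow the DLP response-rule message template")
    fields = {lbl: m.group(lbl.replace(" ", "_")).strip() for lbl in LABELS}
    # Normalise the two fields a detection rule would most often filter on.
    fields["Count"] = int(fields["Count"])
    fields["Blocked"] = fields["Blocked"].lower() in ("true", "yes", "1")
    return fields


if __name__ == "__main__":
    for key, value in parse_dlp_message(SAMPLE_SYSLOG_LINE).items():
        print(f"{key:16} {value}")
```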



  • 3.  RE: Sample Syslog-DLP

    Posted May 14, 2014 12:57 AM

    Hi jjesse

    Thanks for your input and effort,

    I guess this is just the syntax. Can you give a sample log for the following incident?

    Code    Name              Description
    1014    Low disk space    Hard disk space is low. Symantec Data Loss Prevention server disk usage is over {0}%.

    Thanks again



  • 4.  RE: Sample Syslog-DLP

    Posted May 14, 2014 10:05 AM

    Ah ok, you are looking to send the alerts that happen in DLP to the syslog instead of the actual DLP incidents.

    The syntax I sent you was for sending the actual DLP incidents into the syslog server.

    So what you would need to do is create an alert to send to an email that the syslog server can access.



  • 5.  RE: Sample Syslog-DLP

    Posted May 15, 2014 01:17 AM

    Thanks for your reply

    Please provide me the sample log for the sample incident posted. That's what I want to be clear on.

    Thanks in advance



  • 6.  RE: Sample Syslog-DLP

    Posted May 15, 2014 02:57 AM

    Thanks Jjesse,

    Can you explain the variables matching the event details listed below.

    Like $INCIDENT_ID$=1014

    I am not sure, please clarify.

    Message = ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$

    Code    Name              Description
    1014    Low disk space    Hard disk space is low. Symantec Data Loss Prevention server disk usage is over {0}%.



  • 7.  RE: Sample Syslog-DLP

    Posted May 15, 2014 09:58 AM

    I think we are still talking about different items.

    The Event Code notification would be generated through an alert, which can be managed under System -> Servers -> Alerts; that is where you specify the alerts on the error codes and where an email is sent. So you would send that alert code (1014) to an email box the syslog server was watching, and then that would be processed as a syslog event.

    The item that I posted above is about generating a response rule to send incident information into a syslog server. So you would create a response rule with the items listed above and attach that to a policy, which would then send incident data to the syslog server.



  • 8.  RE: Sample Syslog-DLP

    Broadcom Employee
    Posted May 15, 2014 11:53 AM

    We do not have a mechanism to send Event Codes to Syslog. The only option we have is to send an email. If your Syslog server can accept an email then your solution is to configure the emails in System -> Servers -> Alerts.