
Symantec DLP

Key facts

  • Requires vendor product by source configuration
  • Legacy BSD Format default port 514
Ref Links

Splunk Add-on for Symantec DLP https://splunkbase.splunk.com/app/3029/
Source doc https://knowledge.broadcom.com/external/article/159509/generating-syslog-messages-from-data-los.html

Sourcetypes

| sourcetype | notes |
|---|---|
| symantec:dlp:syslog | None |

Index Configuration

| key | sourcetype | index | notes |
|---|---|---|---|
| symantec_dlp | symantec:dlp:syslog | netdlp | none |

Option 1: Correct Source syslog formats

Syslog Alert Response

Log in to Symantec DLP and edit the Syslog Response rule. The default configuration will appear as follows:

$POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$

DO NOT replace the text; prepend the following literal to it:

SymantecDLPAlert: 

Result (note the space between ':' and '$'):

SymantecDLPAlert: $POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$

Syslog System events

  • Navigate to the installed directory, for example <drive>:\SymantecDLP\Protect\config directory on Windows or the /opt/SymantecDLP/Protect/config directory on Linux.
  • Open the Manager.properties file.
  • Comment out any uncommented line starting with systemevent.syslog.format
  • Add the following line: systemevent.syslog.format= {0.EN_US} SymantecDLP: {1.EN_US} - {2.EN_US}
  • Restart Symantec DLP
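The two formats configured above are easy to get subtly wrong (the missing space after `SymantecDLPAlert:` is the usual one), and a changed field list silently breaks downstream field extraction. The following Python is an added example, not part of this page or of SC4S, that checks a Syslog Response template against the default token order, splits alert and system-event lines into their fields, and applies the Manager.properties edit as a text transform. The sample lines are constructed, and the names `level`, `source` and `message` are this example's labels for the `{0}`, `{1}` and `{2}` placeholders, whose contents the page does not describe.

```python
import re
from typing import Optional

# Token order of the default Syslog Response rule shown on this page.
ALERT_FIELDS = [
    "POLICY", "INCIDENT_ID", "SUBJECT", "SEVERITY", "MATCH_COUNT", "RULES",
    "SENDER", "RECIPIENTS", "BLOCKED", "FILE_NAME", "PARENT_PATH", "SCAN",
    "TARGET", "PROTOCOL", "INCIDENT_SNAPSHOT",
]
ALERT_PREFIX = "SymantecDLPAlert: "  # the trailing space is part of the literal
ALERT_DELIM = "^^"
DEFAULT_TEMPLATE = ALERT_DELIM.join(f"${f}$" for f in ALERT_FIELDS)
TOKEN_RE = re.compile(r"\$[A-Z_]+\$")

# Line shape produced by the Manager.properties setting below. The group names
# are this example's own labels; the page does not say what {0}, {1}, {2} hold.
SYSTEM_EVENT_FORMAT = "systemevent.syslog.format= {0.EN_US} SymantecDLP: {1.EN_US} - {2.EN_US}"
SYSTEM_EVENT_RE = re.compile(r"(?P<level>\S+) SymantecDLP: (?P<source>.+?) - (?P<message>.*)$")


def check_template(template: str) -> list:
    """Return the problems found in a Syslog Response template, [] if it is correct."""
    problems = []
    bare = ALERT_PREFIX.rstrip()
    if template.startswith(ALERT_PREFIX):
        rest = template[len(ALERT_PREFIX):]
    elif template.startswith(bare):
        problems.append("missing space after 'SymantecDLPAlert:'")
        rest = template[len(bare):]
    else:
        problems.append("literal 'SymantecDLPAlert: ' not prepended")
        rest = template
    if TOKEN_RE.findall(rest) != TOKEN_RE.findall(DEFAULT_TEMPLATE):
        problems.append("field list differs from the default template")
    return problems


def parse_alert(line: str) -> Optional[dict]:
    """Split a SymantecDLPAlert message into its fields; None if it is not one."""
    start = line.find(ALERT_PREFIX)  # tolerate a syslog header before the message
    if start < 0:
        return None
    parts = line[start + len(ALERT_PREFIX):].split(ALERT_DELIM)
    if len(parts) != len(ALERT_FIELDS):
        return None  # field count mismatch: the template was altered
    return dict(zip(ALERT_FIELDS, parts))


def parse_system_event(line: str) -> Optional[dict]:
    """Match the '{0} SymantecDLP: {1} - {2}' system event shape."""
    m = SYSTEM_EVENT_RE.search(line)
    return m.groupdict() if m else None


def classify(line: str):
    """Tell which of the two formats a line is in, for a post-change sanity check."""
    alert = parse_alert(line)
    if alert is not None:
        return "alert", alert
    event = parse_system_event(line)
    if event is not None:
        return "system", event
    return "unknown", None


def update_manager_properties(text: str) -> str:
    """Apply the Manager.properties steps: comment out every active
    systemevent.syslog.format line, then append the SC4S-compatible one."""
    out = []
    for line in text.splitlines():
        if line.lstrip().startswith("systemevent.syslog.format"):
            out.append("#" + line)
        else:
            out.append(line)
    out.append(SYSTEM_EVENT_FORMAT)
    return "\n".join(out) + "\n"


# Constructed sample lines (not real product output) for a stand-alone run.
SAMPLE_ALERT = (
    "<13>Mar  1 10:15:22 dlp-enforce SymantecDLPAlert: PCI-DSS^^12345^^Quarterly report"
    "^^High^^3^^Credit Card Numbers^^alice@example.com^^bob@example.com^^Yes"
    "^^report.xlsx^^/home/alice^^-^^-^^SMTP^^https://dlp.example.com/incident/12345"
)
SAMPLE_EVENT = "<13>Mar  1 10:16:02 dlp-enforce INFO SymantecDLP: Enforce Server - Incident Persister started"

if __name__ == "__main__":
    print(check_template("SymantecDLPAlert:" + DEFAULT_TEMPLATE))
    for sample in (SAMPLE_ALERT, SAMPLE_EVENT):
        print(classify(sample))
```

Run `check_template` on the exact string pasted into the Syslog Response rule before saving it, and feed a few captured lines to `classify` after the restart: anything that comes back `unknown` will not be recognised by the SC4S parser either.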

Option 2: Manual Vendor Product by source Parser Configuration

#/opt/sc4s/local/config/app-parsers/app-vps-symantec_dlp.conf
# The file name is a suggestion; it must be globally unique.

application app-vps-test-symantec_dlp[sc4s-vps] {
    filter {
        # Uncomment and adapt one of these to match the DLP hosts
        #netmask(169.254.100.1/24)
        #host("-esx-")
    };
    parser {
        p_set_netsource_fields(
            vendor('symantec')
            product('dlp')
        );
    };
};