Symantec DLP¶
Key facts¶
- Requires vendor product by source configuration
- Legacy BSD Format default port 514
Links¶
Ref | Link |
---|---|
Splunk Add-on Symatec DLP | https://splunkbase.splunk.com/app/3029/ |
Source doc | https://knowledge.broadcom.com/external/article/159509/generating-syslog-messages-from-data-los.html |
Sourcetypes¶
sourcetype | notes |
---|---|
symantec:dlp:syslog | None |
Index Configuration¶
key | sourcetype | index | notes |
---|---|---|---|
symantec_dlp | symantec:dlp:syslog | netdlp | none |
Option 1: Correct Source syslog formats¶
Syslog Alert Response¶
Login to Symantec DLP and edit the Syslog Response rule. The default configuration will appear as follows
$POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$
DO NOT replace the text prepend the following literal
SymantecDLPAlert:
Result note the space between ‘:’ and ‘$’
SymantecDLPAlert: $POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$
Syslog System events¶
- Navigate to the installed directory, for example
<drive>:\SymantecDLP\Protect\config
directory on Windows or the/opt/SymantecDLP/Protect/config
directory on Linux. - Open the
Manager.properties
file. - Comment out any uncommented line starting with
systemevent.syslog.format
- Add the following line
systemevent.syslog.format= {0.EN_US} SymantecDLP: {1.EN_US} - {2.EN_US}
- Restart symantec DLP
Option 2: Manual Vendor Product by source Parser Configuration¶
#/opt/sc4s/local/config/app-parsers/app-vps-symantec_dlp.conf
#File name provided is a suggestion it must be globally unique
application app-vps-test-symantec_dlp[sc4s-vps] {
filter {
#netmask(169.254.100.1/24)
#host("-esx-")
};
parser {
p_set_netsource_fields(
vendor('symantec')
product('dlp')
);
};
};