Symantec DLP

Key facts

  • Requires vendor product by source configuration
  • Legacy BSD Format default port 514
Ref Link

  • Splunk Add-on Symantec DLP
  • Source doc


sourcetype | notes
symantec:dlp:syslog | None

Index Configuration

key | sourcetype | index | notes
symantec_dlp | symantec:dlp:syslog | netdlp | none

Option 1: Correct Source syslog formats

Syslog Alert Response

Log in to Symantec DLP and edit the Syslog Response rule. The default configuration appears as follows:


DO NOT replace the existing text; prepend the following literal to it:


Result (note the space between ‘:’ and ‘$’):


Syslog System events

  • Navigate to the installed directory, for example the <drive>:\SymantecDLP\Protect\config directory on Windows or the /opt/SymantecDLP/Protect/config directory on Linux.
  • Open the file.
  • Comment out any uncommented line that starts with systemevent.syslog.format
  • Add the following line: systemevent.syslog.format= {0.EN_US} SymantecDLP: {1.EN_US} - {2.EN_US}
  • Restart Symantec DLP.
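To sanity-check what the DLP server actually emits after the two changes above (the prepended literal in the Syslog Response rule and the systemevent.syslog.format line), here is an added Python checker that is not part of SC4S or the Symantec product. It tests captured syslog message bodies against the documented literals only; it does not reproduce SC4S's own detection logic, the field labels (level/event/detail) are assumptions, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Dict

# Literal the page says to prepend: the tag followed by exactly one space.
DLP_TAG = "SymantecDLP: "

# Shape of a system event produced by the documented format
#   {0.EN_US} SymantecDLP: {1.EN_US} - {2.EN_US}
# The group names are assumptions; the page does not name the placeholders.
SYSTEM_EVENT = re.compile(
    r"^(?P<level>\S+) SymantecDLP: (?P<event>.+?) - (?P<detail>.+)$"
)


@dataclass
class Verdict:
    tagged: bool            # tag present with the required trailing space
    kind: str               # "system_event", "alert" or "untagged"
    problem: Optional[str]  # what to fix, if anything


def check_dlp_line(message: str) -> Verdict:
    """Classify one syslog MSG body captured from a DLP host."""
    if SYSTEM_EVENT.match(message):
        return Verdict(True, "system_event", None)
    if DLP_TAG in message:
        return Verdict(True, "alert", None)
    if "SymantecDLP:" in message:
        # Tag present, but the space after ':' that the page calls out is missing.
        return Verdict(False, "untagged", "missing space after 'SymantecDLP:'")
    return Verdict(False, "untagged",
                   "no SymantecDLP: tag; fall back to Option 2 (host-based vendor/product)")


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count how many captured lines fall into each category."""
    counts = {"system_event": 0, "alert": 0, "untagged": 0}
    for line in lines:
        counts[check_dlp_line(line).kind] += 1
    return counts


# Constructed sample lines, not captured from a real deployment.
SAMPLES = [
    "WARN SymantecDLP: 1234 - Detection server scan exceeded threshold",
    "SymantecDLP: Incident 42 Policy=PCI Severity=High",
    "SymantecDLP:Incident 42 Policy=PCI Severity=High",   # space after ':' lost
    "Incident 42 Policy=PCI Severity=High",               # response rule untouched
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_dlp_line(line), "<-", line)
    print(summarize(SAMPLES))
```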

Option 2: Manual Vendor Product by source Parser Configuration

# The file name is a suggestion; it must be globally unique.
application app-vps-test-symantec_dlp[sc4s-vps] {
    # Placeholder host pattern: replace with the hostname(s) your DLP server sends.
    filter { host("symantec_dlp*") };
    parser {
        p_set_netsource_fields(vendor('symantec') product('dlp'));
    };
};