Data Loss Prevention

  • 1.  DLP event message import to syslog server

    Posted Apr 22, 2012 10:14 AM

    I am using the Symantec DLP product to import DLP events to another syslog server, such as a SIEM product. Now I have a problem: the message created in Symantec DLP cannot be transferred to the syslog server.

    I configured a response rule to send this DLP message to the syslog server.

    And I configured a policy to use this response rule, and triggered an incident with this policy. But this message is not transferred to the syslog server. The history of the incident is as follows:

    You can see that the incident data is discarded by the Network_Discover server.

    So, can anyone help to fix this problem? Any suggestions? Thanks a lot!

     



  • 2.  RE: DLP event message import to syslog server

    Broadcom Employee
    Posted Apr 22, 2012 11:11 PM

    Please check and paste the log inside the log file: IncidentPersister*.log



  • 3.  RE: DLP event message import to syslog server

    Posted Apr 25, 2012 08:58 AM

    I would agree with Yang above; if we have those logs we can help identify what may be happening. From just seeing the screenshot above of an incident, it appears you may have another response rule which is discarding information, but this should be pretty apparent when looking at response rules. It does look like the information should have been sent to the Syslog server, though I'm assuming it would come over with a blank payload.



  • 4.  RE: DLP event message import to syslog server

    Posted Apr 26, 2012 10:29 PM

    Dears,

    Thank you for your response. Here I attach the log file. Hope it is what you want. If not, I paste the image of all "IncidentPersister*.log" in my system. Please tell me the right one. Thanks.

    Attachment(s): IncidentPersister_0.zip (zip, 30 KB, 1 version)