About External Storage for incident attachments in DLP

Article ID: 150149

Products

Data Loss Prevention, Data Loss Prevention Enforce

Issue/Introduction

 About external storage for incident attachments for Data Loss Prevention (DLP).

Resolution

About external storage for incident attachments

 

You can store incident attachments such as email messages or documents on a file system rather than in the Symantec Data Loss Prevention database. Storing incident attachments externally saves a great deal of space in your database, providing you with a more cost-effective storage solution.

 

You can store incident attachments either in a directory on the Enforce Server host computer, or on a stand-alone computer. You can use any file system you choose. Symantec recommends that you work with your data storage administrator to set up an appropriate directory for incident attachment storage.

 

To set up an external storage directory, Symantec recommends these best practices:

  • If you choose to store your incident attachments on the Enforce Server host computer, do not place your storage directory under the /SymantecDLP/ folder.
  • If you choose to store incident attachments on a computer other than your Enforce Server host computer, take the following steps:
      • Ensure that both the external storage server and the Enforce Server are in the same domain.
      • Create a "protect" user with the same password as your Enforce Server "protect" user to use with your external storage directory.
      • If you are using a Linux system for external storage, change the owner of the external storage directory to the external storage "protect" user.
      • If you are using a Microsoft Windows system for external storage, share the directory with Read/Write permissions with the external storage "protect" user.

 

After you have set up your storage location, you can enable external storage for incident attachments in the Upgrade Wizard. All new incident attachments will be stored in the external storage directory.

 

In addition, a migration process runs in the background to move your existing incident attachments from the database to your external storage directory. Incident attachments in the external storage directory cannot be migrated back to the database. Incident attachments stored in the external storage directory are encrypted and can only be accessed from the Enforce Server administration console.

 

The incident deletion process deletes incident attachments in your external storage directory after it deletes the associated incident data from your database. This process happens overnight; files are not deleted immediately. You do not need to take any special action to delete incidents from the external storage directory.

 

To change the settings for external storage of incident attachments

If you did not configure the incident attachment external storage directory during the installation or upgrade process, you can enable or update external storage settings in the Protect.properties configuration file. You can also disable external storage of incident attachments in this file.


1. On the Enforce Server host, open the following file in a text editor:
   Microsoft Windows: \Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\config\Protect.properties
   Linux: /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/Protect/config/Protect.properties
2. Enable incident attachment external storage:
   com.symantec.dlp.incident.blob.externalize=true
3. Specify the path to the external storage directory:
   com.symantec.dlp.incident.blob.externalization.dir=<PATH TO DIRECTORY>
4. Save the file.
5. Restart the SymantecDLPManagerService and SymantecDLPIncidentPersisterService services.

Note: Pay attention to the direction of the slashes in the path; they are the opposite of the Windows convention. If a Windows-style path such as "D:\incidents" is used, it will fail. It needs to be specified as "D:/Incidents".
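
The following pre-restart check for the two Protect.properties settings above is an added example, not Symantec code. It flags a backslash path, a leftover placeholder, and a directory under a SymantecDLP folder. The function names and sample file contents are constructed for illustration, and the SymantecDLP check assumes a literal reading of the best practice.

```python
import re

EXTERNALIZE = "com.symantec.dlp.incident.blob.externalize"
EXT_DIR = "com.symantec.dlp.incident.blob.externalization.dir"

def parse_properties(text):
    """Minimal key=value reader; values are kept raw so backslashes stay visible."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # skip blanks and comment lines
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_external_storage(text):
    """Return findings for the external storage settings; an empty list means OK."""
    props = parse_properties(text)
    if props.get(EXTERNALIZE, "").lower() != "true":
        return ["externalize is not true: attachments stay in the database"]
    path = props.get(EXT_DIR, "")
    if not path or path.startswith("<"):
        return ["externalization.dir is missing or still a placeholder"]
    findings = []
    if "\\" in path:
        findings.append("path uses backslashes; write it with forward slashes")
    # Assumption: treat any path component named SymantecDLP as "under /SymantecDLP/".
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    if "symantecdlp" in parts:
        findings.append("directory is under the SymantecDLP folder")
    return findings

def _sample(value):
    return f"{EXTERNALIZE}=true\n{EXT_DIR}={value}\n"

# Constructed sample file contents, not taken from a real installation.
SAMPLES = {
    "forward": _sample("D:/Incidents"),
    "backslash": _sample("D:\\incidents"),
    "under_dlp": _sample("/opt/SymantecDLP/attachments"),
    "placeholder": _sample("<PATH TO DIRECTORY>"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_external_storage(text) or "OK")
```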