Symantec Data Loss Prevention (DLP) Event Collector does not properly map events from DLP 11.6.x
Last Updated March 13, 2013
You have followed all the required steps from the DLP Event Collector Quick Reference.
You enable the sensor and observe that events are not being parsed correctly.
DLP version 11.6 appears to have changed the "Signature" sent by the Syslog response rule; this causes the Symantec Security Information Manager (SSIM) Collector to fail to handle DLP syslog data properly.
The syslog data still reaches the SSIM collector from the Enforce server; however, the format of the raw data appears to have changed slightly, so the SSIM was only storing the raw data and was unable to map the incident data into the SSIM database.
Prior to 11.6, the raw data sent to the SSIM was prefixed with the string "Vontu Incident: ".
According to the SSIM documentation, the SSIM collector looks for this string to know where to begin parsing the individual incident data fields:
The existing documentation for the SSIM (Symantec Security Information Manager) Symantec Event Collector (p. 23) states that DLP should send the syslog data with the following "signature":
The default Syslog Director settings for this collector are as follows:
Collector name: Symantec DLP Event Collector
Collector signature: Vontu Incident:
Default port: 10559
This has been escalated to the engineering team, and the DLP Event Collector Quick Reference Guide needs to be updated.
The current workaround is to add the "Vontu Incident: " string to the beginning of the message in the Syslog response rule on DLP, e.g.,
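The following is an added example, not Symantec's collector code, that simulates the behaviour described in this article: a signature-based collector that parses incident fields only when the "Vontu Incident: " signature is present, stores the raw message otherwise, and the workaround of prepending the signature to the response-rule message. The syslog header and the key=value field layout of the sample messages are constructed assumptions for illustration, not the real DLP response-rule format; the signature string and port come from the documentation quoted above.

```python
# Added example (not Symantec code): a small simulation of how a signature-based
# syslog collector behaves with and without the "Vontu Incident: " prefix, and of
# the workaround of prepending that signature in the DLP response rule.
from dataclasses import dataclass, field

SIGNATURE = "Vontu Incident: "   # collector signature from the documentation quoted above
DEFAULT_PORT = 10559             # default Syslog Director port from the same documentation

# Constructed sample incident bodies. The "key=value,key=value" layout is an
# assumption made for this example; it is not the real DLP response-rule format.
PRE_116_BODY = "Vontu Incident: id=1234,policy=PCI,severity=High,sender=alice@example.test"
V116_BODY = "id=1235,policy=PCI,severity=High,sender=bob@example.test"


def build_syslog(body: str, host: str = "enforce01") -> str:
    """Wrap a response-rule body in a constructed syslog header (assumed format)."""
    return f"<134>Mar 13 2013 10:01:02 {host} {body}"


@dataclass
class Event:
    raw: str                                    # always stored, as the article describes
    mapped: dict = field(default_factory=dict)  # populated only when the signature is found

    @property
    def is_mapped(self) -> bool:
        return bool(self.mapped)


def parse_incident(message: str, signature: str = SIGNATURE) -> Event:
    """Mimic the collector: locate the signature and parse the fields after it;
    if the signature is absent, keep only the raw message (no mapping)."""
    idx = message.find(signature)
    if idx < 0:
        return Event(raw=message)
    body = message[idx + len(signature):]
    fields = {}
    for pair in body.split(","):
        key, _, value = pair.partition("=")
        if key.strip():
            fields[key.strip()] = value.strip()
    return Event(raw=message, mapped=fields)


def apply_workaround(body: str, signature: str = SIGNATURE) -> str:
    """The article's workaround: ensure the response-rule message starts with the signature."""
    return body if body.startswith(signature) else signature + body


def unmapped_count(messages) -> int:
    """Health check over received messages: how many were stored raw-only
    because the signature was missing. A non-zero value after a DLP upgrade
    is the symptom this article describes."""
    return sum(1 for m in messages if not parse_incident(m).is_mapped)


if __name__ == "__main__":
    for label, body in (("pre-11.6", PRE_116_BODY),
                        ("11.6", V116_BODY),
                        ("11.6 + workaround", apply_workaround(V116_BODY))):
        ev = parse_incident(build_syslog(body))
        print(f"{label:18} mapped={ev.is_mapped} fields={ev.mapped}")
```

Running the block shows the pre-11.6 message and the 11.6 message with the workaround applied both mapping to fields, while the unmodified 11.6 message is stored raw-only; `unmapped_count` is the kind of check worth running on the SSIM side after a DLP upgrade to confirm that incidents are actually being mapped rather than silently stored as raw data.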