SSIM does not receive events from Symantec DLP 10 using the Symantec Event Collector
Last Updated March 06, 2010
SSIM is not receiving events from Symantec DLP 10. The source application and the event collector have been configured in accordance with the event collector documentation.
The use of variables that were previously available in Vontu DLP 9 for defining a response rule’s message field can cause the DLP 10 syslog facility to stop sending events.
A workaround has been identified that will allow users of Symantec DLP 10 to successfully send syslog events to the event collector.
When configuring the response rule to send events to the event collector, the contents of the SyslogFormat.txt file (as provided in the utils directory of the collector installation package) should NOT be copied and pasted into the message field, as instructed in the event collector documentation.
Instead, copy the following and paste it into the response rule message field:
This will allow Symantec DLP 10 to successfully send syslog events to the event collector when policies are configured to use the response rule.
NOTE: In some cases, entering the string from the SSIM collector PDF has been known to cause the response rule to fail with the following error on the Enforce server:
Message Code: 1807
Summary: Response rule processing execution failed
Detail: Response rule command runtime execution failed from error: Error executing command: syslog
For the applicable variables, see KB 47666.
For using custom attributes as variables, see KB 43010.
Imported Document ID: TECH220589