
Symantec DLP Application

EventLog Analyzer collects log data from Symantec DLP Applications and presents it in the form of graphical reports. For the solution to start collecting this log data, the Symantec DLP Application device has to be added as a threat source.

Adding a Symantec DLP Application device as a threat source:

To add a Symantec DLP Application device as a threat source, the syslog service has to be configured.

  1. Locate and open the config\Manager.properties file. The file path is as follows:
    • Windows - \SymantecDLP\Protect\config directory
    • Linux - /opt/SymantecDLP/Protect/config directory
  2. Uncomment the systemevent.syslog.host= line and specify the EventLog Analyzer server IP address as follows:
    systemevent.syslog.host=xxx.xx.xx.xxx
  3. Uncomment the systemevent.syslog.port= line and specify 514 as the port to accept connections from the Symantec Enforce Server as follows:
    systemevent.syslog.port=514
  4. After making the above mentioned changes, save and close the properties file.
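
A check you can run on the edited file before restarting anything, given here as an added example (not ManageEngine or Symantec code). It assumes the shipped lines are commented with "#" and that the file follows standard Java .properties rules; the function names and sample contents are constructed for illustration.

```python
import ipaddress

HOST_KEY = "systemevent.syslog.host"
PORT_KEY = "systemevent.syslog.port"

def active_properties(text):
    """Return {key: value} for uncommented lines; as in Java, the last duplicate wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # '#' and '!' start a comment in .properties files
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_syslog_settings(text, expected_port=514):
    """Return a list of problems; an empty list means both settings are usable."""
    props = active_properties(text)
    problems = []
    host = props.get(HOST_KEY)
    if host is None:
        problems.append(f"{HOST_KEY} is missing or still commented out")
    else:
        try:
            ipaddress.ip_address(host)  # rejects the xxx.xx.xx.xxx placeholder and empty values
        except ValueError:
            problems.append(f"{HOST_KEY}={host!r} is not an IP address")
    port = props.get(PORT_KEY)
    if port is None:
        problems.append(f"{PORT_KEY} is missing or still commented out")
    elif port != str(expected_port):
        problems.append(f"{PORT_KEY}={port!r}, expected {expected_port}")
    return problems

# Constructed sample file contents (192.0.2.10 is a documentation-only address).
SAMPLE_UNEDITED = "#systemevent.syslog.host=\n#systemevent.syslog.port=\n"
SAMPLE_PLACEHOLDER = "systemevent.syslog.host=xxx.xx.xx.xxx\nsystemevent.syslog.port=514\n"
SAMPLE_OK = "systemevent.syslog.host=192.0.2.10\nsystemevent.syslog.port=514\n"

if __name__ == "__main__":
    for name, text in [("unedited", SAMPLE_UNEDITED),
                       ("placeholder", SAMPLE_PLACEHOLDER),
                       ("ok", SAMPLE_OK)]:
        print(name, check_syslog_settings(text) or "OK")
```

To check a real installation, pass the contents of Manager.properties from the config directory named in step 1 to check_syslog_settings.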

Next, add the device in the EventLog Analyzer console:

  1. In the EventLog Analyzer console, navigate to Settings > Log Source Configurations > Applications > Security Applications > Add Security Applications
  2. Select Add-on type as Symantec DLP
  3. Expand the list by clicking the "+" icon to add a new device.
  4. Choose from the drop-down menu to add Configured devices, Workgroup devices, domain devices, etc.
  5. To add new devices manually, click on Configure Manually and enter Log Source > Select and click on Add.

Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed in the form of reports.

The reports provide information on the top:

Additionally, a Symantec DLP overview report is also provided.
