Dear All,
Please follow the instructions below, as I integrated DLP 12.0.1 with RSA enVision for syslog.
Configure Symantec DLP
To configure Symantec DLP to work with the enVision appliance, you must complete the following tasks:
1. Configure System Events
2. Configure Response Rules
3. Enable Rules
Configure System Events
To configure system events:
1. On your Vontu system, depending on your operating system, choose one of the following:
For Windows, change directories to \Vontu\Protect\config.
For Linux, change directories to /opt/Vontu/Protect/config.
2. Open Manager.properties in a text editor.
3. Remove the number sign (#) from the line #systemevent.syslog.host= and then enter the hostname or IP address of your enVision appliance.
4. Remove the # from the line #systemevent.syslog.port= and then type 514.
5. Remove the # from the line #systemevent.syslog.format= [{0}] {1} - {2}.
6. Save and close the file.
7. Restart the Vontu server.
Configure Response Rules (refer to the attached snapshot, response rule.jpg)
To configure response rules:
1. Log on to the Symantec DLP user interface.
2. Click Policies > Response Rules > Add Response Rule.
3. Select Automated Response.
4. Click Next.
5. In the Configure Response Rule window, complete the fields as follows:
Rule Name: Enter a rule name.
Description: Enter a description for the rule.
6. From the Action drop-down list, select All: Log to a Syslog Server.
7. Click Add Action.
8. Complete the fields as follows:
Host: Enter the IP address of your enVision appliance.
Port: Type 514.
Message: Type the following:
$POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$
* Important: This is one continuous entry. Do not add spaces or hyphens.
Level: Select 4.
9. Click Save.
Enable Rules
To enable rules (refer to the attached screenshot, Policy response.JPG):
1. Click Policies > Policy List.
2. Select a policy that you want to report on.
3. Click the Response tab.
4. From the drop-down list, select the rule you created in the previous task.
5. Click Add Response Rule.
Example of the created response rule (see the attached snapshot):
$POLICY$^^$INCIDENT_ID$^^$SUBJECT$^^$SEVERITY$^^$MATCH_COUNT$^^$RULES$^^$SENDER$^^$RECIPIENTS$^^$BLOCKED$^^$FILE_NAME$^^$PARENT_PATH$^^$SCAN$^^$TARGET$^^$PROTOCOL$^^$INCIDENT_SNAPSHOT$
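As an added example (not from the original post and not Symantec or RSA tooling), here is a small Python parser for the ^^-delimited message that this response rule sends, plus a check that picks out High-severity incidents DLP reported as not blocked. The syslog header shape, hostnames, severity values and sample incidents are constructed assumptions; only the field order and the ^^ delimiter come from the template above.

```python
import re

# Field names in the order of the response-rule message template on this page.
DLP_FIELDS = [
    "POLICY", "INCIDENT_ID", "SUBJECT", "SEVERITY", "MATCH_COUNT", "RULES",
    "SENDER", "RECIPIENTS", "BLOCKED", "FILE_NAME", "PARENT_PATH", "SCAN",
    "TARGET", "PROTOCOL", "INCIDENT_SNAPSHOT",
]
DELIM = "^^"

# Assumed syslog header (PRI, timestamp, host, tag): only the text after the
# tag is the ^^-delimited body built from the page's template.
_HEADER = re.compile(r"^(?:<\d+>)?(?:\w{3}\s+\d{1,2}\s+[\d:]+\s+\S+\s+[^:\s]+:\s*)?")

def parse_dlp_incident(line):
    """Return a dict of the 15 template fields, or None if the body is malformed."""
    body = _HEADER.sub("", line.rstrip("\r\n"), count=1)
    parts = body.split(DELIM)
    # A subject or file name containing '^^' would shift every later field,
    # so any count other than 15 is reported as unparseable rather than guessed.
    if len(parts) != len(DLP_FIELDS):
        return None
    rec = dict(zip(DLP_FIELDS, parts))
    rec["MATCH_COUNT"] = int(rec["MATCH_COUNT"]) if rec["MATCH_COUNT"].isdigit() else 0
    rec["BLOCKED"] = rec["BLOCKED"].strip().lower() == "true"
    return rec

def unblocked_high_severity(lines):
    """Incident IDs of High-severity incidents that DLP did not block (assumed value 'High')."""
    hits = []
    for line in lines:
        rec = parse_dlp_incident(line)
        if rec and rec["SEVERITY"] == "High" and not rec["BLOCKED"]:
            hits.append(rec["INCIDENT_ID"])
    return hits

# Constructed sample lines, not real DLP output. The first two carry empty
# SCAN/TARGET fields as a network incident would; the third is truncated.
SAMPLE_LINES = [
    "<110>Jun 3 09:12:44 dlp-enforce VontuManager: PCI Policy^^1042^^Q1 figures^^High^^3^^Credit Card Number^^alice@corp.example^^bob@partner.example^^true^^q1.xlsx^^/home/alice^^^^^^SMTP^^https://dlp.corp.example/ProtectManager/IncidentDetail.do?value=1042",
    "<110>Jun 3 09:13:02 dlp-enforce VontuManager: HR Policy^^1043^^Payroll export^^High^^12^^SSN Pattern^^carol@corp.example^^dave@webmail.example^^false^^payroll.csv^^^^^^^^HTTP^^https://dlp.corp.example/ProtectManager/IncidentDetail.do?value=1043",
    "<110>Jun 3 09:13:30 dlp-enforce VontuManager: HR Policy^^1044^^Cut off^^Low",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_dlp_incident(sample))
    print("Needs follow-up:", unblocked_high_severity(SAMPLE_LINES))
```

Because the delimiter is plain text, a $SUBJECT$ or $FILE_NAME$ that itself contains ^^ will produce a wrong field count; the parser rejects such lines rather than misassigning fields, so count those rejections when tuning the enVision side.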