Configure inputs for the Splunk Add-on for RSA DLP
The Splunk Add-on for RSA DLP handles inputs through UDP. There are two ways to capture this data.
1. Use a syslog aggregator with a Splunk forwarder installed on it. Configure a monitor input to monitor the file or files generated by the aggregator.
2. Create a UDP input to capture the data sent on the port you have configured in RSA DLP.
Access the RSA DLP documentation for more information.
Monitor input
If you are using a syslog aggregator, install a forwarder on that machine and set up a monitor input to monitor the file or files that are generated. Set your source type to rsa:dlp. The CIM mapping and dashboard panels are dependent on this source type.
See "Monitor files and directories" in the Getting Data In manual for information about setting up a monitor input.
UDP input
In the Splunk platform node handling data collection, configure a UDP input to match your configurations in RSA DLP and set your source type to rsa:dlp. The CIM mapping and dashboard panels are dependent on this source type.
For information on how to configure a Splunk forwarder or single-instance to receive a syslog input, see "Get data from TCP and UDP ports" in the Getting Data In manual.
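The two input options described above, written as inputs.conf stanzas. This is an added example, not taken from the add-on or its documentation; the file path, the port number, and the sender address are assumptions to replace with your own values.

```ini
# inputs.conf on the forwarder or collection node.
# Use the stanza that matches how you receive the data.

# Option 1: monitor the files written by the syslog aggregator.
# The path is an assumption; use the location your aggregator writes to.
[monitor:///var/log/rsa-dlp/*.log]
sourcetype = rsa:dlp
disabled = 0

# Option 2: receive syslog directly over UDP.
# Port 514 is an assumption; use the port configured in RSA DLP.
[udp://514]
sourcetype = rsa:dlp
# Record the sender's IP address in the host field.
connection_host = ip
# UDP syslog carries no sender authentication, so accept events
# only from the RSA DLP server. 192.0.2.10 is a placeholder address.
acceptFrom = 192.0.2.10
disabled = 0
```

Restart the Splunk platform instance after editing inputs.conf so the new input takes effect.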
Validate data collection
Once you have configured the input, run this search to check that you are ingesting the data that you expect.
sourcetype=rsa:dlp
This documentation applies to the following versions of Splunk® Supported Add-ons: released