Configure Symantec DLP to send syslog data
You need to enable syslog in Symantec DLP in order to send events to the Splunk platform through syslog. You also need to use a specific format required by the Splunk add-on for Symantec DLP.
Set up a response rule in the Symantec DLP server using the following format:
Specify each variable you would like to extract from your Symantec DLP system using the format above, separating each key/value pair with a comma or a space.
Example for Symantec DLP version 14:
incident_id="$INCIDENT_ID$", blocked="$BLOCKED$", policy="$POLICY$", recipients="$RECIPIENTS$", rules="$POLICY_RULES$", sender="$SENDER$", severity="$SEVERITY$", subject="$SUBJECT$"
Note: You need to use the variable names that correspond with the version of Symantec DLP you are using. For example, if you are using Symantec DLP 12.0 or earlier, instead of using
policy="$POLICY$" you would use
For instructions on how to create response rules, see pages 870 - 875 in the Symantec Data Loss Prevention Administration guide, Version 14. For instructions on configuring syslog, see pages 145 - 146 in the guide.
If you are using Symantec DLP version 12.5, consult the Symantec Data Loss Prevention Administration guide, Version 12.5.
Next, configure your data collection node to receive data from Symantec DLP as described in Configure inputs for the Splunk Add-on for Symantec DLP.
Install the Splunk Add-on for Symantec DLP
Configure inputs for the Splunk Add-on for Symantec DLP
This documentation applies to the following versions of Splunk® Supported Add-ons: released