I have configured Symantec DLP Enforce with McAfee SIEM (Syslog Server)
I have followed the Admin Guide and Symantec article and followed the steps as mentioned.
We are able to send incident messages to Syslog server,and Enforce server is Successfully Telnet Syslog Server. syslog IP port 514
Secondly we have run TCP Dump which shows DLP is sending event messages to McAfee SIEM receiver.
Now coming on McAfee SIEM they have selected Symantec DLP and put IP of DLP enforce and there default port is 514.
Now they are Syslog is unable to receive any incidents but from our side its showing it has already send logs.
regarding DLP Message variable i have used.
$POLICY$ $INCIDENT_ID$ $SUBJECT$ $SEVERITY$ $MATCH_COUNT$ $RULES$ $SENDER$ $RECIPIENTS$ $BLOCKED$ $FILE_NAME$ $PARENT_PATH$ $SCAN$ $TARGET$ $PROTOCOL$ $ INCIDENT_SNAPSHOT$
Need you help is there any port to be open on DLP side or what steps should i take.
DPL enforce is running on Red hat Linux 5.9 and DLP version 12.0.
If we want to send specific user incident what should we add in enforce server side.