Collect Symantec DLP logs

Supported in:

This document explains how to ingest Symantec DLP logs to Google Security Operations using the Bindplane agent.

Symantec Data Loss Prevention (DLP) is a data protection solution that generates syslog messages for policy violations, data discovery incidents, endpoint monitoring events, and network monitoring alerts. The parser extracts fields from pipe-delimited and CEF-formatted syslog logs and maps them to the Unified Data Model (UDM).

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Windows Server 2016 or later, or Linux host with systemd
  • Network connectivity between the Bindplane agent and the Symantec DLP server
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
  • Administrative access to the Symantec Server administration console

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.
  4. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer IDfrom the Organization Detailssection.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open Command Promptor PowerShellas an administrator.
  2. Run the following command:

      msiexec 
      
     / 
     i 
      
     "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
      
     / 
     quiet 
     
    
  3. Wait for the installation to complete.

  4. Verify the installation by running:

     sc query observiq-otel-collector 
    

    The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

     sudo  
    sh  
    -c  
     " 
     $( 
    curl  
    -fsSlL  
    https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
     " 
      
    install_unix.sh 
    
  3. Wait for the installation to complete.

  4. Verify the installation by running:

     sudo  
    systemctl  
    status  
    observiq-otel-collector 
    

    The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see the Bindplane agent installation guide .

Configure the Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux:

     sudo  
    nano  
    /opt/observiq-otel-collector/config.yaml 
    
  • Windows:

     notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml" 
    

Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

      receivers 
     : 
      
     udplog 
     : 
      
     listen_address 
     : 
      
     "0.0.0.0:514" 
     exporters 
     : 
      
     chronicle/symantec_dlp 
     : 
      
     compression 
     : 
      
     gzip 
      
     creds_file_path 
     : 
      
     '/etc/bindplane-agent/ingestion-auth.json' 
      
     customer_id 
     : 
      
     '<customer_id>' 
      
     endpoint 
     : 
      
     malachiteingestion-pa.googleapis.com 
      
     log_type 
     : 
      
     SYMANTEC_DLP 
      
     raw_log_field 
     : 
      
     body 
     service 
     : 
      
     pipelines 
     : 
      
     logs/symantec_dlp_to_chronicle 
     : 
      
     receivers 
     : 
      
     - 
      
     udplog 
      
     exporters 
     : 
      
     - 
      
     chronicle/symantec_dlp 
     
    

Configuration parameters

Replace the following placeholders:

  • Receiver configuration:

    • listen_address : IP address and port to listen on:
      • 0.0.0.0 to listen on all interfaces (recommended)
      • Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)
  • Exporter configuration:

    • creds_file_path : Full path to ingestion authentication file:
      • Linux: /etc/bindplane-agent/ingestion-auth.json
      • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
    • customer_id : Customer ID copied from the Google SecOps console
    • endpoint : Regional endpoint URL:
      • US: malachiteingestion-pa.googleapis.com
      • Europe: europe-malachiteingestion-pa.googleapis.com
      • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
      • See Regional Endpoints for complete list

Save the configuration file

  • After editing, save the file:
    • Linux: Press Ctrl+O , then Enter , then Ctrl+X
    • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

     sudo  
    systemctl  
    restart  
    observiq-otel-collector 
    
    1. Verify the service is running:

       sudo  
      systemctl  
      status  
      observiq-otel-collector 
      
    2. Check logs for errors:

       sudo  
      journalctl  
      -u  
      observiq-otel-collector  
      -f 
      
  • To restart the Bindplane agent in Windows, choose one of the following options:

    • Command Prompt or PowerShell as administrator:

       net stop observiq-otel-collector && net start observiq-otel-collector 
      
    • Services console:

      1. Press Win+R , type services.msc , and press Enter.
      2. Locate observIQ OpenTelemetry Collector.
      3. Right-click and select Restart.
      4. Verify the service is running:

         sc query observiq-otel-collector 
        
      5. Check logs for errors:

          type 
          
         "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log" 
         
        

Configure Symantec DLP

  1. Sign in to the Symantec Server administrationconsole.
  2. Select Manage > Policies > Response rules.
  3. Select Configure response ruleand enter a rule name.
  4. Provide the following details:

    • Actions: Select Log to a syslog server.
    • Host: Enter the Bindplane IP address.
    • Port: Enter the Bindplane port number.
    • Message: Enter the following syslog message template:
     |symcdlpsys|APPLICATION_NAME|$APPLICATION_NAME$|APPLICATION_USER|$APPLICATION_USER$|ATTACHMENT_FILENAME|$ATTACHMENT_FILENAME$|BLOCKED|$BLOCKED$|DATAOWNER_NAME|$DATAOWNER_NAME$|DATAOWNER_EMAIL|$DATAOWNER_EMAIL$|... 
    
    • Debugging: Select Level 4.
  5. Click Apply.

UDM mapping table

Log field UDM mapping Logic
act
security_result.action If act is Passed , set to ALLOW . If act is Modified , set to ALLOW_WITH_MODIFICATION . If act is Blocked , set to BLOCK . Otherwise, set to UNKNOWN_ACTION .
application_name
target.application Directly mapped.
asset_ip
principal.ip, principal.asset.ip Directly mapped.
asset_name
principal.hostname, principal.asset.hostname Directly mapped.
attachment_name
security_result.about.file.full_path Directly mapped.
blocked
security_result.action_details Directly mapped.
calling_station_id
principal.mac, principal.asset.mac If calling_station_id is a MAC address, map it directly after replacing - with : and converting to lowercase.
called_station_id
target.mac, target.asset.mac If called_station_id is a MAC address, extract the MAC address part before the : and map it directly after replacing - with : and converting to lowercase.
category1
security_result.detection_fields Create a label with key category1 and value from category1 .
category2
security_result.detection_fields Create a label with key category2 and value from category2 .
category3
security_result.detection_fields Create a label with key category3 and value from category3 .
client_friendly_name
target.user.userid Directly mapped.
dataowner_mail
principal.user.email_addresses Directly mapped if it's a valid email address.
description
metadata.description Directly mapped.
dest_location
target.location.country_or_region Directly mapped if it's not RED .
deviceId
target.asset_id Mapped as ID:%{deviceId} .
device_version
metadata.product_version Directly mapped.
dhost
network.http.referral_url Directly mapped.
dlp_type
security_result.detection_fields Create a label with key dlp_type and value from dlp_type .
DLP_EP_Incident_ID
security_result.threat_id, security_result.detection_fields Directly mapped to threat_id . Also, create a label with key Incident ID and value from DLP_EP_Incident_ID .
domain
principal.administrative_domain Directly mapped.
dst
target.ip, target.asset.ip Directly mapped if it's a valid IP address.
endpoint_machine
target.ip, target.asset.ip Directly mapped if it's a valid IP address.
endpoint_user_department
target.user.department Directly mapped.
endpoint_user_email
target.user.email_addresses Directly mapped.
endpoint_user_manager
target.user.managers Create a manager object with user_display_name from endpoint_user_manager .
endpoint_user_name
target.user.user_display_name Directly mapped.
endpoint_user_title
target.user.title Directly mapped.
event_description
metadata.description Directly mapped.
event_id
metadata.product_log_id Directly mapped.
event_source
target.application Directly mapped.
event_timestamp
metadata.event_timestamp Directly mapped.
file_name
security_result.about.file.full_path Directly mapped.
filename
target.file.full_path, src.file.full_path Directly mapped to target.file.full_path . If has_principal is true, also map to src.file.full_path and set event_type to FILE_COPY .
host
src.hostname, principal.hostname, principal.asset.hostname If cef_data contains CEF , map to all three fields. Otherwise, map to principal.hostname and principal.asset.hostname .
incident_id
security_result.threat_id, security_result.detection_fields Directly mapped to threat_id . Also, create a label with key Incident ID and value from incident_id .
location
principal.resource.attribute.labels Create a label with key Location and value from location .
match_count
security_result.detection_fields Create a label with key Match Count and value from match_count .
monitor_name
additional.fields Create a label with key Monitor Name and value from monitor_name .
nas_id
target.hostname, target.asset.hostname Directly mapped.
occurred_on
principal.labels, additional.fields Create a label with key Occurred On and value from occurred_on for both principal.labels and additional.fields .
policy_name
sec_result.detection_fields Create a label with key policy_name and value from policy_name .
policy_rule
security_result.rule_name Directly mapped.
policy_severity
security_result.severity Mapped to severity after converting to uppercase. If policy_severity is INFO , map it as INFORMATIONAL . If policy_severity is not one of HIGH , MEDIUM , LOW , or INFORMATIONAL , set severity to UNKNOWN_SEVERITY .
policy_violated
security_result.summary Directly mapped.
Protocol
network.application_protocol, target.application, sec_result.description If Protocol is not FTP or Endpoint , map it to network.application_protocol after parsing it using the parse_app_protocol.include file. If Protocol is FTP , map it to target.application . If Protocol is Endpoint , set sec_result.description to Protocol=%{Protocol} .
recipient
target.user.email_addresses, about.user.email_addresses For each email address in recipient , map it to both target.user.email_addresses and about.user.email_addresses .
recipients
network.http.referral_url, target.resource.attribute.labels Directly mapped to network.http.referral_url . Also, create a label with key recipients and value from recipients .
reported_on
additional.fields Create a label with key Reported On and value from reported_on .
rules
security_result.detection_fields Create a label with key Rules and value from rules .
sender
network.email.from, target.resource.attribute.labels If sender is a valid email address, map it to network.email.from . Also, create a label with key sender and value from sender .
server
target.application Directly mapped.
Severity
security_result.severity See policy_severity for mapping logic.
src
principal.ip, principal.asset.ip Directly mapped if it's a valid IP address.
status
principal.labels, additional.fields Create a label with key Status and value from status for both principal.labels and additional.fields .
subject
target.resource.attribute.labels, network.email.subject Create a label with key subject and value from subject . Also, map subject to network.email.subject .
target_type
target.resource.attribute.labels Create a label with key Target Type and value from target_type .
timestamp
metadata.event_timestamp Directly mapped after parsing it using the date filter.
url
target.url Directly mapped.
user
target.user.userid Directly mapped.
user_id
principal.user.userid Directly mapped.
username
principal.user.userid Directly mapped.
N/A
metadata.product_name Set to SYMANTEC_DLP .
N/A
metadata.vendor_name Set to SYMANTEC .
N/A
metadata.event_type If event_type is not empty, map it directly. Otherwise, if host is not empty and has_principal is true, set to SCAN_NETWORK . Otherwise, set to GENERIC_EVENT .
N/A
metadata.product_event_type If policy_violated contains -NM- or data contains DLP NM , set to Network Monitor . If policy_violated contains -EP- or data contains DLP EP , set to Endpoint .
N/A
metadata.log_type Set to SYMANTEC_DLP .
subject
event.idm.read_only_udm.network.email.subject Mapped from changelog
end
event.idm.read_only_udm.metadata.event_timestamp Mapped from changelog
cnt
event.idm.read_only_udm.network.session_duration.seconds Mapped from changelog
resolution
event.idm.read_only_udm.security_result.detection_fields Mapped from changelog
dhost
event.idm.read_only_udm.target.user.email_addresses Mapped from changelog
ATTACHMENT_FILENAME
principal.file.full_path Mapped from changelog
DATAOWNER_NAME
principal.user.userid Mapped from changelog
ENDPOINT_USERNAME
principal.user.userid Mapped from changelog
reported_on" and "monitor_name
additional.fields Mapped from changelog
incident_id" and "DLP_EP_Incident_ID
security_result.detection_fields Mapped from changelog
application
principal.application Mapped from changelog
Occurred on
principal.labels Mapped from changelog

Change Log

View the Change Log for this parser

Need more help? Get answers from Community members and Google SecOps professionals.

Create a Mobile Website
View Site in Mobile | Classic
Share by: