Collect Symantec DLP logs
This document explains how to ingest Symantec DLP logs to Google Security Operations using the Bindplane agent.
Symantec Data Loss Prevention (DLP) is a data protection solution that generates syslog messages for policy violations, data discovery incidents, endpoint monitoring events, and network monitoring alerts. The parser extracts fields from pipe-delimited and CEF-formatted syslog logs and maps them to the Unified Data Model (UDM).
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Windows Server 2016 or later, or Linux host with
systemd - Network connectivity between the Bindplane agent and the Symantec DLP server
- If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
- Administrative access to the Symantec Server administration console
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File.
-
Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
-
Copy and save the Customer IDfrom the Organization Detailssection.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open Command Promptor PowerShellas an administrator.
-
Run the following command:
msiexec / i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" / quiet -
Wait for the installation to complete.
-
Verify the installation by running:
sc query observiq-otel-collectorThe service should show as RUNNING.
Linux installation
- Open a terminal with root or sudo privileges.
-
Run the following command:
sudo sh -c " $( curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) " install_unix.sh -
Wait for the installation to complete.
-
Verify the installation by running:
sudo systemctl status observiq-otel-collectorThe service should show as active (running).
Additional installation resources
For additional installation options and troubleshooting, see the Bindplane agent installation guide .
Configure the Bindplane agent to ingest syslog and send to Google SecOps
Locate the configuration file
-
Linux:
sudo nano /opt/observiq-otel-collector/config.yaml -
Windows:
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
Edit the configuration file
-
Replace the entire contents of
config.yamlwith the following configuration:receivers : udplog : listen_address : "0.0.0.0:514" exporters : chronicle/symantec_dlp : compression : gzip creds_file_path : '/etc/bindplane-agent/ingestion-auth.json' customer_id : '<customer_id>' endpoint : malachiteingestion-pa.googleapis.com log_type : SYMANTEC_DLP raw_log_field : body service : pipelines : logs/symantec_dlp_to_chronicle : receivers : - udplog exporters : - chronicle/symantec_dlp
Configuration parameters
Replace the following placeholders:
-
Receiver configuration:
-
listen_address: IP address and port to listen on:-
0.0.0.0to listen on all interfaces (recommended) - Port
514is the standard syslog port (requires root on Linux; use1514for non-root)
-
-
-
Exporter configuration:
-
creds_file_path: Full path to ingestion authentication file:- Linux:
/etc/bindplane-agent/ingestion-auth.json - Windows:
C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- Linux:
-
customer_id: Customer ID copied from the Google SecOps console -
endpoint: Regional endpoint URL:- US:
malachiteingestion-pa.googleapis.com - Europe:
europe-malachiteingestion-pa.googleapis.com - Asia:
asia-southeast1-malachiteingestion-pa.googleapis.com - See Regional Endpoints for complete list
- US:
-
Save the configuration file
- After editing, save the file:
- Linux: Press
Ctrl+O, thenEnter, thenCtrl+X - Windows: Click File > Save
- Linux: Press
Restart the Bindplane agent to apply the changes
-
To restart the Bindplane agent in Linux, run the following command:
sudo systemctl restart observiq-otel-collector-
Verify the service is running:
sudo systemctl status observiq-otel-collector -
Check logs for errors:
sudo journalctl -u observiq-otel-collector -f
-
-
To restart the Bindplane agent in Windows, choose one of the following options:
-
Command Prompt or PowerShell as administrator:
net stop observiq-otel-collector && net start observiq-otel-collector -
Services console:
- Press
Win+R, typeservices.msc, and press Enter. - Locate observIQ OpenTelemetry Collector.
- Right-click and select Restart.
-
Verify the service is running:
sc query observiq-otel-collector -
Check logs for errors:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
- Press
-
Configure Symantec DLP
- Sign in to the Symantec Server administrationconsole.
- Select Manage > Policies > Response rules.
- Select Configure response ruleand enter a rule name.
-
Provide the following details:
- Actions: Select Log to a syslog server.
- Host: Enter the Bindplane IP address.
- Port: Enter the Bindplane port number.
- Message: Enter the following syslog message template:
|symcdlpsys|APPLICATION_NAME|$APPLICATION_NAME$|APPLICATION_USER|$APPLICATION_USER$|ATTACHMENT_FILENAME|$ATTACHMENT_FILENAME$|BLOCKED|$BLOCKED$|DATAOWNER_NAME|$DATAOWNER_NAME$|DATAOWNER_EMAIL|$DATAOWNER_EMAIL$|...- Debugging: Select Level 4.
-
Click Apply.
UDM mapping table
| Log field | UDM mapping | Logic |
|---|---|---|
|
act
|
security_result.action | If act
is Passed
, set to ALLOW
. If act
is Modified
, set to ALLOW_WITH_MODIFICATION
. If act
is Blocked
, set to BLOCK
. Otherwise, set to UNKNOWN_ACTION
. |
|
application_name
|
target.application | Directly mapped. |
|
asset_ip
|
principal.ip, principal.asset.ip | Directly mapped. |
|
asset_name
|
principal.hostname, principal.asset.hostname | Directly mapped. |
|
attachment_name
|
security_result.about.file.full_path | Directly mapped. |
|
blocked
|
security_result.action_details | Directly mapped. |
|
calling_station_id
|
principal.mac, principal.asset.mac | If calling_station_id
is a MAC address, map it directly after replacing -
with :
and converting to lowercase. |
|
called_station_id
|
target.mac, target.asset.mac | If called_station_id
is a MAC address, extract the MAC address part before the :
and map it directly after replacing -
with :
and converting to lowercase. |
|
category1
|
security_result.detection_fields | Create a label with key category1
and value from category1
. |
|
category2
|
security_result.detection_fields | Create a label with key category2
and value from category2
. |
|
category3
|
security_result.detection_fields | Create a label with key category3
and value from category3
. |
|
client_friendly_name
|
target.user.userid | Directly mapped. |
|
dataowner_mail
|
principal.user.email_addresses | Directly mapped if it's a valid email address. |
|
description
|
metadata.description | Directly mapped. |
|
dest_location
|
target.location.country_or_region | Directly mapped if it's not RED
. |
|
deviceId
|
target.asset_id | Mapped as ID:%{deviceId}
. |
|
device_version
|
metadata.product_version | Directly mapped. |
|
dhost
|
network.http.referral_url | Directly mapped. |
|
dlp_type
|
security_result.detection_fields | Create a label with key dlp_type
and value from dlp_type
. |
|
DLP_EP_Incident_ID
|
security_result.threat_id, security_result.detection_fields | Directly mapped to threat_id
. Also, create a label with key Incident ID
and value from DLP_EP_Incident_ID
. |
|
domain
|
principal.administrative_domain | Directly mapped. |
|
dst
|
target.ip, target.asset.ip | Directly mapped if it's a valid IP address. |
|
endpoint_machine
|
target.ip, target.asset.ip | Directly mapped if it's a valid IP address. |
|
endpoint_user_department
|
target.user.department | Directly mapped. |
|
endpoint_user_email
|
target.user.email_addresses | Directly mapped. |
|
endpoint_user_manager
|
target.user.managers | Create a manager object with user_display_name
from endpoint_user_manager
. |
|
endpoint_user_name
|
target.user.user_display_name | Directly mapped. |
|
endpoint_user_title
|
target.user.title | Directly mapped. |
|
event_description
|
metadata.description | Directly mapped. |
|
event_id
|
metadata.product_log_id | Directly mapped. |
|
event_source
|
target.application | Directly mapped. |
|
event_timestamp
|
metadata.event_timestamp | Directly mapped. |
|
file_name
|
security_result.about.file.full_path | Directly mapped. |
|
filename
|
target.file.full_path, src.file.full_path | Directly mapped to target.file.full_path
. If has_principal
is true, also map to src.file.full_path
and set event_type
to FILE_COPY
. |
|
host
|
src.hostname, principal.hostname, principal.asset.hostname | If cef_data
contains CEF
, map to all three fields. Otherwise, map to principal.hostname
and principal.asset.hostname
. |
|
incident_id
|
security_result.threat_id, security_result.detection_fields | Directly mapped to threat_id
. Also, create a label with key Incident ID
and value from incident_id
. |
|
location
|
principal.resource.attribute.labels | Create a label with key Location
and value from location
. |
|
match_count
|
security_result.detection_fields | Create a label with key Match Count
and value from match_count
. |
|
monitor_name
|
additional.fields | Create a label with key Monitor Name
and value from monitor_name
. |
|
nas_id
|
target.hostname, target.asset.hostname | Directly mapped. |
|
occurred_on
|
principal.labels, additional.fields | Create a label with key Occurred On
and value from occurred_on
for both principal.labels
and additional.fields
. |
|
policy_name
|
sec_result.detection_fields | Create a label with key policy_name
and value from policy_name
. |
|
policy_rule
|
security_result.rule_name | Directly mapped. |
|
policy_severity
|
security_result.severity | Mapped to severity
after converting to uppercase. If policy_severity
is INFO
, map it as INFORMATIONAL
. If policy_severity
is not one of HIGH
, MEDIUM
, LOW
, or INFORMATIONAL
, set severity
to UNKNOWN_SEVERITY
. |
|
policy_violated
|
security_result.summary | Directly mapped. |
|
Protocol
|
network.application_protocol, target.application, sec_result.description | If Protocol
is not FTP
or Endpoint
, map it to network.application_protocol
after parsing it using the parse_app_protocol.include
file. If Protocol
is FTP
, map it to target.application
. If Protocol
is Endpoint
, set sec_result.description
to Protocol=%{Protocol}
. |
|
recipient
|
target.user.email_addresses, about.user.email_addresses | For each email address in recipient
, map it to both target.user.email_addresses
and about.user.email_addresses
. |
|
recipients
|
network.http.referral_url, target.resource.attribute.labels | Directly mapped to network.http.referral_url
. Also, create a label with key recipients
and value from recipients
. |
|
reported_on
|
additional.fields | Create a label with key Reported On
and value from reported_on
. |
|
rules
|
security_result.detection_fields | Create a label with key Rules
and value from rules
. |
|
sender
|
network.email.from, target.resource.attribute.labels | If sender
is a valid email address, map it to network.email.from
. Also, create a label with key sender
and value from sender
. |
|
server
|
target.application | Directly mapped. |
|
Severity
|
security_result.severity | See policy_severity
for mapping logic. |
|
src
|
principal.ip, principal.asset.ip | Directly mapped if it's a valid IP address. |
|
status
|
principal.labels, additional.fields | Create a label with key Status
and value from status
for both principal.labels
and additional.fields
. |
|
subject
|
target.resource.attribute.labels, network.email.subject | Create a label with key subject
and value from subject
. Also, map subject
to network.email.subject
. |
|
target_type
|
target.resource.attribute.labels | Create a label with key Target Type
and value from target_type
. |
|
timestamp
|
metadata.event_timestamp | Directly mapped after parsing it using the date
filter. |
|
url
|
target.url | Directly mapped. |
|
user
|
target.user.userid | Directly mapped. |
|
user_id
|
principal.user.userid | Directly mapped. |
|
username
|
principal.user.userid | Directly mapped. |
|
N/A
|
metadata.product_name | Set to SYMANTEC_DLP
. |
|
N/A
|
metadata.vendor_name | Set to SYMANTEC
. |
|
N/A
|
metadata.event_type | If event_type
is not empty, map it directly. Otherwise, if host
is not empty and has_principal
is true, set to SCAN_NETWORK
. Otherwise, set to GENERIC_EVENT
. |
|
N/A
|
metadata.product_event_type | If policy_violated
contains -NM-
or data
contains DLP NM
, set to Network Monitor
. If policy_violated
contains -EP-
or data
contains DLP EP
, set to Endpoint
. |
|
N/A
|
metadata.log_type | Set to SYMANTEC_DLP
. |
subject
|
event.idm.read_only_udm.network.email.subject
|
Mapped from changelog |
end
|
event.idm.read_only_udm.metadata.event_timestamp
|
Mapped from changelog |
cnt
|
event.idm.read_only_udm.network.session_duration.seconds
|
Mapped from changelog |
resolution
|
event.idm.read_only_udm.security_result.detection_fields
|
Mapped from changelog |
dhost
|
event.idm.read_only_udm.target.user.email_addresses
|
Mapped from changelog |
ATTACHMENT_FILENAME
|
principal.file.full_path
|
Mapped from changelog |
DATAOWNER_NAME
|
principal.user.userid
|
Mapped from changelog |
ENDPOINT_USERNAME
|
principal.user.userid
|
Mapped from changelog |
reported_on" and "monitor_name
|
additional.fields
|
Mapped from changelog |
incident_id" and "DLP_EP_Incident_ID
|
security_result.detection_fields
|
Mapped from changelog |
application
|
principal.application
|
Mapped from changelog |
Occurred on
|
principal.labels
|
Mapped from changelog |
Change Log
View the Change Log for this parser
Need more help? Get answers from Community members and Google SecOps professionals.

