DLPe 11.2 adds support for sending certain events using the Syslog protocol to a Syslog server. I would like to know how to set up and make use of the new syslog feature in DLPe 11.2.
There is one paragraph of data in the DLPe for Windows 11.2.x Release Notes. In ePO, in DLP Windows Client Configuration policy, one can set the address and port of a syslog server. But beyond that there is little data. I have set a client policy in ePO to send to syslog, but so far I am not seeing any events. So I have some questions:
What IP address is the syslog data sent FROM? Is it sent from each individual Windows client to the syslog server, or are all events sent from the ePO server to the syslog server?
Is syslogging enabled only if the setting Send DLP events to Syslog server is set to enabled? Or is some other factor also involved? For instance, if DLPe is set to operate in Device Control Only mode, does syslogging function?
What is a good way to test syslogging from the DLPe Windows Client? What is a convenient action one can perform in Windows that will cause DLPe to generate a syslogged event? And what should one expect to see at the syslog receiver (syslog server)? I have tried sending e-mail from Outlook and the Win 10 email client, and printing, but so far no events have appeared.
I would suggest reviewing the KB:
How to set up an example syslog server for use with ePolicy Orchestrator
Technical Articles ID: KB87927
Thank you for the suggestion. That is good info to have regarding syslog from the ePO server.
But this new feature in DLP 11.2 is a setting for the DLPe Windows Client, with its own IP address setting, and no provision for SSL. It is just plain UDP to port 514 (by default). This implies that the DLPe agents at each Windows desktop are separately sending syslog events to a syslog server specified in the policy.
The setting looks like this in Data Loss Prevention 11.2 > Windows Client Configuration > Default Windows Client Configuration:
Today, I have this enabled at all Windows desktops, but no events are arriving at a test syslog server set up at the IP address 10.1.2.12. I can send syslog events to that address from other sources okay.
So I am still trying to find out how one sets this new feature up, how it can be tested and verified, and what use one can make of it.
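Since the thread describes the client setting as plain UDP to port 514 with no answer yet on which host actually emits the datagrams, a throwaway receiver that records the source IP of every packet it gets is the quickest way to settle that. The following is an added example, not code from the thread or from McAfee: a minimal UDP syslog listener that parses the RFC 3164/5424 PRI header, keeps a per-source count, and reports malformed datagrams rather than dropping them. The sample datagrams at the bottom are constructed for illustration; the hostname, tag and message text are not real DLPe output. Binding to 514 needs root/admin, so the listener takes a port argument for running unprivileged on e.g. 5514, with the ePO policy pointed at that port.

```python
import re
import socket
import sys
from collections import Counter

# Every syslog datagram (RFC 3164 or RFC 5424) starts with "<PRI>",
# where PRI = facility * 8 + severity, and PRI <= 191.
PRI_RE = re.compile(rb"^<(\d{1,3})>")

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram: bytes) -> dict:
    """Decode one UDP syslog datagram. Malformed input is reported as
    invalid rather than discarded, so an unexpected sender still shows up."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return {"valid": False, "raw": datagram.decode("utf-8", "replace")}
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)
    body = datagram[m.end():].decode("utf-8", "replace")
    return {
        "valid": True,
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        # RFC 5424 puts a version number ("1 ") right after the PRI.
        "version": "5424" if body.startswith("1 ") else "3164",
        "message": body,
    }


def summarize(packets):
    """packets: iterable of ((ip, port), datagram).
    Returns (per-source packet counts, parsed records with source attached),
    which is what answers 'which host is actually sending?'."""
    per_source = Counter()
    records = []
    for (ip, _port), data in packets:
        per_source[ip] += 1
        rec = parse_syslog(data)
        rec["source"] = ip
        records.append(rec)
    return per_source, records


def listen(bind_addr="0.0.0.0", port=514, max_packets=None):
    """Blocking UDP receiver; yields ((ip, port), datagram) for each packet."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    seen = 0
    try:
        while max_packets is None or seen < max_packets:
            data, addr = sock.recvfrom(65535)
            yield addr, data
            seen += 1
    finally:
        sock.close()


# Constructed sample datagrams (not real DLPe output) for an offline dry run.
SAMPLE_PACKETS = [
    (("10.1.2.50", 51001), b"<134>Feb  3 10:11:12 DESKTOP1 dlpagent: example event"),
    (("10.1.2.50", 51002), b"<13>1 2019-02-03T10:11:12Z DESKTOP1 dlpagent - - - example"),
    (("10.1.2.51", 51003), b"not syslog at all"),
]


if __name__ == "__main__":
    # Usage: python syslog_probe.py [port] [max_packets]; no args = offline dry run.
    if len(sys.argv) > 1:
        port = int(sys.argv[1])
        limit = int(sys.argv[2]) if len(sys.argv) > 2 else None
        counts, records = summarize(listen(port=port, max_packets=limit))
    else:
        counts, records = summarize(SAMPLE_PACKETS)
    for rec in records:
        print(rec)
    print("packets per source IP:", dict(counts))
```

If the per-source table stays empty while other senders reach the same host, the problem is upstream of the receiver (policy not enforced, client firewall, or the events are not being generated); if it fills with desktop addresses, the clients are sending directly. A packet capture on the receiver filtered on `udp port 514` gives the same answer without any code.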