Dear All,
We are integrating DLP with a SIEM solution (Splunk). I need the incidents to be sent to Splunk as syslog, for which I configured a syslog response rule with the hostname, port and the syslog message required by Splunk.
I created a Test policy with the "Log to a Syslog Server" response rule and created test incidents.
I am not able to receive any incidents/traffic from Splunk, even after checking the following:
1. Firewall Access for syslog port from Enforce Server to Splunk server.
2. Response rule is being triggered in Incident History
I need information/help on the following:
1. Is there a specific pattern in which the hostname and port number should be written in the Response Rule?
2. Are there any changes to be done on the Enforce Server (Windows) to be able to produce syslog?
3. Is there a way I can check whether the syslog is being generated on the Enforce Server and sent to Splunk?
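As an added example (not part of the original post or of any vendor tool), a small Python UDP syslog listener that can answer question 3: run it on the Splunk host (or any test host reachable from Enforce) on the port the response rule targets, trigger a test incident, and see whether datagrams arrive and how their PRI/facility/severity and body parse. It assumes the rule sends over UDP; the sample message, hostname and port below are constructed.

```python
import re
import socket
import threading
import time

# Constructed sample of a BSD-style (RFC 3164) syslog datagram; the real body is
# whatever message template the response rule is configured with.
SAMPLE = b"<134>Jan 12 10:15:32 enforce01 DLP: Incident ID=12345 Policy=Test Severity=High"
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(raw: bytes) -> dict:
    """Split a syslog datagram into PRI, facility, severity and body."""
    m = PRI_RE.match(raw)
    if not m:
        # No <PRI> header: Splunk will still index the line, but not as well-formed syslog.
        return {"pri": None, "facility": None, "severity": None, "body": raw.decode(errors="replace")}
    pri = int(m.group(1))
    return {"pri": pri, "facility": pri >> 3, "severity": pri & 7, "body": m.group(2).decode(errors="replace")}


def listen_udp(port: int, timeout: float, max_msgs: int = 10) -> list:
    """Bind the target port, collect datagrams until timeout or max_msgs,
    and return the parsed messages tagged with the sender's address."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))  # on the Splunk host, stop the Splunk input first
        s.settimeout(timeout)
        while len(received) < max_msgs:
            try:
                data, (src, _) = s.recvfrom(65535)
            except socket.timeout:
                break
            rec = parse_syslog(data)
            rec["source"] = src  # should be the Enforce Server's address
            received.append(rec)
    return received


def send_udp(host: str, port: int, raw: bytes) -> None:
    """Send one datagram; run from the Enforce host to test the path to Splunk."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(raw, (host, port))


if __name__ == "__main__":
    # Loopback self-check: listen on a constructed port, send the sample, print what arrived.
    port, result = 5514, []
    t = threading.Thread(target=lambda: result.extend(listen_udp(port, 2.0, 1)))
    t.start()
    time.sleep(0.2)  # give the listener time to bind before sending
    send_udp("127.0.0.1", port, SAMPLE)
    t.join()
    print(result)
```

If nothing arrives here but the response rule shows as executed in Incident History, the problem is between Enforce and the network (rule target, local firewall, UDP vs TCP), not Splunk's input configuration.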