San Francisco Bay Area Data Loss Prevention User Group

  • 1.  "Key Indicators" on LINUX Network Prevent for eMail servers

    Posted Sep 20, 2012 07:39 PM

    In getting ready to deploy v11.6 (on RHEL 5.8) in forwarding mode, the question came up, "We have to provide health metrics on the status of every technology in the email message chain.  So:

    1) Is there a port that, being open on the DLP box, tells us the DLP services are actually processing email messages (instead of just running)? OR...

    2) Are there "start-stop" events on the DLP box (or that they invoke on the upstream or downstream SendMail servers) that tell us the DLP services are actually processing (not just running)?"

    Anyone have a good answer to identify such "key indicator(s)"? Just monitoring that the "service" is running is not the answer being sought.


    Thank you,

    --Tom
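    The distinction Tom is asking about, "running" versus "actually processing", can be made from the server's own logs without any vendor-specific port. The following is an added example, not code from the thread or from Symantec: it assumes a hypothetical syslog-style feed in which the Prevent service emits a periodic `ServiceHeartbeat` line and writes a `MessageProcessed` line for every message it forwards. Those event names, the line layout and the sample lines are all constructed for illustration; a real deployment would substitute the actual log lines (or the syslog/SIEM feed mentioned later in the thread). The check reports three states so that a fresh heartbeat with no message traffic is visible as its own condition rather than being mistaken for health.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, NOT Symantec DLP's real log layout).
# Assumption: each forwarded message leaves a 'MessageProcessed' line and the
# service emits a 'ServiceHeartbeat' line every five minutes while it is up.
SAMPLE_LOG = """\
2012-09-20 19:00:05 dlp-prevent01 NetworkPrevent: ServiceHeartbeat
2012-09-20 19:01:12 dlp-prevent01 NetworkPrevent: MessageProcessed id=c1 verdict=pass
2012-09-20 19:03:40 dlp-prevent01 NetworkPrevent: MessageProcessed id=c2 verdict=block
2012-09-20 19:05:05 dlp-prevent01 NetworkPrevent: ServiceHeartbeat
2012-09-20 19:10:05 dlp-prevent01 NetworkPrevent: ServiceHeartbeat
2012-09-20 19:15:05 dlp-prevent01 NetworkPrevent: ServiceHeartbeat
this line is malformed on purpose and must be ignored
"""

# timestamp, host, program:, event name; anything after the event name is ignored
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \S+: (?P<event>\w+)"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_events(text):
    """Turn log text into a list of (timestamp, event_name); unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.strptime(m["ts"], TS_FMT), m["event"]))
    return events


def health_state(events, now, window=timedelta(minutes=15), heartbeat_max=timedelta(minutes=6)):
    """Classify the hop at time `now` as 'down', 'running_idle' or 'processing'.

    down          : no heartbeat within heartbeat_max (the service is not even running)
    running_idle  : heartbeat is fresh, but nothing was processed within `window`
    processing    : at least one message was processed within `window`
    Only 'processing' answers the "actually processing, not just running" question.
    """
    heartbeats = [t for t, e in events if e == "ServiceHeartbeat"]
    if not heartbeats or now - max(heartbeats) > heartbeat_max:
        return "down"
    recent = [t for t, e in events if e == "MessageProcessed" and now - t <= window]
    return "processing" if recent else "running_idle"


def throughput_per_minute(events, now, window=timedelta(minutes=15)):
    """Messages processed per minute over the trailing window; a usable health metric."""
    count = sum(1 for t, e in events if e == "MessageProcessed" and now - t <= window)
    return count / (window.total_seconds() / 60)


def state_at(text, now_str):
    """Convenience wrapper: parse `text` and classify it as of the given 'YYYY-MM-DD HH:MM:SS'."""
    return health_state(parse_events(text), datetime.strptime(now_str, TS_FMT))


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for now_str in ("2012-09-20 19:16:00", "2012-09-20 19:19:30", "2012-09-20 19:30:00"):
        now = datetime.strptime(now_str, TS_FMT)
        print(now_str, health_state(ev, now), f"{throughput_per_minute(ev, now):.3f} msg/min")
```

Running the block walks the same sample through three points in time: just after the last message it reports `processing`, a few minutes later (heartbeats still fresh, no traffic in the window) it reports `running_idle`, and once the heartbeats stop it reports `down`. A monitoring system would alert on both of the last two states, and the `running_idle` window should be tuned to the real mail volume so that a quiet overnight period is not reported as a failure.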



  • 2.  RE: "Key Indicators" on LINUX Network Prevent for eMail servers

    Posted Sep 21, 2012 12:28 AM

    Tom,


    There is a message wait time you can look at; also, under System > Servers > Alerts you can configure a server alert for a particular warning of info, severe and warning severity...


    Not sure this is what you are looking for? Are you using any type of SIEM or syslog server?



  • 3.  RE: "Key Indicators" on LINUX Network Prevent for eMail servers

    Posted Sep 21, 2012 04:45 PM

    Thanks for pointing us to the Systems Alerts.

    Can anyone share with me your set of System Alerts? I am especially looking for ones applicable to Prevent for Email in forwarding mode.

    In reading through the various configuration options and events, it seems there would be a common way of configuring a standard set of conditions (with event codes) specific to each mode option (reflective and forwarding). The event codes I think one would want to see would be: 1501, 1503 and 2305 for either mode.

    As well as for each sensor and the Enforce server. A quick search here did not produce any results, none for any of the sensors nor for Enforce.

    Our initial roll-out of components are:

    • Enforce
    • Network Monitor
    • Network Prevent for Email (forwarding mode)
    • Network Prevent for Web (ICAP REQMOD and RESPMOD with Bluecoats)
    • Network Discover

    TIA



  • 4.  RE: "Key Indicators" on LINUX Network Prevent for eMail servers

    Posted Sep 24, 2012 11:21 AM

    Tom,


    Do you have anything like SolarWinds you can use for reporting? Or a SIEM/syslog server you can report to to generate alerts? Send me a message and let me see what I can do for you.