000033893 - Control and limit the size of the event uploaded from the endpoint in RSA Data Loss Prevention 9.6 and later

Document created by RSA Customer Support Employee on Sep 6, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000033893
Applies ToRSA Product Set: DLP
RSA Product/Service Type: Enterprise Manager, Endpoint
RSA Version/Condition: 9.6 and above
Platform: Windows
IssueWhen DLP violations occur at DLP Endpoint, the file in violation is also uploaded along with the event details.
There is advance configuration is configurable and can control and limit the DLP Endpoint event file size.

The default is 5 MB. No additional violation file(s) is attached to the event zip if the overall size of the event zip exceeds the configured or default limit.
ResolutionTo control the overall size of the event zip. This Advanced Endpoint Configuration / Override Configurations can be changed on DLP Enterprise Manager at Endpoint page
  1. Open DLP Enterprise Manager
  2. Select Admin tab
  3. Select Endpoint menu
  4. Select Endpoint Groups
User-added image

  1. Choose the appropriate Endpoint Group from the groups list
User-added image

  1. Select Edit to configure the selected Endpoint Group
User-added image

  1. Locate Tech Support Only section and click to expand the Advanced Endpoint Configuration.
  2. Then add the Advanced Endpoint Configuration into Override Configuration field.
This example will limit the maximum event zip file to be 3 MB and not add further attachments to events when event zip file go beyond 3 MB

<Advanced> 
<MaxEventFileSizeMB>3</MaxEventFileSizeMB> 
</Advanced>

 
User-added image

  1. Save the changes. Updated Endpoint configuration changes will be pushed to the associated Endpoint(s) from Enterprise Manager
 
 

Attachments

    Outcomes