No Incidents Generated: Data in Motion (RSA Data Loss Prevention Suite 8.x, 9.x)
RSA DLP 8.x, 9.x
No Network Events Generated. After deploying RSA DLP, particularly when only the Network component (Data in Motion) is installed, the RSA DLP User Interface may display no Incidents or Events. Three questions are presented: 1. Is the sensor seeing traffic? 2. Does the sensor classify the traffic it receives? 3. Is there a break in the RSA DLP Network Infrastructure? This solution covers the case where the sensor sees the appropriate traffic and is able to classify it, and there is NO break in the RSA DLP Network Infrastructure, yet no events appear.
Data flow through the RSA DLP Network product is actually quite straightforward. It can seem daunting, however, unless one understands where the data originates, where it goes and at which points it may be held along the way. This solution assumes that the data has already progressed from a source to the sensor and through the Network Controller toward the Enterprise Manager. See the solutions for questions 1, 2 and 3 above, in that order, to troubleshoot the data flow up to that point. The four solutions, taken together, give a definitive, sequential troubleshooting procedure and should result in new network events being created.
To determine why no RSA DLP Events or Incidents are created, it is necessary to consider three devices and to answer the three questions above. The devices are the Sensor, the Network Controller and the Enterprise Manager. No other devices are at issue. The sensor collects and classifies the data traffic. The Network Controller periodically polls the sensor and collects the data when the sensor indicates that data has been collected. The Network Controller then periodically sends the data to the Enterprise Manager identified in the Controller's /opt/tablus/config/em-connector.properties file.
If data has been traced through the RSA DLP Network product from a source to the sensor and on to the controller, it should have reached the controller's /opt/tablus/controller/em/events folder. If the controller's auditmanager service was stopped during troubleshooting, files queue up in this folder. Starting the auditmanager service empties the folder: the files are transported to the Enterprise Manager's C:\RSA\em\events directory. Be sure that the Enterprise Manager identified in /opt/tablus/config/em-connector.properties is, in fact, the correct EM and that it is available. (A ping to both the EM's IP address and its hostname should get a reply; if the IP address answers but the hostname does not, the controller has a name-resolution problem rather than an EM availability problem.) If events are still not generated, this is a strong indication of a database connectivity or configuration issue. Contact the appropriate DBA for further troubleshooting. (If events are created but the RSA DLP Dashboard remains unpopulated, that is a separate database issue; DBA assistance will still be required.)
Note that under some conditions the auditmanager service is shown as running, yet files still queue up in the /opt/tablus/controller/em/events folder. If restarting the auditmanager service empties the folder, investigate why a restart was needed; otherwise the problem is likely to recur.
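The checks described above (queue depth in the controller's events folder, whether that queue is draining while auditmanager reports as running, which EM the connector properties point at, and whether that EM answers a ping by name and by address) can be run from one POSIX shell script on the Network Controller. The script below is an added example for this article, not RSA's own tooling. It assumes the property key that names the Enterprise Manager in em-connector.properties is `em.host` (the article does not state the real key name, so pass the correct one as the third argument), that the auditmanager process can be found with `pgrep -f auditmanager`, and a 30-second sampling interval for the queue-drain check.

```sh
#!/bin/sh
# dlp_controller_check.sh: added diagnostic helper for the RSA DLP Network Controller.
# Not part of RSA DLP. Paths below are the ones named in the article; the property
# key "em.host" and the 30 s sampling interval are assumptions, override as needed.

EVENTS_DIR_DEFAULT=/opt/tablus/controller/em/events
PROPS_DEFAULT=/opt/tablus/config/em-connector.properties

# count_queued_events DIR -> prints the number of regular files waiting in DIR.
# Returns 2 if DIR does not exist (a missing queue folder is itself a finding).
count_queued_events() {
    dir=${1:-$EVENTS_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# queue_delta DIR SECONDS -> prints (count after SECONDS) - (count now).
# A non-negative delta while files are queued means the queue is not draining.
queue_delta() {
    dir=$1
    wait=${2:-30}
    a=$(count_queued_events "$dir") || return $?
    sleep "$wait"
    b=$(count_queued_events "$dir") || return $?
    echo $((b - a))
}

# em_host PROPS KEY -> prints the value of KEY from a Java-style .properties file
# (accepts "key=value" or "key: value", ignores comment lines, trims whitespace).
em_host() {
    props=${1:-$PROPS_DEFAULT}
    key=$2
    [ -f "$props" ] || { echo "missing file: $props" >&2; return 2; }
    sed -n "s/^[[:space:]]*${key}[[:space:]]*[=:][[:space:]]*//p" "$props" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# service_running NAME -> 0 if a process matching NAME exists (assumption: pgrep is available).
service_running() {
    pgrep -f "$1" >/dev/null 2>&1
}

# em_reachable HOST -> 0 if one ICMP echo request gets a reply within 2 s.
em_reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# check_pipeline [EVENTS_DIR] [PROPS] [KEY] [SECONDS] -> prints findings, returns 1 on any problem.
check_pipeline() {
    dir=${1:-$EVENTS_DIR_DEFAULT}
    props=${2:-$PROPS_DEFAULT}
    key=${3:-em.host}
    wait=${4:-30}
    rc=0

    if service_running auditmanager; then
        echo "auditmanager: running"
    else
        echo "auditmanager: NOT running (start it; queued files should then drain)"
        rc=1
    fi

    n=$(count_queued_events "$dir") || return 2
    echo "queued event files in $dir: $n"
    if [ "$n" -gt 0 ]; then
        d=$(queue_delta "$dir" "$wait") || return 2
        if [ "$d" -ge 0 ]; then
            echo "queue not draining over ${wait}s (delta $d): auditmanager is stalled even if it shows as running"
            rc=1
        else
            echo "queue draining (delta $d over ${wait}s)"
        fi
    fi

    host=$(em_host "$props" "$key") || return 2
    if [ -z "$host" ]; then
        echo "no Enterprise Manager found under key '$key' in $props"
        return 1
    fi
    echo "Enterprise Manager per $props: $host"
    if em_reachable "$host"; then
        echo "EM reachable by the configured name/address"
    else
        echo "EM NOT reachable as '$host': check the EM, then name resolution on this controller"
        rc=1
    fi
    return $rc
}

# Run the full check only when invoked as: sh dlp_controller_check.sh run [dir] [props] [key] [secs]
case "${1:-}" in
    run) shift; check_pipeline "$@" ;;
esac
```

The drain check compares two samples, so a queue that receives new files at exactly the rate auditmanager ships them will show a zero delta and be flagged; treat that as a prompt to look at timestamps in the folder rather than as proof of a stall. Functions can also be sourced individually (`. ./dlp_controller_check.sh; count_queued_events`) when only one step is needed.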