Vontu (refusing to use the S word) DLP does not syslog details of incidents. You can however generate email with the info. Coupled with the Oracle-based audit logs one could put together a pretty decent integration solution. The web filter we use reports usernames differently too so this project will leverage some normalization so different attempts to smuggle data by the same user can be correlated. If there is a better way let me know but if you are game for the challenge I will maintain the conversation and progress here for other end users to benefit.
7/10/2009 - A scheduled task running a packaged perl script to check a POP3 mailbox is forthcoming. I don't want to install Perl (or anything else) so I can limit the third-party apps and associated vulnerabilities. The Net:: POP3 module is working like a champ to download the messages into flat files. Now for a little parsing so we can use the Syslog module to fire into enVision without messing with file reader. Less is more right?
5/3/2010 - With SymantecDLP 10.0 you can now log at least some meaningful data via syslog limiting the need to bring the SMTP component online. Good thing too as I have had no time to work on it. I will create another thread in the Event Source Sharing section of the IC with a rudimentary setup for the product.
AlertFormat.txt - Vontu SMTP response rule configuration. I took out some variables because they are not suitable for our purpose. The idea is to make only one response rule and read only the applicable fields.
There are several instances where an SMTP reader would be ideal. Other tools have email alerting that you might want to get into Envision, so that you can do reporting and such.
I look forward to a response from RSA on your SMTP reader question.