Control and limit the size of the event uploaded from the endpoint in RSA Data Loss Prevention 9.6 and later
Originally Published: 2016-08-29
Article Number
000059341
Applies To
RSA Product Set: DLP
RSA Product/Service Type: Enterprise Manager, Endpoint
RSA Version/Condition: 9.6 and above
Platform: Windows
Issue
When DLP violations occur at DLP Endpoint, the file in violation is also uploaded along with the event details.
An advanced configuration setting can control and limit the DLP Endpoint event file size.

The default is 5 MB. No additional violation files are attached to the event zip if the overall size of the event zip exceeds the configured or default limit.
Resolution
To control the overall size of the event zip, change the Advanced Endpoint Configuration / Override Configuration on the Endpoint page of DLP Enterprise Manager:
  1. Open DLP Enterprise Manager
  2. Select Admin tab
  3. Select Endpoint menu
  4. Select Endpoint Groups
  5. Choose the appropriate Endpoint Group from the list of groups
  6. Select Edit to configure the selected Endpoint Group
  7. Locate the Tech Support Only section and click to expand the Advanced Endpoint Configuration.
  8. Then add the Advanced Endpoint Configuration to the Override Configuration field.
This example limits the event zip file to a maximum of 3 MB; no further attachments are added to an event once its zip file goes beyond 3 MB:
<Advanced> 
<MaxEventFileSizeMB>3</MaxEventFileSizeMB> 
</Advanced>
 
  9. Save the changes. The updated Endpoint configuration will be pushed to the associated Endpoint(s) from Enterprise Manager.
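
A check for the override fragment before it is pasted into the Override Configuration field, added here as an example and not RSA's own code. It confirms the text is well-formed and uses the element names shown in this article. It assumes the limit must be a positive whole number of MB, and `check_override` and `compare_with_default` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

DEFAULT_LIMIT_MB = 5  # default stated in the article


def check_override(fragment):
    """Return (limit_mb, problems); limit_mb is None when no usable limit is found."""
    try:
        root = ET.fromstring(fragment.strip())
    except ET.ParseError as exc:
        return None, [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "Advanced":
        problems.append(f"root element is <{root.tag}>, article uses <Advanced>")
    limits = root.findall("MaxEventFileSizeMB")
    if len(limits) != 1:
        problems.append(f"expected one <MaxEventFileSizeMB>, found {len(limits)}")
        return None, problems
    text = (limits[0].text or "").strip()
    # Assumption: the limit is a positive whole number of megabytes.
    if not (text.isascii() and text.isdigit()) or int(text) == 0:
        problems.append(f"limit {text!r} is not a positive whole number")
        return None, problems
    return int(text), problems


def compare_with_default(limit_mb):
    """Describe the effect relative to the 5 MB default."""
    if limit_mb < DEFAULT_LIMIT_MB:
        return "below default: attachments stop being added at a smaller event zip"
    if limit_mb > DEFAULT_LIMIT_MB:
        return "above default: event zips may grow larger before attachments stop"
    return "same as default"


# Constructed sample fragments: the article's example plus two typical slips.
SAMPLES = {
    "article example": "<Advanced>\n<MaxEventFileSizeMB>3</MaxEventFileSizeMB>\n</Advanced>",
    "unit in value": "<Advanced><MaxEventFileSizeMB>3MB</MaxEventFileSizeMB></Advanced>",
    "unclosed tag": "<Advanced><MaxEventFileSizeMB>3</Advanced>",
}

if __name__ == "__main__":
    for name, fragment in SAMPLES.items():
        limit, problems = check_override(fragment)
        note = compare_with_default(limit) if limit is not None else "no usable limit"
        print(f"{name}: limit={limit} ({note}) problems={problems}")
```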