Security Information and Event Management (SIEM) integration

Documentation | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Getting Started > Security Information and Event Management (SIEM) integration

Security Information and Event Management (SIEM) integration

Administrator Help | Forcepoint Email Security | Version 8.5.x

Third-party security information and event management (SIEM) tools allow the logging and analysis of internal alerts generated by network devices and software. Integration with SIEM technology allows the transfer of message activity events to a SIEM server for analysis and reporting.

Third-party SIEM providers may not support FIPS 140-2 Level 1 certified cryptography. Contact your SIEM provider for more information about FIPS-certified cryptography.

Access SIEM integration settings on the page Settings > General > SIEM Integration.

Enable and configure SIEM integration

1.

On the page SIEM Integration, mark the check box Enable SIEM integration for all email appliances.

SIEM configuration settings are enabled for editing.

2.

In the entry field IP address or hostname, enter the IP address or hostname for the SIEM integration server.

3.

In the entry field Port, enter the port number for the SIEM integration server.

The default is 514.

4.

From the section Transport protocol, select the protocol used for data transport; UDP or TCP.

User datagram protocol (UDP) is a transport layer protocol in the Internet protocol suite. UDP is stateless and therefore faster than transmission control protocol (TCP), but can be unreliable. Like UDP, TCP is a transport layer protocol, but provides reliable, ordered data delivery at the expense of transport speed.


	Tip When using TCP, it is recommended to end all logs with %<\n>.

5.

From the pull-down menu SIEM format, select the format to be used in SIEM logs.

The format determines the syntax of the string used to pass log data to the integration.

The available formats are syslog/CEF (ArcSight), syslog/key-value pairs (Splunk and others), syslog/LEEF (QRadar), and Custom.

The text boxes populate with CEF format when Custom is selected, and can be edited as needed. The maximum size for each format is 2048 characters. Logs are not saved to the SIEM server for any log fields left blank. Selection of a new template returns any edited custom format to the default.

Sample formats display for non-custom options.

6.

Confirm that the SIEM product is properly configured and can receive messages from the email software; click Send Test Message.

Check the SIEM Server log entries to verify that the test message is delivered.

7.

From the bottom of the page SIEM Integration, click OK.

The SIEM configuration settings are saved. See SIEM: Email Logs.

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Getting Started > Security Information and Event Management (SIEM) integration

Copyright 2022 Forcepoint. All rights reserved.