Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Report Center > Exporting data to a third-party SIEM tool
Exporting data to a third-party SIEM tool
Use the Reporting > Account Reports > SIEM Integration page to format reporting data for use by a third-party SIEM tool. Select data columns and apply filters to the data, just as you do in other areas of the Report Center (for Web, see Using the Transaction Viewer, for Email, see Using Message Details).
Before data can be exported, you need to configure SIEM Storage details. Navigate to Account > SIEM Storage to select a storage type and configure your own storage if you do not wish to use Forcepoint storage (the default). See Configuring SIEM storage for details.
After selecting the type of data that you want to export to your SIEM tool, define the data format, and enable SIEM data export.
To configure and enable SIEM integration:
1.
*
*
2.
Use the Columns drop-down list, or drag items into the report panel from the Attributes or Metrics lists to customize the information that will appear in the exported data. You can drag columns in the report panel to re-order them.
The default columns vary, depending on which data type you have selected.
The number of columns allowed also varies, depending on the data type. For Web Security, the limit is 35. For Email Security, the limit is 25.
See Report attributes: Web and Data Security or Email report attributes for additional infomation.
3.
Drag items from the Attributes or Metrics lists to the Filters field to define any filters you want to apply to your reporting data before it is exported. On the popup that appers, use the drop-down list to define how the filter handles the value that you specify.
The attributes available for use as Filters is a subset of those available to add as a column. Customers exporting Web data can select filters for the following:
*
*
*
*
*
*
*
Customers exporting Email data can select filters for:
*
*
*
Only data that matches the selected filters will be included in the downloadable files.
 
Note 
4.
 
Note 
Enable data export cannot be set to ON unless a valid storage option has been configured on Account > SIEM Storage.
*
Forcepoint storage is enabled but no logs have been downloaded for 30 days.
*
Bring your own storage is enabled but no SIEM data could be forwarded to the active bucket for 14 days.
Click Refresh to display the last 2 hours of data.
5.
Using Bring your own storage
The output generated by the export process is forwarded to the active AWS S3 bucket listed on the SIEM Storage page. Files are assigned names using the format web|email_<accountid>_<timestamp>_<server>_<timestamp>.csv.gz, and will use any prefix values defined for the bucket.
Using Forcepoint storage
To get the formatted SIEM data to your network, you can either use the sample Perl script included in the zip file linked at the top of the SIEM integration page, or create a script of your own. The account used to run this script must have "Log Export" permissions (see Running the SIEM log file download script for Forcepoint storage for more information about using the script) but permission to log onto the portal is not required.
 
Note 
If you give this contact only the Log Export permission and nothing else, the user name and password cannot be used to log on to the cloud portal. Although log on permissions are not needed to run the script, the View Reports permission is the minimum permission a user needs to be able to log on.
To download the sample script:
1.
2.
*
*
Note that adding parameters to the command line when executing the script will override the parameters in the config file.
*
*
The set of library files and the script should always be kept together in the same folder. The configuation file can be located in a different folder, if necessary. The path to it can be included in the cfg file paramter.
 
Warning 
The script can be run on Windows or Linux, and does the following:
*
*
*
*
*
Whether they have been downloaded or not, files that are 14 days old are deleted.
 
Note 
If you customize the sample script or choose to write your own script, you must always include the DELETE method to avoid listing the same files again and to remove the downloaded files from the server. This is because files are only retained for 14 days.
Optionally, you can use the Windows Scheduler or Linux cron and crontab commands to schedule the script to run at regular intervals. Use the infinite_loop option (see Running the SIEM log file download script for Forcepoint storage) to run the script as a backgroud process.
For information about using the sample script, see Running the SIEM log file download script for Forcepoint storage.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Report Center > Exporting data to a third-party SIEM tool
Copyright 2020 Forcepoint. All rights reserved.