Setting up SIEM integration
Forcepoint Web Security Cloud | Getting started with SIEM Integration
SIEM logging permissions are available by default. To set up SIEM logging in the cloud portal:
1. We strongly recommend that the log download process has its own user name and password to gain access to the Forcepoint Web Security Cloud service. This keeps the process separate from your other administration tasks and enables you to establish longer password expiration policies.
2.
3.
Create a new administrator contact for Forcepoint storage
To create the new contact:
1.
2.
3. Enter identifying information for the new contact in the First name and Surname fields. For example, "SIEM" and "Logging."
4. Click Submit.
5. Click the link provided to supply a User name for the account.
6.
7.
8. Under Account Permissions, check the Log Export box, and any other permissions you want to give this user. You can act as an administrator from this logon.
Note: If you give this contact only the Log Export permission and nothing else, the user name and password cannot be used to log on to the cloud portal. Although logon permissions are not needed to run the download script, the View Reports permission is the minimum permission a user needs to be able to log on.
9. Click Submit.
Enable SIEM logging
Use the Account > SIEM Storage page of the cloud portal to configure the storage options for SIEM output generated on the Reporting > Account Reports > SIEM Integration page. See Configuring SIEM Storage for details.
The Reporting > Account Reports > SIEM Integration page is used to format reporting data for use by a third-party SIEM tool and enable the generation of the log files.
 
Note: The option to export data cannot be set to ON unless a valid storage option has been configured on Account > SIEM Storage.
* Forcepoint storage is enabled but no logs have been downloaded for 30 days.
* Bring your own storage is enabled but no SIEM data could be forwarded to the active bucket for 14 days.
See Exporting data to a third-party SIEM tool in Help for details on formatting the data.
Using Bring your own storage
The output generated by the export process is forwarded to the active AWS S3 bucket listed on the SIEM Storage page. Files are assigned names using the format web|email_<accountid>_<timestamp>_<server>_<timestamp>.csv.gz, and will use any prefix values defined for the bucket.
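The following is an added example, not part of the Forcepoint documentation or its sample script, showing how a defender can parse the documented object names from a bucket listing and check whether exports have gone stale (the page notes that Bring your own storage export stops if nothing could be forwarded for 14 days). The page gives only the name pattern; the regex and the interpretation of its fields are assumptions: the account id and both timestamps are taken to be decimal digits, the timestamps to be Unix epoch seconds (start and end of the covered interval), and the server token to contain no underscore. The bucket prefix "exports/siem/" and the object keys are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Pattern for the documented object name
#   web|email_<accountid>_<timestamp>_<server>_<timestamp>.csv.gz
# Assumptions not stated on the page: the account id and both timestamps are
# decimal digits, the timestamps are Unix epoch seconds (first = start of the
# covered interval, second = end), and the server token contains no underscore.
SIEM_FILE_RE = re.compile(
    r"^(?P<product>web|email)_(?P<account_id>\d+)_(?P<start>\d+)"
    r"_(?P<server>[^_/]+)_(?P<end>\d+)\.csv\.gz$"
)


def utc_from_epoch(seconds):
    """Convert Unix epoch seconds to a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)


def parse_siem_object_key(key, prefix=""):
    """Parse one S3 object key. Returns a dict, or None if the key is not a SIEM
    export under the given bucket prefix (unrelated objects are simply skipped)."""
    if not key.startswith(prefix):
        return None
    match = SIEM_FILE_RE.match(key[len(prefix):])
    if not match:
        return None
    fields = match.groupdict()
    start = utc_from_epoch(fields["start"])
    end = utc_from_epoch(fields["end"])
    if end < start:
        return None  # malformed name: interval ends before it starts
    return {
        "product": fields["product"],
        "account_id": fields["account_id"],
        "server": fields["server"],
        "start": start,
        "end": end,
    }


def newest_export(keys, prefix=""):
    """Return the parsed record with the latest end timestamp, or None if nothing matched."""
    records = [r for r in (parse_siem_object_key(k, prefix) for k in keys) if r]
    return max(records, key=lambda r: r["end"]) if records else None


def export_age_days(keys, now, prefix=""):
    """Days since the most recent export interval ended; None if no export was found."""
    newest = newest_export(keys, prefix)
    if newest is None:
        return None
    return (now - newest["end"]).total_seconds() / 86400


def export_at_risk(keys, now, limit_days, prefix=""):
    """True when no export is present or the newest one is older than limit_days."""
    age = export_age_days(keys, now, prefix)
    return age is None or age > limit_days


# Constructed sample keys, as a bucket listing might return them (prefix "exports/siem/").
SAMPLE_KEYS = [
    "exports/siem/web_1234567_1700000000_srv01_1700003600.csv.gz",
    "exports/siem/email_1234567_1700003600_srv02_1700007200.csv.gz",
    "exports/siem/web_1234567_1699990000_srv01_1699993600.csv.gz",
    "exports/siem/README.txt",                                      # unrelated object
    "other/web_1234567_1700010000_srv01_1700013600.csv.gz",         # outside the prefix
    "exports/siem/web_1234567_1700020000_srv01_1700016400.csv.gz",  # end before start
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("newest export:", newest_export(SAMPLE_KEYS, prefix="exports/siem/"))
    print("age in days:", export_age_days(SAMPLE_KEYS, now, prefix="exports/siem/"))
    print("at risk (14-day limit):",
          export_at_risk(SAMPLE_KEYS, now, 14, prefix="exports/siem/"))
```

In practice the key list would come from an S3 listing of the active bucket; running the check on a schedule and alerting well before the 14-day limit gives time to repair the bucket policy or credentials before the portal switches export off.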
Using Forcepoint storage
To get the formatted SIEM data to your network when Forcepoint storage has been selected as the Storage type on the SIEM Storage page, you can either use the sample Perl script included in the zip file linked at the top of the SIEM integration page, or create a script of your own. The account used to run this script is the one created in Create a new administrator contact for Forcepoint storage.
See Running the SIEM log file download script for Forcepoint Storage in Help for details on formatting the data and downloading and using the script.
Schedule log file download for Forcepoint storage
Once you have run an initial download and determined the parameters you want to use in your script, set up a scheduled service to run automatic downloads.
We recommend that you download the log files at least once a day. To avoid periods of high network traffic, select a random time for the download (for example, somewhere between 10 and 50 minutes past the hour).
Scheduling on Windows
Before scheduling downloads from the cloud service, make sure that the Windows Task Scheduler service is started. To check this:
1. Open the Windows Services tool.
2. Scroll down to Task Scheduler.
*
*
Otherwise, click Start or Resume to start the service.
To schedule the log file download:
1. Open the Windows Scheduled Tasks tool.
2. Select Add/Create Scheduled Task.
3.
*
*
*
*
<full path>\log_export_siem_v2_0.pl --cfgfile <full path>\log_export_siem.cfg
*
*
Mark the Open the properties.... checkbox, then click Finish.
4.
*
*
5.
Scheduling on Linux
Create a cron job to schedule your script to run at the times you want. For more information on Linux, see man cron and man crontab.
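As an added example (not part of the Forcepoint documentation or its sample script), the helper below builds a daily crontab line for the download script that follows the recommendations above: it runs once a day at a random minute between 10 and 50 past the hour, and it can also check an existing crontab line against those recommendations. The install paths and the log file are assumptions, since the page only shows "<full path>" placeholders; the script and config file names are the ones on the page.

```python
import random

# Assumed locations; the page gives only "<full path>" placeholders.
SCRIPT = "/opt/forcepoint/log_export_siem_v2_0.pl"
CFGFILE = "/opt/forcepoint/log_export_siem.cfg"
LOGFILE = "/var/log/forcepoint_siem_download.log"


def crontab_entry(hour, minute=None, script=SCRIPT, cfgfile=CFGFILE, logfile=LOGFILE):
    """Return a crontab line that runs the download once a day at the given hour.
    If no minute is given, pick one at random between 10 and 50 past the hour,
    as the page recommends, so downloads do not all land on the hour."""
    if minute is None:
        minute = random.SystemRandom().randint(10, 50)
    command = f"perl {script} --cfgfile {cfgfile} >> {logfile} 2>&1"
    return f"{minute} {hour} * * * {command}"


def check_entry(line):
    """Return a list of findings for a crontab line that departs from the
    recommendations: fixed minute in 10..50, at least daily, config file passed."""
    fields = line.split(None, 5)
    if len(fields) < 6:
        return ["not a five-field crontab schedule followed by a command"]
    minute, hour, dom, month, dow, command = fields
    findings = []
    if not minute.isdigit() or not 10 <= int(minute) <= 50:
        findings.append("minute should be a fixed value between 10 and 50 past the hour")
    # Any hour field (a fixed hour, a list or "*") already runs at least daily;
    # restricting day-of-month, month or day-of-week would not.
    if (dom, month, dow) != ("*", "*", "*"):
        findings.append("day fields restrict the job; it must run at least once a day")
    if "--cfgfile" not in command:
        findings.append("command does not pass --cfgfile to the download script")
    return findings


if __name__ == "__main__":
    entry = crontab_entry(hour=3)
    print(entry)
    print("findings:", check_entry(entry) or "none")
```

Add the printed line with crontab -e under the account that owns the downloaded files, and point the cfgfile at the configuration you settled on during the initial manual run.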

Copyright 2022 Forcepoint. All rights reserved.