Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Getting started with SIEM Integration : Setting up SIEM integration
Setting up SIEM integration
Forcepoint Web Security Cloud | Getting started with SIEM Integration
SIEM logging permissions are available by default. To set up SIEM logging in the cloud portal:
1.
Create a new administrator contact for Forcepoint storage.
We strongly recommend that the log download process has its own user name and password to gain access to the Forcepoint Web Security Cloud service. This keeps the process separate from your other administration tasks and enables you to establish longer password expiration policies.
2.
Enable SIEM logging.
3.
Schedule log file download for Forcepoint storage.
Create a new administrator contact for Forcepoint storage
To create the new contact:
1.
In the cloud portal, on the main toolbar, click Account, then select Contacts.
2.
Under the Contacts list, click Add.
3.
Enter identifying information for the new contact in the First name and Surname fields. For example, "SIEM" and "Logging."
4.
Click Submit.
5.
Click the link provided to supply a User name for the account.
6.
Enter a password for the contact. It must conform to the password policy on the main Contacts page.
7.
Enter a password expiration date for the contact. To avoid having to regularly update it, this should be different than the regular account settings; it should span a longer period. The maximum period is 365 days.
8.
Under Account Permissions, check the Log Export box, and any other permissions you want to give this user. You can act as an administrator from this logon.
 
* 
Note 
If you give this contact only the Log Export permission and nothing else, the user name and password cannot be used to log on to the cloud portal. Although log on permissions are not needed to run the download script, the View Reports permission is the minimum permission a user needs to be able to log on.
Minimum permissions should be given to this user. The user password is needed to run the script and is viewable in plain text. For that reason, it is recommended that this user not be one with permissions to modify reports or account policies.
9.
Click Submit.
Enable SIEM logging
Use the Account > SIEM Storage page of the cloud portal to configure the storage options for SIEM output generated on the Reporting > Account Reports > SIEM Integration page. See Configuring SIEM Storage for details.
The Reporting > Account Reports > SIEM Integration page is used to format reporting data for use by a third-party SIEM tool and enable the generation of the log files.
 
* 
Note 
The option to export data cannot be set to ON unless a valid storage option has been configured on Account > SIEM Storage.
The option is automatically set to OFF if:
*
Forcepoint storage is enabled but no logs have been downloaded for 30 days.
*
Bring your own storage is enabled but no SIEM data could be forwarded to the active bucket for 14 days.
Multiple emails are sent prior to disabling the export option.
See Exporting data to a third-party SIEM tool in Help for details on formatting the data.
Using Bring your own storage
The output generated by the export process is forwarded to the active AWS S3 bucket listed on the SIEM Storage page. Files are assigned names using the format web|email_<accountid>_<timestamp>_<server>_<timestamp>.csv.gz, and will use any prefix values defined for the bucket.
Using Forcepoint storage
To get the formatted SIEM data to your network when Forcepoint storage has been selected as the Storage type on the SIEM Storage page, you can either use the sample Perl script included in the zip file linked at the top of the SIEM integration page, or create a script of your own. The account used to run this script is the one created in Create a new administrator contact for Forcepoint storage.
See Running the SIEM log file download script for Forcepoint Storage in Help for details on formatting the data and downloading and using the script.
Schedule log file download for Forcepoint storage
Once you have run an initial download and determined the parameters you want to use in your script, set up a scheduled service to run automatic downloads.
We recommend that you download the log files at least once a day. To avoid periods of high network traffic, select a random time for the download (for example, somewhere between 10 and 50 minutes past the hour).
Scheduling on Windows
Before scheduling downloads from the cloud service, make sure that the Windows Task Scheduler service is started. To check this:
1.
Open the Windows Services tool.
2.
Scroll down to Task Scheduler.
*
If the status is Started, you need do nothing.
*
Otherwise, click Start or Resume to start the service.
To schedule the log file download:
1.
Open the Windows Scheduled Tasks tool.
2.
Select Add/Create Scheduled Task.
3.
Work through the Scheduled Task Wizard. Note that the steps involved may differ for each Windows version.
*
The network user name and password you provide is not the user name and password you set up in the cloud portal.
*
The following settings are required as part of Actions to successfully run the download script:
*
Program: <full path>\perl.exe.
*
Additional Arguments:
<full path>\log_export_siem_v2_0.pl --cfgfile <full path>\log_export_siem.cfg
*
Start in: enter the full path to the script.
*
Mark the Open the properties.... checkbox, then click Finish.
4.
Define the task:
*
To run as the user defined in Create a new administrator contact for Forcepoint storage, using the password defined for that user.
*
To download the file to a designated local destination.
5.
Click OK.
Scheduling on Linux
Create a cron job to schedule your script to run at the times you want. For more information in Linux, see man cron and man crontab.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Getting started with SIEM Integration : Setting up SIEM integration
Copyright 2022 Forcepoint. All rights reserved.