Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring Full Traffic Logging : Setting up full logging
Setting up full logging
Forcepoint Web Security Cloud | Configuring Full Traffic Logging
Even though the correct permission (Log export) may be visible in your Account settings, the feature is not available by default. To make it available in your account, contact Support.
Once the feature is available, to set up full traffic logging in the cloud portal:
1.
Create a new administrator contact.
We strongly recommend that the log download process has its own user name and password to gain access to the Forcepoint Web Security Cloud service. This keeps the process separate from your other administration tasks and enables you to establish longer password expiration policies.
2.
Enable full traffic logging.
Full traffic logging can be enabled for your whole account or for specific policies.
3.
Set up a download script.
Create a new administrator contact
To create the new contact:
1.
In the cloud portal, on the main toolbar, click Account, then select Contacts.
2.
Under the Contacts list, click Add.
3.
Enter identifying information for the new contact in the First name and Surname fields. For example, "Traffic" and "Logging."
4.
Click Submit.
5.
Click the link provided to supply a User name for the account.
6.
Enter a password for the contact. It must conform to the password policy on the main Contacts page.
7.
Enter a password expiration date for the contact. To avoid having to regularly update it, this should be different than the regular account settings; it should span a longer period. The maximum period is 365 days.
8.
Under Account Permissions, check the Log Export box, and any other permissions you want to give this user. You can act as an administrator from this logon.
 
* 
Note 
If you give this contact only the Log Export permission and nothing else, the user name and password cannot be used to log on to the cloud portal. The View Reports permission is the minimum permission a user needs to be able to log on.
9.
Click Submit.
Enable full traffic logging
To enable log retention for your account:
1.
In the cloud portal, on the main toolbar, click Web, then select Full Traffic Logging (under Settings).
2.
Click Edit.
3.
Mark the Enable full Web traffic logging checkbox.
The text on this page states the conditions for using full traffic logging—namely, all data is retained for only 14 days, and if you do not download any files for a period of 14 days, full traffic logging is automatically disabled. For more information, see Troubleshooting full traffic logging.
This page also contains a link to a sample script that you can use to download and store your log files. You can edit this script to suit your needs. For more information, see Set up a download script.
4.
Click Submit.
By default, all web policies have the logging setting that you define at the account level. If you want to change the log retention for a particular policy:
1.
On the main toolbar, click Web, then select Policies (under Policy Management).
2.
On the Policies page, click the name of the policy you want to configure.
3.
On the General tab for the selected policy, click Edit.
4.
Under Full Traffic Logging, change the selection in the drop-down list from Use policy-wide default to either Enabled or Disabled. This overrides the account-level setting.
5.
Click Submit.
You can view the logs available for your account by going to https://sync-web.mailcontrol.com/hosted/logs and logging on with the user name and password that you set up with the Log Export permission. If you access this site immediately after you have set up full traffic logging, you will see only an empty XML script, but once Forcepoint Web Security Cloud has started to retain your logs, the page will show all available log files for download.
Each file name has the following format:
hosted_<SourceID>_<AccountID>_<ClusterIP>_<Version>_<Epoch>_<SequenceNo>.gz
The elements of the string are defined as follows:
Element
Description
SourceID
Internal string to identify where in the cloud service the log data was created.
AccountID
The cloud service internal identifier for your account.
ClusterIP
The IP address for the cluster that processed your web requests.
Version
Current version number for the log file format.
Epoch
The UNIX time for each log file, representing the time intervals between each generated log.
SequenceNo
If your logs exceed a certain size, the cloud service will deliver multiple log files for the configured time interval. This number identifies each log in the given period.
For example, for log files from a cluster with the IP address 10.12.14.16 generated every 10 minutes, you might see the following:
hosted_xxxx1_1234_10.12.14.16_1_1236779400_1.gz
hosted_xxxx2_1234_10.12.14.16_1_1236780000_1.gz
hosted_xxxx1_1234_10.12.14.16_1_1236780000_2.gz
hosted_xxxx3_1234_10.12.14.16_1_1236780000_3.gz
hosted_xxxx1_1234_10.12.14.16_1_1236780600_1.gz
Set up a download script
To download the log files and save them to a location of your choice, you can either use the sample Perl script or create a script of your own. To save the sample script to your network:
1.
On the main cloud portal toolbar, click Web, then select Full Traffic Logging (under Settings).
2.
Click Edit.
3.
Click the sample script link, and save the file to a location of your choice. By default the file is named full_traffic_log_download.pl.
 
* 
Warning 
Forcepoint provides the sample log download script as a convenience to its customers, but does not provide support for customization and will not be responsible for any problems that may arise from editing the script.
The script can be run on Windows or Linux, and does the following:
*
Connects to the cloud service using the URL specified in the script
*
Optionally reports the log files available for download
*
Downloads the available log files to a location of your choice, or by default to the directory where the script is located
*
Optionally checks the MD5 hash of each downloaded file to verify the file's integrity before deletion from the server
*
Uses the HTTP DELETE method to request that the cloud service delete the downloaded files
 
* 
Note 
Running the script on Windows requires ActivePerl, which you can download from http://www.activestate.com/activeperl/downloads.
To see the ActivePerl modules required for running the script, open the script in a text editor. The modules are listed at the beginning of the file.
If you customize the sample script or choose to write your own script, you must always include the DELETE method to remove the downloaded files from the server. This is because files are only retained for 14 days, and any files that have not been deleted after 7 days will trigger a warning email. For more information, see Troubleshooting full traffic logging.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring Full Traffic Logging : Setting up full logging
Copyright 2022 Forcepoint All rights reserved.