KB Article | Forcepoint Support

Problem Description

Forcepoint NGFW Security Management Center (SMC) can forward log and audit data to external syslog servers and to a variety of third-party Security Information and Event Management (SIEM) systems. Forwarding can be protected with TLS, limited with forwarding filters, and customized at the field level, so you can choose the configuration that fits your log management needs.

Resolution

SMC offers a wide range of configuration options to make integration with your log management solution flexible and easy:
  • Support for virtually any external syslog server with configurable field inclusion and ordering in CSV and XML formats
  • Easy out-of-the-box integration with popular SIEM systems and formats, including:
    • ArcSight CEF
    • Q1 Labs LEEF
    • McAfee ESM
    • NetFlow v9
    • IPFIX
  • TLS protection with optional certificate validation and TLS server identity verification
  • Detailed specification of what log data to forward based on local filter elements
  • Ability to apply multiple forwarding rulesets simultaneously and send the same log data to multiple destinations

This guide explains step-by-step how to configure SMC to forward log data in your chosen format to external syslog or SIEM servers. It also shows how to optionally customize which fields are included and in what order when forwarding log data in CSV, XML, or ESM formats.


Contents

  1. Log entry types and sources
  2. Supported forwarding formats
  3. Configuring log and audit data forwarding
    1. Step 1: Ensure logging is properly configured
    2. Step 2: Add forwarding rules
    3. Step 3: Allow traffic to your external server
  4. Field customization (CSV, XML, ESM)
    1. CSV and XML field customization
    2. ESM field customization

Log entry types and sources

Most log entries are traffic-based events that are logged according to policy rules. An audit log entry is a special type of log entry that is not traffic-based, but instead provides a record of SMC administrative actions and some internal events like element updates and scheduled task executions. Depending on your needs, you may wish to forward audit and non-audit log entries separately to different servers.

Forwarded log entries can come from two sources: Log Servers and Management Servers. A Log Server's forwarding configuration will apply to all log entries stored on that server, including its own audit log entries. Management Servers can only forward their own audit log entries.

Log forwarding must be configured for each individual Log and Management Server. Since the forwarding configuration process for Log and Management Servers is generally the same, this guide treats the two interchangeably. Any exceptions to this generalization are specified.


Supported forwarding formats

Forwarded data in CSV, XML, and ESM formats may be optionally customized to define which fields are included and in what order. See the Field customization (CSV, XML, ESM) section below for more details.

Supported forwarding formats by server type

  Format            Log Server    Management Server
  CEF (ArcSight)    X             X
  CSV               X             X
  Short CSV         X
  IPFIX             X*
  LEEF (Q1 Labs)    X             X
  ESM (McAfee)      X             X
  NetFlow v9        X*
  XML               X             X

Note: *NetFlow and IPFIX formats require UDP and do not support audit log entry forwarding. Because Management Servers forward only their own audit log entries, these two formats are not available for them.
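When a SIEM does not show the expected fields, the quickest check is to look at the raw lines it receives and confirm they parse as the chosen format. The parser below, added here as an example and not part of SMC or of any SIEM vendor's tooling, handles the CEF header and whitespace-delimited extension, and LEEF 1.0 (tab-delimited extension) and LEEF 2.0 (delimiter named in the header), including the backslash escaping that both formats require for `|`, `=` and `\`. The sample lines are constructed for illustration; the vendor, product and event ID values in them are placeholders, not captured SMC output.

```python
"""Parse CEF (ArcSight) and LEEF (Q1 Labs / IBM QRadar) event lines.

Added example for checking what the receiving SIEM actually gets; it is not
SMC code. The sample lines below are constructed for illustration and are
not captured SMC output (vendor, product and event IDs are placeholders).
"""
import re
from typing import Dict, List

CEF_HEADER = ["version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity"]
LEEF_HEADER = ["version", "vendor", "product", "product_version", "event_id"]
# A key in a whitespace-delimited extension starts the string or follows
# whitespace and is immediately followed by an unescaped '='.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def split_unescaped(s: str, sep: str, maxsplit: int) -> List[str]:
    """Split s on sep at most maxsplit times, skipping backslash-escaped
    characters; escape sequences stay in the pieces for unescape()."""
    parts, start, i = [], 0, 0
    while i < len(s) and len(parts) < maxsplit:
        if s[i] == "\\":
            i += 2
            continue
        if s[i] == sep:
            parts.append(s[start:i])
            start = i + 1
        i += 1
    parts.append(s[start:])
    return parts


def unescape(s: str) -> str:
    r"""Undo header/extension escaping: \| \= \\ plus \n and \r."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def parse_ws_extension(ext: str) -> Dict[str, str]:
    """CEF extension: key=value pairs separated by spaces; '=' in values is escaped."""
    keys = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end]).strip()
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension
    Anything before 'CEF:' (syslog PRI, timestamp, host) is ignored."""
    body = line[line.index("CEF:"):]
    fields = split_unescaped(body, "|", 7)
    if len(fields) != 8:
        raise ValueError("CEF needs 7 pipe-separated header fields plus an extension")
    event: Dict[str, object] = dict(zip(CEF_HEADER, (unescape(f) for f in fields[:7])))
    event["version"] = str(event["version"])[len("CEF:"):]
    event["extension"] = parse_ws_extension(fields[7])
    return event


def parse_leef(line: str) -> Dict[str, object]:
    """LEEF:1.0 uses a tab-separated extension; LEEF:2.0 names its delimiter in
    a sixth header field (a character, or hex such as x09 / 0x09; empty = tab)."""
    body = line[line.index("LEEF:"):]
    version = body[len("LEEF:"):body.index("|")]
    nheader = 6 if version.startswith("2") else 5
    fields = split_unescaped(body, "|", nheader)
    if len(fields) != nheader + 1:
        raise ValueError("truncated LEEF header")
    event: Dict[str, object] = dict(zip(LEEF_HEADER, (unescape(f) for f in fields[:5])))
    event["version"] = version
    delim = "\t"
    if nheader == 6 and fields[5]:
        hexdelim = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", fields[5])
        delim = chr(int(hexdelim.group(1), 16)) if hexdelim else fields[5]
    ext: Dict[str, str] = {}
    for pair in split_unescaped(fields[nheader], delim, len(fields[nheader])):
        kv = split_unescaped(pair, "=", 1)
        if len(kv) == 2:
            ext[unescape(kv[0])] = unescape(kv[1])
    event["extension"] = ext
    return event


def parse_siem_line(line: str) -> Dict[str, object]:
    """Dispatch on the format tag; raises ValueError for anything else."""
    if "CEF:" in line:
        return parse_cef(line)
    if "LEEF:" in line:
        return parse_leef(line)
    raise ValueError("neither CEF nor LEEF")


# Constructed samples (not SMC output) in the shape each format prescribes.
CEF_SAMPLE = ("<134>Jan  1 12:00:00 logsrv CEF:0|ExampleVendor|ExampleFW|1.0|100|"
              "Connection allowed|3|src=10.1.2.3 dst=192.0.2.10 spt=51000 dpt=443 "
              "proto=TCP msg=rule allow\\=web")
LEEF1_SAMPLE = ("<134>Jan  1 12:00:00 logsrv LEEF:1.0|ExampleVendor|ExampleFW|1.0|200|"
                "src=10.1.2.3\tdst=192.0.2.10\tusrName=alice")
LEEF2_SAMPLE = ("LEEF:2.0|ExampleVendor|ExampleFW|1.0|201|^|"
                "src=10.1.2.3^dst=192.0.2.10^cat=Connection_Discarded")

if __name__ == "__main__":
    for sample in (CEF_SAMPLE, LEEF1_SAMPLE, LEEF2_SAMPLE):
        print(parse_siem_line(sample))
```

Run it against a few lines captured on the SIEM side; a header that comes back with the wrong number of fields, or an extension whose values swallow the next key, usually means an unescaped `|` or `=` in a field rather than a transport problem.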

Configuring log and audit data forwarding

Step 1: Ensure logging is properly configured

Note: Audit log entries do not require any configuration in your policy logging rules as they are always created for audit events.

For log entries to be forwardable, you must first ensure that they are generated and properly configured in your policy logging rules. The following requirements should be met for log entries to be forwardable:

  1. The Log Level of your logging rule must not be None.
  2. If you are forwarding logs in NetFlow or IPFIX format, Log Accounting Information must be selected as the Connection Closing option of your logging rule to collect traffic volume information.
  3. If you have enabled log pruning, the log entries you want to forward must not be removed by an Immediate Discard filter.
Logging Rule Options example

Step 2: Add forwarding rules

Forwarding rules define what, where, and how log and audit entries are forwarded. Each Log or Management Server must have its own forwarding rules configured to forward its log and audit entries. Multiple forwarding rulesets may be active simultaneously and the same log data can be forwarded to multiple destinations.

To add forwarding rules for a Log or Management Server:

  1. Open the Properties view of your Log or Management Server, select the Log or Audit Forwarding tab, and click Add.
  2. Enter your forwarding rules, including Target Host, Service, Port, and Format.
    Note: NetFlow and IPFIX formats require UDP.
  3. To limit which log entries to forward, select a Data Type and/or a local Filter.
    Tip: See Knowledge Base article 12327 for an example of how to create a forwarding rule filter.
  4. (Optional) To enable TLS protection: select TCP with TLS under Service, choose a TLS Profile, and define your preferences under the Server TLS Certificate Used for Forwarding Logs section. You may also optionally define a TLS Server Identity for verifying your external server.
  5. Click OK. Your new log forwarding rule is active immediately.
Log Server Properties, Log Forwarding tab example

Step 3: Allow traffic to your external server

If your external server and your Log or Management Server are separated by a firewall, you must configure your policy access rules to allow your forwarded data to pass through on the port and protocol selected in your log forwarding rules. Refer to your NGFW Product Guide for more information on configuring policy access rules.
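Before involving the SIEM itself, it helps to confirm that the forwarded data actually leaves the Log or Management Server and crosses the firewall on the port and protocol you selected. The listener below is an added example for that check only; it is not SMC or Forcepoint tooling. It listens on UDP, plain TCP, or TCP with TLS, prints each message with the sender's address, and reassembles TCP messages on newline boundaries, which is an assumption about SMC's TCP framing that the article does not state (adjust the framer if you see octet-counted frames). The TLS mode assumes a PEM certificate and key for the receiver at the hypothetical paths `receiver.pem` and `receiver.key`, and the default port 5514 is arbitrary.

```python
"""Throwaway syslog receiver for checking that forwarded log data reaches the
external server on the port and protocol chosen in the forwarding rule.

Added example for verification only; it is not SMC or Forcepoint tooling.
It assumes newline-terminated messages on TCP (an assumption about SMC's
framing, not stated in the article) and, for TLS, a PEM certificate and key
for this receiver at the hypothetical paths receiver.pem / receiver.key.
"""
import socketserver
import ssl
import sys
from typing import List, Optional


class LineFramer:
    """Reassemble newline-terminated messages from a TCP byte stream. TCP does
    not preserve message boundaries, so one recv() may hold half a message or
    several; the partial tail is held until the next chunk or flush()."""

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, chunk: bytes) -> List[bytes]:
        self._buf += chunk
        *complete, self._buf = self._buf.split(b"\n")
        return [m.rstrip(b"\r") for m in complete]

    def flush(self) -> List[bytes]:
        tail, self._buf = self._buf, b""
        return [tail.rstrip(b"\r")] if tail else []


class TCPHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        framer, peer = LineFramer(), self.client_address[0]
        while True:
            chunk = self.request.recv(65536)
            if not chunk:                      # sender closed the connection
                break
            for msg in framer.feed(chunk):
                print(f"[{peer}] {msg.decode('utf-8', 'replace')}")
        for msg in framer.flush():
            print(f"[{peer}] (no trailing newline) {msg.decode('utf-8', 'replace')}")


class UDPHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        data, _sock = self.request             # one datagram = one message
        print(f"[{self.client_address[0]}] {data.decode('utf-8', 'replace').rstrip()}")


def tls_context(certfile: str, keyfile: str,
                client_ca: Optional[str] = None) -> ssl.SSLContext:
    """Server-side TLS context. The certificate loaded here is what the SMC
    side checks against the chosen TLS Profile and TLS Server Identity.
    Passing client_ca additionally requires the Log Server to present the
    certificate selected under 'Server TLS Certificate Used for Forwarding Logs'."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    if client_ca:
        ctx.load_verify_locations(client_ca)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


class TLSServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, handler, ctx: ssl.SSLContext) -> None:
        super().__init__(addr, handler)
        self.ctx = ctx

    def get_request(self):
        sock, addr = super().get_request()
        # The handshake happens here; a failing one is logged by socketserver.
        return self.ctx.wrap_socket(sock, server_side=True), addr


if __name__ == "__main__":
    proto = sys.argv[1] if len(sys.argv) > 1 else "tcp"     # udp | tcp | tls
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5514
    if proto == "udp":
        server = socketserver.ThreadingUDPServer(("0.0.0.0", port), UDPHandler)
    elif proto == "tls":
        server = TLSServer(("0.0.0.0", port), TCPHandler,
                           tls_context("receiver.pem", "receiver.key"))
    else:
        socketserver.ThreadingTCPServer.allow_reuse_address = True
        server = socketserver.ThreadingTCPServer(("0.0.0.0", port), TCPHandler)
    print(f"listening on {proto}/{port}; Ctrl-C to stop")
    server.serve_forever()
```

If nothing arrives in plain TCP or UDP mode, the access rule in Step 3 (or a host firewall on the receiver) is the first thing to check; if plain TCP works but TLS does not, the failure is in the TLS Profile, the receiver certificate, or the TLS Server Identity you configured in Step 2.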


Field customization (CSV, XML, ESM)

Forwarded log and audit data in CSV, XML, and ESM formats may be optionally customized to define which fields are included and in what order. A list of available fields for export and forwarding can be found in the Log Fields Appendix of your NGFW Product Guide, or from your SMC installation's datatype files in <install_dir>/data/fields/datatypes. These datatype files also determine the default field configuration used if no custom template location is defined in your server's configuration file or the template cannot be accessed.


CSV and XML field customization

To choose which log fields are forwarded in CSV or XML format, perform the following for each Log/Management Server that requires field customization:

  1. Create and customize your template:
    1. Create a new XML file or copy an existing template from the <install_dir>/data/fields/syslog_templates directory for editing.
      Note: Each Log/Management Server may only use one template file for all log and audit data forwarding in CSV or XML format. If you have a Log Server and a Management Server on the same machine, they may each use a separate template file.
    2. Edit the template to suit your needs. The order in which fields appear in your template will determine the order in which fields appear in your forwarded logs.
  2. Configure your Log/Management server to use your customized template:
    1. Open your server's configuration file for editing: <install_dir>/data/LogServerConfiguration.txt for Log Servers or <install_dir>/data/SGConfiguration.txt for Management Servers.
    2. Edit or add the SYSLOG_CONF_FILE parameter to point to the absolute path of your custom template file.
  3. Restart your Log/Management Server for your changes to take effect.
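The edit in step 2 is the part most often done by hand on several servers, and a wrong path is easy to miss because SMC quietly falls back to the default field configuration when the template cannot be accessed. The script below is an added example, not part of the SMC distribution: it validates the template path (absolute, present, well-formed XML), backs up the configuration file, and then replaces or appends the SYSLOG_CONF_FILE line. It assumes, which the article does not state, that LogServerConfiguration.txt and SGConfiguration.txt are plain KEY=VALUE text files in which `#` starts a comment; check a copy of your own file before relying on it. The restart in step 3 remains a manual step.

```python
"""Point a Log Server or Management Server at a custom syslog field template.

Added example, not part of the SMC distribution. It assumes (the article does
not state it) that LogServerConfiguration.txt and SGConfiguration.txt are
plain KEY=VALUE text files in which '#' starts a comment; check your own
installation before relying on it. Restarting the server afterwards, and
repeating the edit on every other Log/Management Server, remain manual steps.
"""
import shutil
import sys
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

PARAM = "SYSLOG_CONF_FILE"


def set_param(config_text: str, key: str, value: str) -> str:
    """Return config_text with key=value set: the first uncommented assignment
    of key is replaced (keeping its own line ending), otherwise one is
    appended. Every other line is preserved byte for byte."""
    out, done = [], False
    for line in config_text.splitlines(keepends=True):
        body = line.strip()
        if (not done and body and not body.startswith("#")
                and "=" in body and body.split("=", 1)[0].strip() == key):
            ending = line[len(line.rstrip("\r\n")):]
            out.append(f"{key}={value}{ending}")
            done = True
        else:
            out.append(line)
    if not done:
        if out and not out[-1].endswith("\n"):
            out.append("\n")
        out.append(f"{key}={value}\n")
    return "".join(out)


def validate_template(template: str) -> Path:
    """The article requires an absolute path and says an inaccessible template
    silently falls back to the defaults, so refuse both cases up front."""
    path = Path(template)
    if not path.is_absolute():
        raise ValueError(f"{template}: SYSLOG_CONF_FILE must be an absolute path")
    if not path.is_file():
        raise FileNotFoundError(f"{template}: template file does not exist")
    ET.parse(path)                      # raises ParseError if not well-formed XML
    return path


def install_template(config_file: str, template: str) -> Path:
    """Back up the server configuration file, then set SYSLOG_CONF_FILE to the
    validated template path. Returns the backup path."""
    config = Path(config_file)
    template_path = validate_template(template)
    backup = config.with_name(f"{config.name}.{datetime.now():%Y%m%d-%H%M%S}.bak")
    shutil.copy2(config, backup)        # keep the original for reversion
    text = config.read_text(encoding="utf-8")
    config.write_text(set_param(text, PARAM, str(template_path)), encoding="utf-8")
    return backup


def demo() -> dict:
    """Run the procedure against throwaway files. Both the configuration
    content and the one-element XML template are constructed placeholders,
    not real SMC files."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "LogServerConfiguration.txt")
        cfg.write_text("# constructed sample\nEXAMPLE_KEY=value\n", encoding="utf-8")
        tpl = Path(tmp, "custom_syslog_conf.xml")
        tpl.write_text("<template/>\n", encoding="utf-8")
        backup = install_template(str(cfg), str(tpl))
        return {"config": cfg.read_text(encoding="utf-8"),
                "template": str(tpl),
                "backup_exists": backup.is_file()}


if __name__ == "__main__":
    if len(sys.argv) == 3:              # usage: script.py <config file> <template path>
        print("backup written to", install_template(sys.argv[1], sys.argv[2]))
    else:
        print(demo()["config"])
```

Because only one template file applies per server, running this against a server that already has a SYSLOG_CONF_FILE line replaces that line rather than adding a second one; the backup lets you revert if the new template turns out to drop a field the SIEM depends on.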

ESM field customization

To choose which log fields are forwarded in ESM format, perform the following for each Log/Management Server that requires field customization:

  1. Edit the existing ESM template found at <install_dir>/data/fields/syslog_templates/esm_syslog_conf.xml to suit your needs.
  2. Restart your Log/Management Server for your changes to take effect.
Warning: Default templates in the syslog_templates directory, including the ESM template, may be overwritten during an SMC upgrade. Keep a backup copy of your customized ESM template so that it can be restored if the original is replaced.
