How to forward SMC log and audit data to external syslog or SIEM servers
- Article Number: 000015002
- Products: NGFW Security Management Center, Next Generation Firewall (NGFW)
- Version: 6.3, 6.2, 6.1, 6.0, 5.10
- Last Published Date: February 08, 2018
Forcepoint NGFW Security Management Center (SMC) easily integrates with external syslog servers and a variety of third-party Security Information and Event Management (SIEM) systems. Choose the configuration that works best for your log management needs with optional TLS protection, forwarding filters, and field customization.
SMC offers a wide range of configuration options to make integration with your log management solution flexible and easy:
This guide explains step-by-step how to configure SMC to forward log data in your chosen format to external syslog or SIEM servers. It also shows how to optionally customize which fields are included and in what order when forwarding log data in CSV, XML, or ESM formats.
Most log entries are traffic-based events that are logged according to policy rules. An audit log entry is a special type of log entry that is not traffic-based, but instead provides a record of SMC administrative actions and some internal events like element updates and scheduled task executions. Depending on your needs, you may wish to forward audit and non-audit log entries separately to different servers.
Forwarded log entries can come from two sources: Log Servers and Management Servers. A Log Server's forwarding configuration will apply to all log entries stored on that server, including its own audit log entries. Management Servers can only forward their own audit log entries.
Log forwarding must be configured for each individual Log and Management Server. Since the forwarding configuration process for Log and Management Servers is generally the same, this guide treats the two interchangeably. Any exceptions to this generalization are specified.
Forwarded data in CSV, XML, and ESM formats may be optionally customized to define which fields are included and in what order. See the Field customization (CSV, XML, ESM) section below for more details.
Supported forwarding formats by server type
For log entries to be forwardable, you must first ensure that they are generated and properly configured in your policy logging rules. The following requirements should be met for log entries to be forwardable:
Forwarding rules define what, where, and how log and audit entries are forwarded. Each Log or Management Server must have its own forwarding rules configured to forward its log and audit entries. Multiple forwarding rulesets may be active simultaneously and the same log data can be forwarded to multiple destinations.
To add forwarding rules for a Log or Management Server:
If your external server and your Log or Management Server are separated by a firewall, you must configure your policy access rules to allow your forwarded data to pass through on the port and protocol selected in your log forwarding rules. Refer to your NGFW Product Guide for more information on configuring policy access rules.
Forwarded log and audit data in CSV, XML, and ESM formats may be optionally customized to define which fields are included and in what order. A list of available fields for export and forwarding can be found in the Log Fields Appendix of your NGFW Product Guide, or from your SMC installation's datatype files in <install_dir>/data/fields/datatypes. These datatype files also determine the default field configuration used if no custom template location is defined in your server's configuration file or the template cannot be accessed.
To choose which log fields are forwarded in CSV or XML format, perform the following for each Log/Management Server that requires field customization:
To choose which log fields are forwarded in ESM format, perform the following for each Log/Management Server that requires field customization:
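Because a custom template changes which fields are forwarded and in what order, the receiving syslog or SIEM parser must use the same field list, and the sender must escape field values that contain the CSV delimiter. The following Python snippet is an added illustration of that round trip, not SMC code: the field names in FIELD_TEMPLATE and the sample entry are assumptions, and the real field names and output layout come from the SMC datatype files and your chosen template.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Illustrative custom field template (assumed names, listed in forwarding order).
# In a real deployment the names come from the SMC datatype files.
FIELD_TEMPLATE = ["Timestamp", "Action", "Src", "Dst", "Dport", "Info"]


def to_csv_line(entry, fields=FIELD_TEMPLATE):
    """Render one log entry as a CSV line in template order, quoting fields that need it."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="")
    writer.writerow([entry.get(f, "") for f in fields])
    return buf.getvalue()


def from_csv_line(line, fields=FIELD_TEMPLATE):
    """Parse a forwarded CSV line using the same template the sender used."""
    row = next(csv.reader([line]))
    if len(row) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(row)}")
    return dict(zip(fields, row))


def to_xml_record(entry, fields=FIELD_TEMPLATE):
    """Render the same entry as an XML element; ElementTree escapes markup characters."""
    rec = ET.Element("entry")
    for f in fields:
        ET.SubElement(rec, f).text = entry.get(f, "")
    return ET.tostring(rec, encoding="unicode")


def from_xml_record(text, fields=FIELD_TEMPLATE):
    """Read the XML record back into a dict keyed by template field name."""
    rec = ET.fromstring(text)
    return {f: (rec.findtext(f) or "") for f in fields}


def naive_split_field_count(line):
    """Column count a plain split on ',' would see: this is what misaligns positional parsers."""
    return len(line.split(","))


# Constructed sample entry: the Info field carries a comma and quotes, as a URL
# or user-agent string copied from real traffic can.
SAMPLE = {"Timestamp": "2018-02-08 10:00:00", "Action": "Discard",
          "Src": "10.0.0.5", "Dst": "198.51.100.7", "Dport": "443",
          "Info": 'GET /a,b?q="x" HTTP/1.1'}
```

The naive split shows why a SIEM that splits on commas instead of parsing quoted CSV will shift columns whenever a forwarded field contains the delimiter.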
See Knowledge Base article 10010 for additional information on field customization.