KB Article | Forcepoint Support

Resolution

This page is designed to be a one-stop shop for featured content articles that provide relevant information on SIEM questions.

Note: The featured content listed may apply to multiple products and versions. Verify the products and versions stated in the article to ensure you are reviewing the correct featured content for your configuration.

Product information covered in this article includes:

Web
CASB
Data
Email

For information regarding other types of logging, see the Log Server and Log Database Featured Article, which includes information on SIEM logging for NGFW.
 

Web

SIEM changed significantly starting with version 8.4. As such, the information below is sectioned between the older and newer versions of SIEM integration.
 
Configuration
 
Integrating with a third-party SIEM solution
This article applies to all versions, as it covers setting up the SIEM connection in Forcepoint Security Manager.
 
Configuring multiple SIEM server logging
This feature became available starting in 8.4.
 
Log WCG transactions to an external syslog server
This information requires Technical Support assistance if root access is not available.
 
Understanding Testlogserver Output
A section for SIEM Results exists in Testlogserver output that defines the different fields.
 
Troubleshooting
 
For 8.4 and higher:
If any of the services listed below are not running, SIEM logs will not write. Each article explains how to troubleshoot the service.
 
Services such as SIEM Connector Service are no longer listed on appliance manager or FSAM
This issue requires Forcepoint Technical Support assistance.
 
SIEM logging fails after upgrade from 8.3
This article applies only to versions 8.4 or higher after upgrading from 8.3.
 
Stopping and restarting Event Message Broker service
This article applies only to versions 8.4 or higher.
 
Kafka Logs maxing out disk space
This issue began in 8.3 as SIEM and other logs are stored in Kafka before transmission from Event Message Broker.
 
Forcepoint versions 8.4 or higher are not logging data to the SIEM integration
This article applies to versions 8.4 and higher with additional information on related issues.
 
 
For 8.3:
Version 8.3 introduced the groundwork for the services used in 8.4 and higher. Just as in 8.4, if the services below are stopped, SIEM logs will not write.
 
Forcepoint versions 8.3 or prior are not logging data to the SIEM integration
This article applies to versions 8.3 and prior with Multiplexer on an appliance.
 
 
For 8.2 and prior:
In versions 8.2 and prior, Multiplexer and MuxApp were used to send SIEM information. As of 8.4, MuxApp is no longer integrated, as Event Message Broker took over.
 
Multiplexer is not running or not available
This document applies to versions 8.2 and prior with Appliance Manager. If Multiplexer is not running, SIEM logs will not write.
 
Invalid format for SIEM data after upgrade to v8.2
Fixed with hotfix v8.2.0 HF03 Filter SIEM Template Upgrade Fix (Windows) and WEB-8.2.0-003 (Appliance).
 
 
For all Web versions:
SIEM configuration reverts to default after logging off Forcepoint Security Manager
This is an uncommon issue for SIEM configuration after version 8.4.
 
The syslog/CEF (ArcSight) output string for SIEM integration is incorrect
This issue was corrected in version 8.5.
 
SIEM "reason=%" from Splunk for Web Reports
This issue was corrected in version 8.5.
 
Vulnerability detected on SIEM port 8443 - Certificate issue
This issue was corrected in version 8.5.
 
SIEM logs shows debug enabled
The debug feature is on by default, but can be changed through a Custom SIEM template.
 

CASB

Forcepoint CASB Administration Guide
Provides information regarding SIEM integration with CASB.
 
CASB SIEM Scan Tool configuration
The SIEM Scan tool integrates CASB with a SIEM.

Enable Task Scheduler to automatically run SIEM scan
This article gives step-by-step instructions for automating the SIEM Scan tool.
 
How to automate and schedule periodic Cloud Discovery Scans in Windows
The Cloud Discovery Scan needs SIEM logs to be periodically stored in a location accessible by the Cloud Discover Tool.
 
 

Data

Remediation
This document goes over remediation and includes SIEM tool compatibility.
 
Forcepoint DLP Ports
Contains the default syslog ports.
 
 

Email

Security Information Event Management (SIEM): Email Logs
This PDF covers SIEM integration with the Email product.
