KB Article | Forcepoint Support

Notes & Warnings

Important: The KB Articles provided may require you to log in to https://support.forcepoint.com to view. If you do not have an account, please Create a Customer Account. If you have an account but cannot log in, Contact Support for assistance.


This page is designed to be a one-stop shop with featured content articles that provide relevant information regarding SIEM questions.

Note: The featured content listed may apply to multiple products and versions. Verify the products and versions stated in the article to ensure you are reviewing the correct featured content for your configuration.

Product information covered in this article includes:

Cloud Web

For information regarding other types of Logging, see Log Server and Log Database Featured Article, which includes information for SIEM logging for NGFW. 

Cloud Web

Integrate SIEM to export logs from Forcepoint Cloud Service
This article summarizes how to integrate SIEM with Forcepoint Cloud Service to export logs.

Enable SIEM for Forcepoint Cloud Web Security
This article includes steps to enable SIEM for Cloud Web Security.


SIEM changed significantly starting with version 8.4. As such, the information below is sectioned between the older and newer versions of SIEM integration.
Integrating with a third-party SIEM solution
This article applies to all versions because it covers setting up the SIEM connection in Forcepoint Security Manager.

Configuring multiple SIEM server logging
This feature became available starting in 8.4.

Log WCG transactions to an external syslog server
This information requires Technical Support assistance if root access is not available.

Understanding Testlogserver Output
A section for SIEM Results exists in Testlogserver output that defines the different fields.
For 8.4 and higher:
Confirm that the prerequisites described in the following Article have been performed.
If any of the services listed below are not running, SIEM logs will not write. Each article explains how to troubleshoot the service.
Hybrid logs are not sent to SIEM in Forcepoint Web Security version 8.5.3
This article applies only to version 8.5.3, where hybrid logs did not move to SIEM.

SIEM shows time as 1970 for Arcsight after upgrade to 8.4 or 8.5
This article explains the time format issue.
Services such as SIEM Connector Service are no longer listed on appliance manager or FSAM
This issue requires Forcepoint Technical Support assistance.

SIEM logging fails after upgrade from 8.3
This article applies only to versions 8.4 or higher after upgrading from 8.3.

Stopping and restarting Event Message Broker service
This article applies only to versions 8.4 or higher.

Kafka Logs maxing out disk space
This issue began in 8.3 as SIEM and other logs are stored in Kafka before transmission from Event Message Broker.

Forcepoint versions 8.4 or higher are not logging data to the SIEM integration
This article applies to versions 8.4 and higher with additional information on related issues.

Vulnerability detected on SIEM port 8443 - Certificate issue
This article includes the steps to remove unused ports in the SIEM connector and cloud app service.
For 8.3:
Version 8.3 began the setup for the eventual services in 8.4 and higher. Just as in 8.4, if the services below are stopped, SIEM logs will not write.
Forcepoint versions 8.3 or prior are not logging data to the SIEM integration
This article applies to versions 8.3 and prior with Multiplexer on an appliance.
For 8.2 and prior:
In versions 8.2 and prior, Multiplexer and MuxApp were used to send SIEM information. As of 8.4, MuxApp is no longer integrated as Event Message Broker took over.
Multiplexer is not running or not available
This document applies to versions 8.2 and prior with Appliance Manager. If Multiplexer is not running, SIEM logs will not write.

Invalid format for SIEM data after upgrade to v8.2
Fixed with hotfix v8.2.0 HF03 Filter SIEM Template Upgrade Fix (Windows) and WEB-8.2.0-003 (Appliance).
For all Web versions:
SIEM configuration reverts to default after logging off Forcepoint Security Manager
This is an uncommon issue for SIEM configuration after version 8.4.

The syslog/CEF (ArcSight) output string for SIEM integration is incorrect
This issue was corrected in version 8.5.

SIEM "reason=%" from Splunk for Web Reports
This issue was corrected in version 8.5.

Vulnerability detected on SIEM port 8443 - Certificate issue
This issue was corrected in version 8.5.

SIEM logs shows debug enabled
The debug feature is on by default, but can be changed through a Custom SIEM template.


Forcepoint CASB Administration Guide
For information regarding SIEM and CASB.

CASB SIEM Scan Tool configuration
The SIEM Scan tool is used to integrate with SIEM for CASB.

Enable Task Scheduler to automatically run SIEM scan
This article gives step-by-step instructions for automating the SIEM scan tool.

How to automate and schedule periodic Cloud Discovery Scans in Windows
The Cloud Discovery Scan needs SIEM logs to be periodically stored in a location accessible by the Cloud Discover Tool.


This document goes over remediation and includes SIEM tool compatibility.

Forcepoint DLP Ports
Contains the default syslog ports.


Security Information Event Management (SIEM): Email Logs
This PDF goes over integration with the Email product.

Integrate SIEM to export logs from Forcepoint Cloud Service
This article goes over integrating SIEM to export logs.

Keywords: SIEM; SIEM Integration; Syslog Server; Syslog Ports; SIEM Tool Compatibility; Remediation; Troubleshooting SIEM; Incidents not sent to syslog; 1970; siem connector; siem services; audit logs; siem tools; arcsight; qradar; splunk

