Additional reporting considerations
Applies to: | In this topic |
---|---|
|
|
When you install web protection reporting components, you can configure how those components communicate with the Microsoft SQL Server database (Log Database). Port and encryption settings selected during installation can be changed after installation, if needed.
In addition, if you are planning to deploy reporting components for a large or geographically distributed organization, and need to use a single, centralized database for reporting, see Configuring distributed logging, for configuration options.
Using a custom port to connect to the Log Database
During Forcepoint Management Infrastructure and Log Server installation, you can specify which port to use for Microsoft SQL Server communication. By default, the standard ODBC port (1433) is used.
- A fixed port to the default instance (MSSQLSERVER)
- A dynamic port to each named instance
Use the SQL Server Configuration Manager to configure the port used by each SQL Server instance. See your Microsoft documentation for assistance.
Using SSL to connect to the Log Database
During Forcepoint Management Infrastructure and Log Server installation, you are given the option to connect to Microsoft SQL Server using an SSL-encrypted connection.
- BCP (bulk copy program) cannot be used to add records to the Log Database.
- Log Database connections are slower, which may affect reporting performance.
- Launch SQL Server Configuration Manager.
- Right-click the SQL Native Client x.x Configuration entry used in your SQL Server installation, then select PropertiesTwo parameters are listed:
- Force Protocol Encryption: The default setting (No) means that encrypted connections are accepted but not required. This setting is typically best for use with Forcepoint
security solutions.
If this is set to yes, only encrypted connections are accepted.
- Trust Server Certificate: The default setting (No) means that only certificates issued by a Certificate Authority (CA) are accepted for encrypting connections to the
database. This requires that a CA-signed certificate be deployed to the SQL Server, Log Server, and management server machines a secure connection can be used to connect to the
database.
When this parameter is set to Yes, self-signed SSL certificates may be used to encrypt the connection to the database. In this case, the certificate is generated by the SQL Server machine and shared by all components needing to connect to the database.
- Force Protocol Encryption: The default setting (No) means that encrypted connections are accepted but not required. This setting is typically best for use with Forcepoint
security solutions.
If you enable SSL encryption during installation, Force Protocol Encryption is set to Yes, and Trust Server Certificate is set to No, CA-signed certificates must be installed on the management server and Log Server machines before the component installation will succeed.
Configuring distributed logging
If you have a large or distributed environment that requires multiple Log Server instances, you can configure each Log Server to record data to a separate Log Database. If you do not need a central repository of reporting data that can be used to generate organization-wide reports, this may be the most efficient deployment option.
- Configure all Log Server instances to independently record their data in the same Log Database.
- Configure distributed Log Server instances to pass their data to a central Log Server, which then records all log records from all instances into the Log Database.
The first option does not require special configuration steps. You need only ensure that each Log Server instance points to the same database (both database engine IP address or hostname and database instance name).
The second option requires more planning and configuration detail, as outlined in the sections that follow.
Note that centralized log processing is not as fast as local logging. Expect a delay of 4 or 5 minutes before the files from remote Log Servers appear in the cache processing directory on the central Log Server.
Part 1: Prepare for centralized logging