Exporting incidents to a file

Use the Settings > General > Incident Export page in the Data Security module of the Forcepoint Security Manager to configure how incidents are exported to a log file for analysis.

Steps

  1. To enable incident export, select Export incidents to a file.
  2. Enter a Path to define the storage location for the incident export file (C:/Program Files (x86)/Websense/Data Security/incidents-export, by default).
  3. Enter a File name for the export file.
    • The name must be fewer than 180 characters.
    • File names cannot include the following characters:

      /:*?\"\\<|>;,&%@#!^&$%()+'=~`{}

  4. Set the Maximum number of files, from 1 to 20, to keep (5, by default).
  5. Under New File Creation, indicate whether to base new file creation on file size (default) or time.
    • To create a new file when the file reaches a specified size, select When file size reaches, then set a size from 1-5 MB.
    • To create a new file daily at 12:00 a.m., select At the start of a new day.
  6. Click OK to save your changes.
The following fields are exported (field name, followed by its description):

  Incident ID: External incident ID.
  Insert date: The incident insert date.
  Source hostname: The incident source hostname.
  Source IP: The incident source IP.
  Source full name: The incident source full name.
  Source email: The incident source email.
  Source DN: The distinguished name (DN) of the incident source. A DN is the name that uniquely identifies the entry in the directory. It is made up of attribute=value pairs, separated by commas.
  Destinations list: A list of the incident's destinations, in the format dest1;dest2;dest3…
  Channel name: The channel name.
  Max action taken: A readable action taken (e.g., Blocked, Audited).
  Urgency: The incident's urgency, sometimes called sensitivity (e.g., Moderate).
  Policy category: The policy category for the current line (an incident can generate multiple lines, one per policy category).
  Filenames: The filename or filenames related to the current incident policy, up to 1024 characters, in the format [fn1;fn2;…;fnX].
  Filenames trimmed: True if the actual value of the Filenames field is longer than 1024 characters.
    Note that in a few cases you do not get the actual file name. For example, for some SMTP incidents the filename appears as MESSAGE-BODY.
  Breached contents: The breached content of the incident for the current policy, up to 1024 characters, in the format [content1;content2;…;contentX].
  Breached content trimmed: True if the actual size of the Breached contents field is more than 1024 characters.
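To show how these fields might be consumed downstream, here is an added Python example that is not part of the Forcepoint documentation or product. It assumes the export file is a header row followed by comma-separated values (the page does not state the delimiter), splits the semicolon-separated list fields, treats MESSAGE-BODY as a placeholder rather than an attachment, merges the per-policy lines of one incident, and flags records whose lists were trimmed at 1024 characters; the sample lines are constructed.

```python
import csv
import io

# Constructed sample export. The page lists the exported fields but not the
# on-disk delimiter, so a header row with comma-separated values is assumed.
SAMPLE_EXPORT = """\
Incident ID,Insert date,Source hostname,Source IP,Source full name,Source email,Source DN,Destinations list,Channel name,Max action taken,Urgency,Policy category,Filenames,Filenames trimmed,Breached contents,Breached content trimmed
1001,2024-01-15 09:12:00,ws-0042,10.0.0.42,Jane Doe,jdoe@example.com,"CN=Jane Doe,OU=Users,DC=example,DC=com",bob@partner.example;carol@partner.example,SMTP,Blocked,High,PCI,[MESSAGE-BODY;q4-report.xlsx],False,[pan-1;pan-2],False
1001,2024-01-15 09:12:00,ws-0042,10.0.0.42,Jane Doe,jdoe@example.com,"CN=Jane Doe,OU=Users,DC=example,DC=com",bob@partner.example;carol@partner.example,SMTP,Blocked,High,PII,[MESSAGE-BODY;q4-report.xlsx],False,[ssn-1],False
1002,2024-01-15 09:30:00,ws-0017,10.0.0.17,John Roe,jroe@example.com,"CN=John Roe,OU=Users,DC=example,DC=com",https://drop.example,Web,Audited,Moderate,PII,[a.txt;b.txt],True,[ssn-3;ssn-4],True
"""

def split_list(value):
    """Split a [item1;item2;...] or item1;item2;... field into its items."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [item for item in value.split(";") if item]

def parse_incident_export(text):
    """Parse an export into one dict per line (one line per policy category)."""
    lines = []
    for row in csv.DictReader(io.StringIO(text)):
        filenames = split_list(row["Filenames"])
        lines.append({
            "incident_id": row["Incident ID"],
            "source_ip": row["Source IP"],
            "destinations": split_list(row["Destinations list"]),
            "channel": row["Channel name"],
            "action": row["Max action taken"],
            "urgency": row["Urgency"],
            "policy_category": row["Policy category"],
            # MESSAGE-BODY stands for an SMTP message body, not a real attachment
            "attachments": [f for f in filenames if f != "MESSAGE-BODY"],
            "breached_contents": split_list(row["Breached contents"]),
            # Either trimmed flag means the export holds an incomplete list and
            # the full value must be looked up in the incident itself.
            "truncated": "True" in (row["Filenames trimmed"], row["Breached content trimmed"]),
        })
    return lines

def group_by_incident(lines):
    """Merge the per-policy lines of one incident into a single record."""
    incidents = {}
    for line in lines:
        rec = incidents.setdefault(line["incident_id"],
                                   {**line, "policy_categories": [], "breached_contents": []})
        rec["policy_categories"].append(line["policy_category"])
        rec["breached_contents"].extend(line["breached_contents"])
        rec["truncated"] = rec["truncated"] or line["truncated"]
    return incidents
```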