Enable SIEM logging

Use the Account > SIEM Storage page of the cloud portal to configure the storage options for SIEM output generated on the Reporting > Account Reports > SIEM Integration page. See Configuring SIEM Storage for details.

The Reporting > Account Reports > SIEM Integration page is used to format reporting data for use by a third-party SIEM tool and to enable generation of the log files.

Note: The option to export data cannot be set to ON unless a valid storage option has been configured on Account > SIEM Storage.

The option is automatically set to OFF if:
  • Forcepoint storage is enabled but no logs have been downloaded for 30 days.
  • Bring your own storage is enabled but no SIEM data could be forwarded to the active bucket for 14 days.

Multiple emails are sent prior to disabling the export option.

See Exporting data to a third-party SIEM tool in Help for details on formatting the data.

Using Bring your own storage

The output generated by the export process is forwarded to the active AWS S3 bucket listed on the SIEM Storage page. Files are assigned names using the format web|email_<accountid>_<timestamp>_<server>_<timestamp>.csv.gz, and will use any prefix values defined for the bucket.
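
As an added example (not Forcepoint's code), this Python sketch uses the file name format above to separate web and email output in a bucket listing and compares the newest object of each against the 14-day cutoff. The listing, account ID, `siem/` prefix, timestamp layout, `warn_days` margin and function names are constructed assumptions, and object last-modified time is used as a proxy for the last successful forward.

```python
import re
from datetime import datetime, timezone

BYOS_CUTOFF_DAYS = 14  # from the page: export turns OFF after 14 days without forwarding

# web|email_<accountid>_<timestamp>_<server>_<timestamp>.csv.gz
# Assumption: only <server> may contain underscores. Timestamps stay opaque
# tokens because the page does not state their format.
NAME_RE = re.compile(
    r"^(?P<kind>web|email)_(?P<account>[^_]+)_(?P<ts1>[^_]+)_"
    r"(?P<server>.+)_(?P<ts2>[^_]+)\.csv\.gz$")

def parse_key(key, prefix=""):
    """Split an object key into its name fields; None if it is not SIEM output."""
    if not key.startswith(prefix):
        return None
    m = NAME_RE.match(key[len(prefix):])
    return m.groupdict() if m else None

def delivery_status(listing, now, prefix="", warn_days=7):
    """listing: (key, last_modified) pairs, e.g. taken from an S3 object listing.
    Returns {kind: (age_days, state)}; warn_days is a hypothetical alert margin."""
    newest = {}
    for key, modified in listing:
        fields = parse_key(key, prefix)
        if fields is None:
            continue  # not SIEM output, or outside the configured prefix
        kind = fields["kind"]
        if kind not in newest or modified > newest[kind]:
            newest[kind] = modified
    status = {}
    for kind, modified in newest.items():
        age = (now - modified).days
        state = ("cutoff-reached" if age >= BYOS_CUTOFF_DAYS
                 else "warn" if age >= warn_days else "ok")
        status[kind] = (age, state)
    return status

UTC = timezone.utc
NOW = datetime(2024, 3, 20, tzinfo=UTC)  # constructed "current" time
SAMPLE = [  # constructed listing; account ID, servers and timestamps are made up
    ("siem/web_1234_20240301T0100_srv_b_20240301T0110.csv.gz", datetime(2024, 3, 1, 1, 15, tzinfo=UTC)),
    ("siem/web_1234_20240318T0100_srvA_20240318T0110.csv.gz", datetime(2024, 3, 18, 1, 15, tzinfo=UTC)),
    ("siem/email_1234_20240310T0100_srvC_20240310T0110.csv.gz", datetime(2024, 3, 10, 2, 0, tzinfo=UTC)),
    ("siem/readme.txt", datetime(2024, 3, 19, tzinfo=UTC)),
]

if __name__ == "__main__":
    for kind, (age, state) in delivery_status(SAMPLE, NOW, "siem/").items():
        print(f"{kind}: newest object is {age} day(s) old -> {state}")
```

A stream that is missing from the result has no matching objects under the prefix at all, which deserves the same attention as a stale one.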

Using Forcepoint storage

To get the formatted SIEM data to your network when Forcepoint storage has been selected as the Storage type on the SIEM Storage page, you can either use the sample Perl script included in the zip file linked at the top of the SIEM Integration page, or create a script of your own. The account used to run this script is the one created in Create a new administrator contact for Forcepoint storage.

See Running the SIEM log file download script for Forcepoint Storage in Help for details on formatting the data and downloading and using the script.