Troubleshooting SIEM logging using Forcepoint storage
Your download script attempts to connect to the cloud service to download SIEM logs at an interval that you configure. If your script is unable to make the connection, or if it is unable to
retrieve the log files after connecting, the following problems may occur:
- The cloud service stores log files for only 14 days. After that period, the files are deleted, and cannot be recovered. When this occurs, your organization is no longer able to access and analyze web activity recorded in those logs.
- Depending on the volume of Internet activity that your organization sends through the cloud service, log files may grow quickly. If your script is unable to download log files for a day or more, the bandwidth required to download the files and the disk space required to store them may be substantial.
To address this issue:
- Check that your scheduling service (Windows Task Scheduler, or crontab on Linux) is running. If you are using Windows Task Scheduler, check that it is using your most recent network password to run the task.
- Your script may be prevented from accessing the cloud service due to network problems, either affecting Internet or internal network connections. Use a browser or the ping utility to verify that the machine running the script can connect to the Internet.
- If the script is connecting to the cloud service but cannot retrieve log records, verify that there is not a problem with the cloud service. Check the administrative email address associated with your SIEM logging account.
- Check that your cloud service password has not expired.
If you do not download logs for a period of 7 days, an email is sent to all administrative contacts with Log Export permission enabled, and all policy administrators where full traffic logging is enabled for the policy, notifying them that data has not yet been downloaded. At 13 days, a different email warns that data may be lost; it is deleted at 14 days. Further notifications are sent after 21 days to warn that the process will be disabled if not used. After 30 days you will be notified that SIEM logging has been deactivated and reporting logs are no longer being generated for your account.