SIEM integration formats

Enabling SIEM integration in Forcepoint Email Security allows log data to be saved to the SIEM server in one of several predefined formats: syslog/Common Event Format (CEF) for ArcSight, syslog/key-value pairs for Splunk, and syslog/Log Event Extended Format (LEEF) for QRadar.

The following should be considered when working with the CEF and LEEF formats, both of which use UTF-8 character encoding:

  • Spaces are valid in header fields and extension values and are written literally; the encoding <space> is not used.
  • A vertical bar, or pipe (|), used in a CEF header must be escaped with a backslash (\). A vertical bar in the extension section does not need an escape character.
  • A backslash (\) used in the header or the extension must be escaped with a second backslash (\).
  • An equals sign (=) used in an extension must be escaped with a backslash (\). Equals signs in the header do not need an escape character.
  • Multi-line fields can be sent in CEF by encoding the newline as the character sequence \n or \r. Multiple lines are allowed only in the value part of a key-value extension.
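The escaping rules above, applied in both directions: the following added example (not Forcepoint code; the vendor, product and event values are constructed placeholders) builds a CEF line that escapes pipes and backslashes in the header and backslashes, equals signs and newlines in extension values, then parses it back, so a collector can check that a pipe inside an extension value or a `\=` inside a message does not break field boundaries.

```python
import re

# Constructed sample values (placeholders, not actual Forcepoint output).
SAMPLE_HEADER = ["ExampleVendor", "Email Security", "1.0", "100", "Mail | quarantined", "5"]
SAMPLE_EXT = {"suser": "alice@example.com", "msg": "a=b|c\\d", "reason": "line1\nline2"}

def escape_header(value: str) -> str:
    # Header field: backslash -> \\ and pipe -> \| ; equals signs stay as-is.
    return value.replace("\\", "\\\\").replace("|", "\\|")

def escape_ext_value(value: str) -> str:
    # Extension value: backslash -> \\ , equals -> \= , a newline becomes the
    # two characters \n or \r ; pipes stay as-is.
    value = value.replace("\\", "\\\\").replace("=", "\\=")
    return value.replace("\r", "\\r").replace("\n", "\\n")

def build_cef(header_fields, ext) -> str:
    head = "|".join(escape_header(str(f)) for f in header_fields)
    body = " ".join(f"{k}={escape_ext_value(str(v))}" for k, v in ext.items())
    return f"CEF:0|{head}|{body}"

def split_header(line: str):
    """Return the 7 header fields (CEF:0 .. Severity) and the raw extension text."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped char: keep it literally
            cur.append(line[i + 1]); i += 2
        elif ch == "|":                            # unescaped pipe ends a header field
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, line[i:]

KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")   # an unescaped key= after a space
UNESC = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}

def parse_extension(ext: str) -> dict:
    out, keys = {}, list(KEY_RE.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end(): nxt.start() if nxt else len(ext)]   # value runs up to next key
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: UNESC.get(e.group(1), e.group(0)), raw)
    return out

def parse_cef(line: str):
    fields, ext = split_header(line)
    return fields, parse_extension(ext)

SAMPLE_LINE = build_cef(SAMPLE_HEADER, SAMPLE_EXT)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    assert parse_cef(SAMPLE_LINE) == (["CEF:0"] + SAMPLE_HEADER, SAMPLE_EXT)
```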