Troubleshooting Forcepoint FONE App in Splunk

After integrating Splunk application with Forcepoint ONE SSE using Forcepoint FONE App, you can troubleshoot issues if required.

How to check if the Forcepoint FONE App is configured properly and Forcepoint ONE SSE SWG logs are getting populated in Splunk?

You can confirm that the Forcepoint FONE App is configured properly and that Forcepoint ONE SSE SWG logs are being populated in Splunk in either of the following ways:
  • On the Web Analysis dashboard, make sure that the graphs display data for the selected time period.
  • Navigate to Apps > Search & Reporting and search for index="<Splunk Index>" | head 1.

    Replace <Splunk Index> with the actual index in which the data is stored.

    Event details should appear for the selected time period.

What to do if you get “the app might not have been configured” on opening the Forcepoint FONE App?

You should configure the Forcepoint FONE App and then restart Splunk to view SWG logs in the Web Analysis dashboard.

  1. Navigate to Manage Apps > Forcepoint FONE App > Set up page, fill in the form details and click Save.

    Refer to step 7 in Integrating Splunk application with Forcepoint ONE SSE using Forcepoint FONE App to know the details of the form.

  2. To restart Splunk, navigate to Settings > Server controls, click Restart Splunk and click OK.

What to do if Web Analysis dashboard is not showing any data?

There can be three scenarios for this issue:

Scenario 1

The Forcepoint FONE App is running fine and there is no new SWG log event data available in Forcepoint ONE SSE's AWS S3 data lake. In this case, you just have to wait until new SWG log event data is generated.

Scenario 2

There is an issue with the configuration or proxy details provided during the setup of Forcepoint FONE App.

Check the latest connection status to the Forcepoint ONE SSE SWG log source in either of the following ways:

  • Navigate to Apps > Search & Reporting and search for index="_internal" "Connected to log source" with a recent time filter (example: Last 24 hours).
  • Log in or SSH to the Splunk instance and run the following commands in the terminal, noting the timestamp in the messages:
    sudo su
    tail -c 35K /opt/splunk/var/log/splunk/splunkd.log | grep "Connected to log source"

Scenario 3

There is an issue with the Forcepoint FONE App other than a configuration or proxy issue. In this case, enable debugging mode in the Forcepoint FONE App:

  1. Log in or SSH to the Splunk instance.
  2. Run the following commands in the terminal:
    sudo su
    cd /opt/splunk/etc/apps/fone/bin
  3. In the file named swg_log_exporter.py, replace the line "logging.basicConfig(level=logging.INFO, format='%(levelname)s - %(message)s')" with "logging.basicConfig(level=logging.DEBUG, format='%(levelname)s - %(message)s')" using the vi editor or a similar text editor.
  4. Restart Splunk to reload the app.
  5. Collect debug logs by using either of the following methods:
    • Navigate to Apps > Search & Reporting, search for index="_internal" "swg_log_exporter" with a recent time filter (example: Last 24 hours) and click the export icon to download the debug logs in CSV format.
    • Log in or SSH to the Splunk instance and run the following commands in the terminal:
      sudo su
      tail -c 35K /opt/splunk/var/log/splunk/splunkd.log | grep "swg_log_exporter"
      cat /opt/splunk/etc/apps/fone/local/state.db

      Copy the output of the above two commands to separate files and share those saved debug logs with Forcepoint support.
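The two splunkd.log checks above (the "Connected to log source" grep in Scenario 2 and the "swg_log_exporter" grep in Scenario 3) can be combined into a small triage script. This is an added example, not part of the Forcepoint FONE App or Splunk; the log lines it reads are constructed to approximate splunkd.log's layout, the level tag it matches ("ERROR - ") is the one produced by the app's logging format shown in step 3, and the path to the script is the one given in Scenario 3.

```shell
#!/bin/sh
# Added example: triage the FONE exporter's entries in a splunkd.log file.
# Constructed sample lines (date, time, offset, level, component, message);
# they approximate splunkd.log's layout and are not real output.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat >"$SAMPLE_FILE" <<'EOF'
03-15-2024 10:20:00.001 +0000 INFO  ExecProcessor - message from "python3 /opt/splunk/etc/apps/fone/bin/swg_log_exporter.py" INFO - Starting exporter
03-15-2024 10:20:01.002 +0000 INFO  ExecProcessor - message from "python3 /opt/splunk/etc/apps/fone/bin/swg_log_exporter.py" INFO - Connected to log source
03-15-2024 10:25:01.003 +0000 ERROR ExecProcessor - message from "python3 /opt/splunk/etc/apps/fone/bin/swg_log_exporter.py" ERROR - Failed to list objects in data lake
03-15-2024 10:30:01.004 +0000 INFO  ExecProcessor - message from "python3 /opt/splunk/etc/apps/fone/bin/swg_log_exporter.py" INFO - Connected to log source
03-15-2024 10:30:02.005 +0000 INFO  TailReader - unrelated splunkd message
EOF

# Date and time of the most recent "Connected to log source" message in the
# given log file; prints nothing when the app never reached the log source.
last_connection_time() {
  grep "Connected to log source" "$1" | tail -n 1 | awk '{print $1, $2}'
}

# Number of lines the exporter script tagged at ERROR level. The "|| true"
# keeps grep's exit status 1 on zero matches from aborting under set -e.
exporter_error_count() {
  grep "swg_log_exporter" "$1" | grep -c "ERROR - " || true
}

# Map the evidence in the log onto the three scenarios from the guide.
diagnose() {
  if [ -z "$(last_connection_time "$1")" ]; then
    echo "scenario-2: no 'Connected to log source' message; check configuration and proxy settings"
  elif [ "$(exporter_error_count "$1")" -gt 0 ]; then
    echo "scenario-3: exporter logged errors; enable DEBUG logging and collect logs for support"
  else
    echo "scenario-1: connected and no exporter errors; wait for new SWG events"
  fi
}

# Run against the constructed sample; point it at
# /opt/splunk/var/log/splunk/splunkd.log on a real instance.
diagnose "$SAMPLE_FILE"
echo "last connection: $(last_connection_time "$SAMPLE_FILE")"
```

On a live instance the log is large, so pass the output of the page's tail -c 35K command through a temporary file rather than the whole splunkd.log.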