Troubleshooting Forcepoint FONE App in Splunk
After integrating the Splunk application with Forcepoint ONE SSE using the Forcepoint FONE App, you can troubleshoot issues if required.
How to check if the Forcepoint FONE App is configured properly and Forcepoint ONE SSE SWG logs are getting populated in Splunk?
- On the Web Analysis dashboard, make sure that the graphs display data for the selected time period.
- In Splunk, search for index="<Splunk Index>" | head 1, replacing <Splunk Index> with the actual index in which the data is stored. The event details should appear for the selected time period.
What to do if you get “the app might not have been configured” on opening the Forcepoint FONE App?
You should configure the Forcepoint FONE App and then restart Splunk to view SWG logs in the Web Analysis dashboard.
- Navigate to the Forcepoint FONE App configuration page, fill in the form details and click Save. Refer to step 7 in Integrating Splunk application with Forcepoint ONE SSE using Forcepoint FONE App for details of the form.
- To restart Splunk, click Restart Splunk and then click OK.
What to do if Web Analysis dashboard is not showing any data?
There are three possible scenarios for this issue:
Scenario 1
The Forcepoint FONE App is running fine, but there is no new SWG log event data available in Forcepoint ONE SSE's AWS S3 data lake. In this case, wait until new SWG log event data is generated.
Scenario 2
There is an issue with the configuration or proxy details provided during the setup of the Forcepoint FONE App.
Check the latest connection status to the Forcepoint ONE SSE SWG log source in either of the following ways:
- In Splunk, search for index="_internal" "Connected to log source" with a recent time filter (for example, Last 24 hours).
- Log in or SSH to the Splunk instance and run the following commands in the terminal, noting the timestamp in the messages:
sudo su
tail -c 35K /opt/splunk/var/log/splunk/splunkd.log | grep "Connected to log source"
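The tail | grep command above only shows matching lines; what matters for Scenario 2 is when the app last connected. The following script is an added example, not part of the Forcepoint FONE App or its documentation: it reads a splunkd.log, reports the timestamp of the most recent "Connected to log source" message and how many such messages were logged, and exits non-zero when none exists, so it can be used as a quick health check. The log lines it runs against are constructed for the example, and the assumed layout (date and time as the first two fields) may differ from the real splunkd.log; adjust the awk field numbers if so.

```shell
#!/bin/sh
# Added example, not code from the Forcepoint FONE App or Splunk.
# Assumption: each splunkd.log line starts with "<date> <time>" fields.

# Print the date and time of the most recent "Connected to log source" line
# in the given log file, or nothing if no such line exists.
last_connection_time() {
    grep "Connected to log source" "$1" | tail -n 1 | awk '{print $1, $2}'
}

# Count how many connection messages the given log file holds.
connection_count() {
    grep -c "Connected to log source" "$1"
}

# Exit status 0 when a connection was logged (summary printed), 1 otherwise.
check_log_source() {
    ts="$(last_connection_time "$1")"
    if [ -z "$ts" ]; then
        echo "No 'Connected to log source' message in $1: check the app configuration and proxy details"
        return 1
    fi
    echo "Last connection to the SWG log source at $ts ($(connection_count "$1") connections logged)"
    return 0
}

# Constructed sample log (not real splunkd.log output), written to a temp file.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
04-01-2024 09:00:01.123 +0000 INFO  ExecProcessor - message from "swg_log_exporter.py" INFO - Connected to log source
04-01-2024 09:15:02.456 +0000 INFO  ExecProcessor - message from "swg_log_exporter.py" INFO - Fetched 0 new events
04-01-2024 09:30:03.789 +0000 INFO  ExecProcessor - message from "swg_log_exporter.py" INFO - Connected to log source
EOF

# Constructed empty log, representing an app that never connected.
EMPTY_LOG="$(mktemp)"
: > "$EMPTY_LOG"

# Stand-alone run: report on both constructed logs.
check_log_source "$SAMPLE_LOG"
check_log_source "$EMPTY_LOG" || echo "(expected failure for the empty log)"
```

On a real instance, replace the constructed sample with /opt/splunk/var/log/splunk/splunkd.log (read as root, as in the documented commands) and compare the reported timestamp with the current time: a stale timestamp points at the configuration or proxy details rather than at a quiet data lake.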
Scenario 3
There is an issue with the Forcepoint FONE App other than a configuration or proxy issue. In this case, enable debugging mode in the Forcepoint FONE App:
- Log in or SSH to the Splunk instance.
- Run the following commands in the terminal:
sudo su
cd /opt/splunk/etc/apps/fone/bin
- In the file named swg_log_exporter.py, replace the line
logging.basicConfig(level=logging.INFO, format='%(levelname)s - %(message)s')
with the line
logging.basicConfig(level=logging.DEBUG, format='%(levelname)s - %(message)s')
using the Vi editor or similar.
- Restart Splunk to reload the app.
- Collect debug logs using either of the following methods:
- In Splunk, search for index="_internal" "swg_log_exporter" with a recent time filter (for example, Last 24 hours) and click the export icon to download the debug logs in CSV format.
- Log in or SSH to the Splunk instance and run the following commands in the terminal:
sudo su
tail -c 35K /opt/splunk/var/log/splunk/splunkd.log | grep "swg_log_exporter"
cat /opt/splunk/etc/apps/fone/local/state.db
Copy the output of the above two commands into separate files and share those saved debug logs with Forcepoint support.