Exporting Logs to AWS S3 Bucket
Forcepoint ONE SSE provides an option to export the Web, Web DLP, and Agent ZTNA logs specific to your tenant from the Forcepoint ONE SSE data lake to your own AWS S3 bucket using Amazon S3 Access Points. The customer logs are replaced every month.
Amazon S3 Access Points are unique hostnames that data owners (in this case, Forcepoint) create to enforce distinct permissions and network controls for any request made through access points. To understand Amazon S3 Access Points in detail, refer to Amazon S3 Access Points.
To create an access point, you only need to provide the AWS Account ID that will be used to access it. The access policy is set to allow read-only access to the logs.
To delete the access point for your tenant, contact Forcepoint Customer Support.
Creating Access Point
Follow the steps below to create an access point in Forcepoint ONE SSE:
- On Forcepoint ONE SSE, navigate to the page.
- Under the Logs section, select the Create Access point on AWS to read logs checkbox to create the access point.
By default, the Create Access point on AWS to read logs checkbox is unselected.
- In Customer AWS Account ID, enter the AWS account ID to which you want to export logs.
- Click Save to create an access point in the Forcepoint ONE SSE data lake for the entered Customer AWS Account ID.
- If the access point is created successfully, the following fields appear under the Customer Access Point section; you will need them when configuring your AWS account:
- Access Point Name - Displays the name of the access point.
- FONE AWS Account ID - Displays the Forcepoint ONE SSE AWS Account ID.
- Customer AWS Account ID - Displays the AWS Account ID that you entered.
- Access Point URI - Displays the access point URI, through which you can access logs in the Forcepoint ONE SSE AWS S3 bucket.
- Access Point ARN - Displays the access point ARN.
Configuring your AWS Account
After creating the access point for your AWS account in Forcepoint ONE SSE, follow the steps below to set up your AWS account, using the information from Forcepoint ONE SSE, to export your tenant logs to your own AWS S3 bucket:
- Log in to your Amazon AWS account as an admin.
- Assign the following IAM permission to the user to grant access to the access point created under the Customer Access Point section in Forcepoint ONE SSE.
Sample permission policy granting access to the access point:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": "*"
    }
  ]
}
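The sample above uses "Resource": "*", which lets the IAM user read every S3 resource it can reach, not just the tenant logs. The following Python is an added example, not part of the Forcepoint documentation: it builds the equivalent policy scoped to the Access Point ARN shown under Customer Access Point (using AWS's access point resource ARN forms, with the object form <access-point-arn>/object/*), and flags any Allow statement that still uses a wildcard resource. The ARN value is a constructed placeholder.

```python
import json
import re

# Constructed placeholder: substitute the Access Point ARN shown under Customer Access Point.
SAMPLE_ACCESS_POINT_ARN = "arn:aws:s3:us-east-1:111122223333:accesspoint/example-tenant-logs"

# The sample policy from the documentation above: it allows reads on every S3 resource.
PAGE_SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "*"}],
}

# Access point ARN form: arn:aws:s3:<region>:<account-id>:accesspoint/<name>
AP_ARN_RE = re.compile(r"^arn:aws:s3:[a-z0-9-]+:\d{12}:accesspoint/[a-z0-9-]+$")


def scoped_log_reader_policy(access_point_arn: str) -> dict:
    """IAM identity policy allowing list/read only through the given access point."""
    if not AP_ARN_RE.match(access_point_arn):
        raise ValueError(f"not an S3 access point ARN: {access_point_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # s3:ListBucket is evaluated against the access point ARN itself
                "Sid": "ListTenantLogsViaAccessPoint",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": access_point_arn,
            },
            {   # objects reached through an access point use the <ap-arn>/object/<key> form
                "Sid": "ReadTenantLogsViaAccessPoint",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"{access_point_arn}/object/*",
            },
        ],
    }


def wildcard_allow_statements(policy: dict) -> list:
    """Sids (or indexes) of Allow statements whose Resource is '*': grants to flag in review."""
    flagged = []
    for i, st in enumerate(policy.get("Statement", [])):
        res = st.get("Resource", [])
        if st.get("Effect") == "Allow" and "*" in ([res] if isinstance(res, str) else res):
            flagged.append(st.get("Sid", i))
    return flagged


def policy_json(access_point_arn: str) -> str:
    """Pretty-printed policy document ready to paste into the IAM console."""
    return json.dumps(scoped_log_reader_policy(access_point_arn), indent=2)
```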
Downloading tenant logs
Once the admin has assigned the above permission policy to the IAM user, that user can download tenant logs via the AWS CLI or CloudShell through their specific access point URI, using the --request-payer option, with the following command:
aws s3 cp <access-point-uri>/<any-prefix>/ . --recursive --request-payer
You can use the following command to view objects/folders:
aws s3 ls <access-point-uri>/<any-prefix>/ --request-payer
Replace <access-point-uri> with the Access Point URI from the Customer Access Point section in Forcepoint ONE SSE.
Integrating with Splunk
Forcepoint provides a Splunk app on Splunkbase for easily integrating with the Forcepoint ONE SSE AWS S3 data lake to pull Forcepoint ONE SSE SWG Web raw logs for the Allowed, Denied, Process via Cloud, and Isolated actions. For the detailed procedure, refer to Integrating Splunk application with Forcepoint ONE SSE using Forcepoint FONE App.