Troubleshooting Forcepoint ONE App in QRadar

After integrating QRadar application with Forcepoint Data Security Cloud | SSE using Forcepoint ONE application, you can troubleshoot issues if any.

How to check if the Forcepoint ONE app is configured properly and Forcepoint Data Security Cloud | SSE SWG logs are getting populated in QRadar?

You can verify by either of the following ways to confirm if the Forcepoint ONE App is configured properly and Forcepoint Data Security Cloud | SSE SWG logs are getting populated in QRadar:
  • On the Web Analysis dashboard, make sure that graphs are displaying data for selected time period.
  • Navigate to Log Activity and do an advanced search for SELECT "startTime", QIDNAME (qid), UTF8(payload) FROM events WHERE (QIDNAME (qid) ILIKE '%FONE SWGWEB%') order by "startTime" DESC LIMIT 1000 LAST 7 DAYS.

    The event details should appear for selected time period.

What to do if Web Analysis dashboard is not showing any data?

There can be three scenarios for this issue:

Scenario 1

The Forcepoint ONE App is running fine and there is no new SWG log event data available in Forcepoint Data Security Cloud | SSE's AWS S3 data lake. In this case, you just have to wait for some time till new SWG log event data is generated.

Scenario 2

There could be an issue with the configuration or proxy details provided during the setup of Forcepoint ONE App.

  1. Navigate to Admin tab and expand the Apps drop-down from the left column.
  2. Select Forcepoint ONE App Log Configuration and then click on the Configuration option on the right screen.
  3. On the Configuration page, fill in the form details if not filled and click Save.

    Refer to step 10 in Integrating QRadar application with Forcepoint Data Security Cloud | SSE using Forcepoint Data Security Cloud application to know the details of the form.

    Give it about 30 minutes for logs to be pulled after receiving a success message.

Scenario 3

There could be an issue with the Forcepoint ONE App other than configuration or proxy issue. In this case, enable the debugging mode in Forcepoint ONE App:

  1. Login or ssh to the QRadar instance.
  2. Run the following commands in the terminal:
    sudo -s
docker ps
cd /opt/app-root/app/
  3. In the file named swg_log_exporter.py, replace the logging.basicConfig(level=logging.INFO, format='%(levelname)s - %(message)s') line with the logging.basicConfig(level=logging.DEBUG, format='%(levelname)s - %(message)s') line using the Visual (Vi) Editor or similar.

    Docker should be pulling debug logs.

How to save the log files to capture the problem?

  1. Login or ssh to the QRadar instance.
  2. Run the following commands in the terminal:
    sudo -s
docker ps
  3. Find the container ID in the list by matching the application ID displayed in the URL of the application window.
  4. Run the following commands:
    docker cp <container_id>:/opt/app-root/store/log/startup.log /home/user/logs/
docker cp <container_id>:/opt/app-root/store/log/app.log /home/user/logs/
  5. Exit the container.
    exit
  6. Run the following command to capture an additional log file.
    tail -c 30K /var/log/qradar.log