Troubleshooting Forcepoint ONE App in QRadar
After integrating the QRadar application with Forcepoint Data Security Cloud | SSE using the Forcepoint ONE application, use the following checks to troubleshoot any issues.
How to check if the Forcepoint ONE app is configured properly and Forcepoint Data Security Cloud | SSE SWG logs are getting populated in QRadar?
- On the Web Analysis dashboard, make sure that graphs are displaying data for selected time period.
- Navigate to Log Activity and run the following advanced search:
SELECT "startTime", QIDNAME (qid), UTF8(payload) FROM events WHERE (QIDNAME (qid) ILIKE '%FONE SWGWEB%') order by "startTime" DESC LIMIT 1000 LAST 7 DAYS
The event details should appear for the selected time period.
What to do if Web Analysis dashboard is not showing any data?
There can be three scenarios for this issue:
Scenario 1
The Forcepoint ONE App is running fine, but no new SWG log event data is available in Forcepoint Data Security Cloud | SSE's AWS S3 data lake. In this case, wait until new SWG log event data is generated.
Scenario 2
There could be an issue with the configuration or proxy details provided during the setup of Forcepoint ONE App.
- Navigate to Admin tab and expand the Apps drop-down from the left column.
- Select Forcepoint ONE App Log Configuration and then click on the Configuration option on the right screen.
- On the Configuration page, fill in the form details if not filled and click Save.
Refer to step 10 in Integrating QRadar application with Forcepoint Data Security Cloud | SSE using Forcepoint Data Security Cloud application for details of the form.
Give it about 30 minutes for logs to be pulled after receiving a success message.
Scenario 3
There could be an issue with the Forcepoint ONE App other than configuration or proxy issue. In this case, enable the debugging mode in Forcepoint ONE App:
- Login or ssh to the QRadar instance.
- Run the following commands in the terminal:
sudo -s
docker ps
cd /opt/app-root/app/
- In the file named swg_log_exporter.py, replace the line
logging.basicConfig(level=logging.INFO, format='%(levelname)s - %(message)s')
with the line
logging.basicConfig(level=logging.DEBUG, format='%(levelname)s - %(message)s')
using the Vi editor or similar. Docker should then be pulling debug logs.
How to save the log files to capture the problem?
- Login or ssh to the QRadar instance.
- Run the following commands in the terminal:
sudo -s
docker ps
- Find the container ID in the list by matching the application ID displayed in the URL of the application window.
- Run the following commands:
docker cp <container_id>:/opt/app-root/store/log/startup.log /home/user/logs/
docker cp <container_id>:/opt/app-root/store/log/app.log /home/user/logs/
- Exit the container.
exit
- Run the following command to capture an additional log file:
tail -c 30K /var/log/qradar.log
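The debug toggle from Scenario 3 and the log-collection steps above, combined into one script. This is an added example, not code from the Forcepoint or QRadar documentation; it assumes QRadar app containers are named qapp-<application ID> (so the app ID from the URL can be matched against the NAMES column of docker ps), that docker is on PATH, and the log paths given in the steps above.

```shell
#!/bin/sh
# Added example for the QRadar host; run as root (sudo -s) as the steps above do.

# Print the ID of the container whose name is qapp-<app_id> (naming is an assumption).
# $1 = text of `docker ps`, $2 = application ID shown in the app window URL.
find_container_id() {
  printf '%s\n' "$1" | awk -v app="$2" 'NR > 1 && $NF == "qapp-" app { print $1; exit }'
}

# Scenario 3: switch swg_log_exporter.py from INFO to DEBUG logging. $1 = path to the file.
enable_debug_logging() {
  sed -i 's/logging\.basicConfig(level=logging\.INFO,/logging.basicConfig(level=logging.DEBUG,/' "$1" &&
    grep -q 'level=logging\.DEBUG' "$1"
}

# Copy startup.log and app.log out of the container and add the tail of qradar.log.
# $1 = container ID, $2 = destination directory. DOCKER and QRADAR_LOG can be overridden for testing.
collect_app_logs() {
  cid=$1; dest=$2
  mkdir -p "$dest" || return 1
  for f in startup.log app.log; do
    "${DOCKER:-docker}" cp "$cid:/opt/app-root/store/log/$f" "$dest/$f" || return 1
  done
  # 30K is the size used in the steps above; missing qradar.log is not fatal.
  tail -c 30K "${QRADAR_LOG:-/var/log/qradar.log}" > "$dest/qradar.tail.log" 2>/dev/null || :
  ls "$dest"
}

# Usage: collect_logs_for_app <application ID> <destination dir>
collect_logs_for_app() {
  cid=$(find_container_id "$("${DOCKER:-docker}" ps)" "$1")
  [ -n "$cid" ] || { echo "no container named qapp-$1 found" >&2; return 1; }
  collect_app_logs "$cid" "$2"
}
```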