Mapping forwarded logs to Forcepoint ONE SSE fields

Once the collector is set up successfully, you need to map your log column attributes to Forcepoint ONE SSE attributes.

Steps

  1. Click the Mapping Config link to open a page where you can map your log column attributes to Forcepoint ONE SSE attributes.
  2. Select the applicable vendor for the firewall/proxy logs.

    For non-ASA logs, once the vendor is selected, a preview shows the latest 5 log lines received from the collector.

  3. Use the column attribute mapping table to map the columns from the preview to the associated attribute.
  4. After the mapping is complete, report generation begins as soon as Forcepoint ONE SSE starts receiving data.

    Your report appears in a pending state. Initial report generation typically takes about an hour, depending on the amount and size of logs that need to be processed. After that, the report is updated hourly at the top of every hour.

    Reports use a 90-day sliding window, meaning any logs older than 90 days are automatically dropped.