Using Forcepoint storage
To get the formatted SIEM data to your network, you can either use the sample Perl script included in the zip file linked at the top of the SIEM integration page, or create a script of your own. The account used to run this script must have “Log Export” permissions (see Running the SIEM log file download script for Forcepoint storage for more information about using the script) but permission to log onto the portal is not required.
If you give this contact only the Log Export permission and nothing else, the user name and password cannot be used to log on to the cloud portal. Although log on permissions are not needed to run the script, the View Reports permission is the minimum permission a user needs to be able to log on.
Minimum permissions should be given to this user. The user password is needed to run the script and is viewable in plain text. For that reason, it is recommended that this user not be one with permissions to modify reports or account policies.
To download the sample script:
- Click the link in the introductory text on the SIEM Integration page.
- Save the file to a location of your choice and unzip it. It contains 4 files and provides all you need to run the script.
  - A set of binary library files.
  - A configuration file that can be used to pass parameters to the script. Then, use the cfg file parameter when you execute the script. See Running the SIEM log file download script for Forcepoint storage.
    Note that adding parameters to the command line when executing the script will override the parameters in the config file.
  - The default script file.
  - A ReadMe file with details on how to handle the other files.
The set of library files and the script should always be kept together in the same folder. The configuration file can be located in a different folder, if necessary; the path to it can be included in the cfg file parameter.
The script can be run on Windows or Linux, and does the following:
- Connects to the cloud service using the URL specified in the script
- Optionally reports the log files available for download
- Downloads the available log files to a location of your choice, or by default to the directory where the script is located
- Optionally checks the MD5 hash of each downloaded file to verify the file’s integrity before deletion from the server
- Uses the HTTP DELETE method to exclude downloaded files from the list of files to be processed.
Whether they have been downloaded or not, files that are 14 days old are deleted.
Running the script on Windows requires a Perl distribution, which you can download from http://www.perl.org/get.html.
The script (par file) contains all of the necessary modules, but, should you need to install them manually, a list of the required modules is included in the ReadMe that is part of the zip file.
If you customize the sample script or choose to write your own script, you must always include the DELETE method to avoid listing the same files again and to remove the downloaded files from the server. This is because files are only retained for 14 days.
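The download, verify and DELETE loop described above, as an added example that is not the sample Perl script from the zip file: the cloud service URL, endpoints and credentials are not given on this page, so the service is a constructed in-memory stand-in (FakeLogService) that only models list, download and DELETE. The point it shows is that a file is deleted from the server only after its MD5 hash has been verified, so a corrupted download is left in place for the next run.

```python
import hashlib
import tempfile
from pathlib import Path


class FakeLogService:
    """Constructed stand-in for the cloud service; not the real API."""

    def __init__(self, files):
        self.files = dict(files)  # name -> bytes
        # the hash the server advertises for each file (computed from real content)
        self.advertised_md5 = {n: hashlib.md5(b).hexdigest() for n, b in self.files.items()}

    def list_files(self):
        return [(n, self.advertised_md5[n]) for n in sorted(self.files)]

    def download(self, name):
        return self.files[name]

    def delete(self, name):  # stands in for the HTTP DELETE the text requires
        del self.files[name]
        del self.advertised_md5[name]


def sync_logs(service, dest_dir):
    """Download every listed file, verify its MD5, and DELETE it on the server
    only when the hash matches. Returns (downloaded, failed) name lists."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    downloaded, failed = [], []
    for name, expected_md5 in service.list_files():
        data = service.download(name)
        if hashlib.md5(data).hexdigest() != expected_md5:
            failed.append(name)  # leave it on the server so the next run retries it
            continue
        (dest / name).write_bytes(data)
        service.delete(name)  # without this the file is listed again on every run
        downloaded.append(name)
    return downloaded, failed


def run_demo():
    """Constructed scenario: two files, the second with a deliberately wrong hash."""
    svc = FakeLogService({"web-2024-01-01.log": b"a,b\n", "web-2024-01-02.log": b"c,d\n"})
    svc.advertised_md5["web-2024-01-02.log"] = "0" * 32  # simulated corrupt download
    downloaded, failed = sync_logs(svc, tempfile.mkdtemp())
    remaining = [n for n, _ in svc.list_files()]
    return downloaded, failed, remaining


if __name__ == "__main__":
    print(run_demo())
```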
Optionally, you can use the Windows Scheduler or Linux cron and crontab commands to schedule the script to run at regular intervals. Use the infinite_loop option (see Running the SIEM log file download script for Forcepoint storage) to run the script as a background process.
For information about using the sample script, see Running the SIEM log file download script for Forcepoint storage.