SIEM with Forcepoint Web Security, v8.5 and v8.5.3

The following diagram shows a possible configuration for SIEM integration up to v8.5.3:

This deployment includes 2 Policy Server instances, each with its own Multiplexer instance.

  • There are 2 Filtering Service instances associated with Policy Server 1; both pass Internet activity data to Multiplexer 1.
  • Each Multiplexer instance passes the data that it receives from its associated Filtering Service instances to both Log Server and a third-party SIEM product.

The illustration shows 2 Forcepoint appliances and an additional server; all web protection components shown in the diagram could be deployed on a supported Windows or Linux server, or an appliance.

Data for each Policy Server (including those without a SIEM solution enabled) is sent to all SIEM solutions configured for other Policy Servers assigned to the same Policy Broker. This is true whether Policy Server was installed and assigned to a specific Policy Broker, or Policy Server was connected to a Policy Broker using the Settings > General > Policy Broker page of Security Manager.

Important: To avoid duplication of data when using the same SIEM solution for each Policy Server assigned to the same Policy Broker, make sure that the details entered on the Settings > General > SIEM Integration page match for each Policy Server. If IP address or hostname, Port, and SIEM format do not match, the SIEM integration is handled as a different SIEM solution.

If data that is sent to a specific SIEM solution should not be forwarded to other SIEM solutions, install a replica Policy Broker and associate the corresponding Policy Server with that replica.
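The forwarding rules above can be checked against a deployment inventory before a change is made. The following is an added example, not Forcepoint code: it computes which Policy Servers' data reaches each SIEM entry under a Policy Broker and flags brokers where mismatched entries would be handled as separate SIEM solutions. The inventory layout, the names and sample values, and the exact-match comparison of the three fields are assumptions.

```python
from collections import defaultdict

# Constructed inventory (not exported from any product): one row per Policy Server,
# holding the values read off Settings > General > SIEM Integration.
# "siem" is None where SIEM integration is not enabled on that Policy Server.
INVENTORY = [
    {"policy_server": "PS1", "broker": "PB-primary", "siem": ("10.0.0.5", 514, "CEF")},
    {"policy_server": "PS2", "broker": "PB-primary", "siem": ("siem.example.internal", 514, "CEF")},
    {"policy_server": "PS3", "broker": "PB-primary", "siem": None},
    {"policy_server": "PS4", "broker": "PB-replica", "siem": ("10.0.0.9", 514, "LEEF")},
]

def effective_flow(inventory):
    """Map each broker to {siem_entry: Policy Servers whose data reaches it}."""
    servers, targets = defaultdict(set), defaultdict(set)
    for row in inventory:
        servers[row["broker"]].add(row["policy_server"])
        if row["siem"] is not None:
            targets[row["broker"]].add(row["siem"])
    # Every SIEM entry under a broker receives data for all of that broker's Policy Servers.
    return {b: {t: sorted(servers[b]) for t in targets[b]} for b in servers}

def findings(inventory):
    """Return review findings as (broker, kind, detail) tuples."""
    configured = {r["policy_server"]: r["siem"] for r in inventory}
    out = []
    for broker, flow in sorted(effective_flow(inventory).items()):
        # Assumption: entries differing in any field as entered count as different SIEM solutions.
        if len(flow) > 1:
            out.append((broker, "multiple-siem-entries", sorted(flow)))
        for target, senders in sorted(flow.items()):
            # Policy Servers whose data reaches a SIEM entry they did not configure themselves.
            extra = [ps for ps in senders if configured[ps] != target]
            if extra:
                out.append((broker, "unconfigured-senders", (target, extra)))
    return out

if __name__ == "__main__":
    for finding in findings(INVENTORY):
        print(finding)
```

In the constructed data, PS1 and PS2 point at what may be the same collector by IP address and by hostname, so the broker carries two SIEM entries and each receives data from all three Policy Servers; PS4, on its own replica Policy Broker, is isolated.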