SIEM with Forcepoint Web Security, v8.5.4 and v8.5.5

The following diagram shows a possible configuration for SIEM integration from v8.5.4 onwards:

In a basic SIEM integration configuration for v8.5.4 and v8.5.5, data for each Policy Server is sent to each of the SIEM solutions configured in the Internet Activity Log Data section of Web > Settings > General > SIEM Integration. Data from one Policy Server is not also sent to the SIEM integrations configured for associated Policy Servers. To send data from multiple Policy Servers to the same SIEM integration, each Policy Server must be configured to use the same SIEM solution or solutions.

The Audit Log Data section is available for the primary Policy Server. When Enable SIEM integration for audit log data for this Policy Server is selected, the data viewable on Web > Status > Audit Log is forwarded to the configured SIEM integration. This data shows which administrators have accessed the Forcepoint Security Manager, as well as any changes made to policies and settings. Note that this feature is available only for the primary Policy Server and does not appear if you switch to a secondary Policy Server.