Before you begin
Log on to the Web Security module of the Forcepoint Security Manager and navigate to the page used to activate and configure SIEM integration.
Perform this procedure for each Policy Server instance in your deployment.
Steps
- In the Internet Activity Log Data section (the section has a different title in v8.5.3):
  - For v8.5.4 and v8.5.5: Click Add to open a new window where you continue configuring the SIEM integration.
  - For v8.5 and v8.5.3: Select Enable SIEM integration for Internet activity log data for this Policy Server (in v8.5, select Enable SIEM integration for this Policy Server) to turn on the SIEM integration feature. Repeat these steps for each Policy Server instance in your deployment so that each one passes its log data to the third-party SIEM product.
- Provide the IP address or hostname of the machine hosting the SIEM product, then provide the communication Port to use for sending SIEM data.
- Specify the Transport protocol (UDP or TCP) to use when sending data to the SIEM product. Note that UDP provides no delivery guarantee, so records can be dropped silently under load or network congestion; if the SIEM product accepts TCP, prefer it.
- Select the SIEM format to use. This determines the syntax of the string used to pass log data to the integration.
  - The available formats are syslog/CEF (ArcSight), syslog/key-value pairs (Splunk and others), syslog/LEEF (QRadar), and Custom.
  - If you select Custom, a text box is displayed. Enter or paste the string that you want to use. Click View SIEM format strings for a set of sample strings to use as a reference or template.
  - If you select a non-custom option, a sample Format string showing fields and value keys is displayed.
  See Working with SIEM integration format strings for more information about format strings and the data included in records sent to the integration.
- Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
Next steps
After the changes have been saved, Multiplexer distributes the log data it receives from Filtering Service to both Log Server and the selected SIEM integration.
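The following Python script is an added example, not part of this documentation or of the product. It acts as a stand-in SIEM receiver on the host, port and Transport you configured above and parses the three non-custom formats (syslog/CEF, syslog/LEEF and syslog/key-value pairs) according to their public specifications, so you can confirm that records arrive and are well-formed before pointing the integration at the real SIEM product. The sample records, the ExampleVendor/ExampleProduct names, the field names and the syslog priority and header in it are constructed for illustration; the product's actual field layout is the one shown in the sample Format string in the console and described under Working with SIEM integration format strings.

```python
"""Stand-in SIEM receiver and parser for syslog/CEF, syslog/LEEF and
syslog/key-value records. Sample records and field names are constructed
for this example and are not the product's real format strings."""
import re
import socket

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# CEF extension values may contain spaces; key-value values may be double-quoted
CEF_EXT_RE = re.compile(r"([^\s=]+)=(.*?)(?=\s+[^\s=]+=|$)", re.DOTALL)
KV_RE = re.compile(r'([^\s=]+)=("(?:[^"\\]|\\.)*"|\S*)')

def split_header(text, nsplits):
    """Split on unescaped '|' at most nsplits times, honoring '\\|' and '\\\\'.
    The remainder (the extension) is kept verbatim; it may contain raw pipes."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < nsplits:
        ch = text[i]
        if ch == "\\" and text[i + 1:i + 2] in ("|", "\\"):
            i += 1  # escaped pipe or backslash: keep the next char literally
            cur.append(text[i])
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur) + text[i:])
    return fields

def unescape_cef(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_kv(text):
    out = {}
    for k, v in KV_RE.findall(text):
        out[k] = v[1:-1].replace('\\"', '"') if len(v) >= 2 and v[0] == v[-1] == '"' else v
    return out

def parse_record(line):
    """Detect the format of one syslog line and return a dict of its fields."""
    pm = PRI_RE.match(line.strip())
    pri, msg = (int(pm.group(1)), pm.group(2).lstrip()) if pm else (None, line.strip())
    rec = {"pri": pri}
    fm = re.search(r"\b(CEF|LEEF):", msg)
    if fm and fm.group(1) == "CEF":
        hdr = split_header(msg[fm.start():], 7)  # 7 header fields + extension
        if len(hdr) != 8:
            raise ValueError("malformed CEF header: %r" % msg)
        rec.update(format="CEF", cef_version=hdr[0][4:], vendor=hdr[1], product=hdr[2],
                   version=hdr[3], signature_id=hdr[4], name=hdr[5], severity=hdr[6],
                   ext={k: unescape_cef(v) for k, v in CEF_EXT_RE.findall(hdr[7])})
    elif fm:
        body = msg[fm.start():]
        ver = body[5:body.index("|")]
        nsplits = 5 if ver.startswith("1.") else 6  # LEEF 2.0 adds a delimiter field
        hdr = split_header(body, nsplits)
        delim = hdr[5] if nsplits == 6 and hdr[5] else "\t"  # LEEF default delimiter is a tab
        attrs = dict(a.split("=", 1) for a in hdr[-1].split(delim) if "=" in a)
        rec.update(format="LEEF", leef_version=ver, vendor=hdr[1], product=hdr[2],
                   version=hdr[3], event_id=hdr[4], ext=attrs)
    else:
        rec.update(format="KV", ext=parse_kv(msg))
    return rec

def receive_records(host, port, transport, count, timeout=30.0):
    """Bind as the SIEM endpoint configured in the console and return `count`
    parsed records: one per datagram for UDP, newline-delimited for TCP."""
    records = []
    if transport.upper() == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.bind((host, port))
            while len(records) < count:
                data, _ = s.recvfrom(65535)
                records.append(parse_record(data.decode("utf-8", "replace")))
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
            srv.settimeout(timeout)
            srv.bind((host, port))
            srv.listen(1)
            conn, _ = srv.accept()
            with conn, conn.makefile("r", encoding="utf-8", errors="replace") as f:
                for line in filter(str.strip, f):
                    records.append(parse_record(line))
                    if len(records) >= count:
                        break
    return records

# Constructed sample records in the three non-custom formats (not real product output)
SAMPLE_CEF = ("<134>Jan 01 12:00:00 wshost CEF:0|ExampleVendor|ExampleProduct|8.5.5|100|"
              "Category\\|Shopping|3|src=10.1.2.3 dst=93.184.216.34 suser=jdoe "
              "request=http://example.com/a\\=b act=permitted")
SAMPLE_LEEF = ("<134>Jan 01 12:00:00 wshost LEEF:1.0|ExampleVendor|ExampleProduct|8.5.5|100|"
               "src=10.1.2.3\tdst=93.184.216.34\tusrName=jdoe\tcat=Shopping")
SAMPLE_KV = ('<134>Jan 01 12:00:00 wshost src="10.1.2.3" dst="93.184.216.34" user="jdoe" '
             'url="http://example.com/path with space" action="blocked"')

if __name__ == "__main__":
    print(*map(parse_record, (SAMPLE_CEF, SAMPLE_LEEF, SAMPLE_KV)), sep="\n")
```

On the SIEM host (or a test machine standing in for it), call receive_records("0.0.0.0", 514, "UDP", count=5) with the same port and Transport you entered in the console, click Save and Deploy, then browse through the proxy: the parsed records show which format Multiplexer is actually sending and whether the header fields line up. Binding port 514 requires root or an equivalent privilege. The TCP branch assumes newline-terminated records on a single connection, which is the common syslog-over-TCP convention; that is an assumption of this example, not something this page states.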