Perform these steps in the Audit Log Data section for the primary Policy Server in your deployment to pass audit log data to a third-party SIEM product. (See Viewing and exporting the audit log for more information about the audit log.)
Steps
- Check Enable SIEM integration for audit log data for this Policy Server to enable the feature. Note that this feature is available only for the primary Policy Server and does not appear if you switch to a secondary Policy Server.
- Provide the IP address or hostname of the machine hosting the SIEM product, as well as the communication Port to use for sending the audit log data.
- Specify the Transport protocol (UDP or TCP) to use when sending audit log data to the SIEM product.
- Select the SIEM format to use. This determines the syntax of the string used to pass audit log data to the integration.
  - If you select Custom, enter or paste the string that you want to use in the text box that displays. Click View SIEM format strings for samples to use as a reference.
  - If you select a non-custom format, a sample Format string displays.
- Click OK to cache your changes. Changes are not implemented until you click Save and Deploy. When you save your changes, records written to the audit log are forwarded to the SIEM solution.
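Before relying on the integration, it is worth confirming that the host, Port and Transport you entered actually deliver records. The following stand-in receiver is an added example, not part of the product documentation: it plays the SIEM endpoint on loopback for either transport offered in the Transport setting, and a loopback sender stands in for the Policy Server. The framing (one record per UDP datagram, newline-terminated records over TCP), the sample records and port 15514 are assumptions for the test, not values from the page.

```python
import socket
import threading
# Constructed sample audit records for a loopback test; not real Policy Server output.
SAMPLE_RECORDS = ["2024-01-01T00:00:00Z user=admin action=login result=success",
                  "2024-01-01T00:01:00Z user=admin action=policy_change result=success"]

def _split_records(data):
    # Assumed framing: one record per UDP datagram, newline-terminated records over TCP.
    return [ln for ln in data.decode("utf-8", "replace").split("\n") if ln.strip()]

def receive_records(transport, port, expected, ready, timeout=5.0):
    # Stand-in SIEM endpoint on 127.0.0.1:port; raises socket.timeout if records stop arriving.
    records, kind = [], (socket.SOCK_DGRAM if transport == "UDP" else socket.SOCK_STREAM)
    with socket.socket(socket.AF_INET, kind) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.settimeout(timeout)
        sock.bind(("127.0.0.1", port))
        if transport == "TCP":
            sock.listen(1)
        ready.set()  # endpoint is bound (and listening, for TCP): safe to send now
        if transport == "UDP":
            while len(records) < expected:
                records.extend(_split_records(sock.recvfrom(65535)[0]))
        else:
            with sock.accept()[0] as conn:
                conn.settimeout(timeout)
                buf = b""
                while len(records) < expected:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break  # peer closed the connection
                    buf += chunk
                    *complete, buf = buf.split(b"\n")  # keep a partial trailing record
                    records.extend(_split_records(b"\n".join(complete)))
    return records

def send_records(transport, port, records):
    # Plays the Policy Server side of the exchange for the loopback test.
    kind = socket.SOCK_DGRAM if transport == "UDP" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as sock:
        sock.connect(("127.0.0.1", port))
        for rec in records:
            sock.sendall((rec + "\n").encode())

def self_check(transport, port=15514):
    # Receiver in a thread, sender in the caller; returns what the receiver collected.
    ready, result = threading.Event(), []
    worker = threading.Thread(target=lambda: result.extend(
        receive_records(transport, port, len(SAMPLE_RECORDS), ready)))
    worker.start()
    ready.wait(5.0)
    send_records(transport, port, SAMPLE_RECORDS)
    worker.join()
    return result
```

Run `receive_records` on the SIEM host with the port and transport configured above (and an Event you create) to watch for the first records after Save and Deploy; a timeout points at the host, port, transport or an intervening firewall rather than at the format string.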
For more detailed information about the data passed to the SIEM integration, see Integrating web protection solutions with third-party SIEM products. Subsections of the linked document provide mapping information for category numbers, disposition codes, reason strings, and other information included in the SIEM output.