SIEM Connector is not running
The SIEM Connector forwards data to a third-party SIEM integration and logs data in SIEM logs.
No data can be forwarded to a third-party SIEM server when the Connector is stopped. Data logged while the Connector is stopped does not appear in SIEM logs.
On Linux, data is retained for 1 week or until it reaches a maximum size of 8 GB, whichever happens first, and is forwarded when SIEM Connector starts again. In a Windows deployment, there are no size or time limits. All data is forwarded when the SIEM Connector restarts.
To address this issue:
- Windows: Use the Windows Services tool to start Websense SIEM Connector.
- Linux: Use the /opt/Websense/WebsenseDaemonControl command to start SIEM Connector.
- On an appliance: Use the CLI command to start SIEM Connector. See the Forcepoint Appliances CLI Guide.