Configuring how requests are logged

Use the Settings > General > Logging page to:

  • Provide the IP address and port that Filtering Service uses to send log records to Log Server.
  • (Hybrid Module for Forcepoint Web Security) Provide the port that Sync Service uses to send hybrid log records to Log Server.
  • Specify what client-identifying information, if any, Filtering Service sends to Log Server for use in reporting.
  • Determine which URL categories are logged for use in reporting and category usage alerting (see Configuring category usage alerts).

In an environment with multiple Policy Servers, configure the Logging page separately for each Policy Server instance. All Filtering Service instances associated with the active Policy Server send their log records to the Log Server identified on this page.

When working with multiple Policy Servers, note that:

  • Each Policy Server can communicate with a single Log Server instance.
  • For reporting data to display, there must be a Log Server associated with the base Policy Server (the Policy Server instance specified during installation, noted on the Settings > General > Policy Servers page).

    This is typically the Policy Server installed with Policy Broker (for example, the Policy Server on the full policy source appliance).

  • If the Log Server IP address and port are blank for any Policy Server, the Filtering Service instances associated with that Policy Server cannot log any traffic for reporting or alerts.
  • Information about whether or not user names and IP addresses are logged is stored centrally, so the same settings are used throughout your deployment.

    Likewise, any changes you make to how categories are logged are shared by all Filtering Service and Log Server instances.

If your environment includes both multiple Policy Servers and multiple Log Servers, make sure you log on to each Policy Server separately, and verify that it is communicating with the correct Log Server.

  1. Enter the Log Server IPv4 address or hostname.
  2. Enter the Port that Filtering Service uses to send log records to Log Server (55805, by default).
  3. (Hybrid Module for Forcepoint Web Security) Enter the port that Sync Service uses to send log records from the hybrid service to Log Server.
  4. Click Check Status to determine whether the Forcepoint Security Manager is able to communicate with Log Server using the specified location and port.

    A message indicates whether the connection test passed. Update the IP address or hostname and port, if needed, until the test is successful.

  5. Specify how much user data is stored in log records and displayed in reports:
    • To log identifying information for machines accessing the Internet, mark Log IP addresses.
    • To log identifying information for users accessing the Internet, mark Log user names.
      Note: If you do not log IP addresses or user names, there can be no user data in your reports. This is sometimes called anonymous logging.
    • If you are using Forcepoint Web Security, and want Threats dashboard tables to include source device name information, when available, click Log hostnames.

      Name information is available in threat-related logs only. It is not available for Internet activity to which no severity is assigned.

  6. Use the Selective Category Logging list to indicate any URL categories that should not be logged. Changes made here apply to all category filters in all active policies.
    Note: If you disable logging for categories that have usage alerts set up (see Configuring category usage alerts), no usage alerts can be sent.

    Reports cannot include information about categories that are not logged.

    Categories with “(Restricted)” next to the name were added using the Management API. See the Management API Guide for details.

    • Use the Find category search box to quickly jump to a specific category.
    • Expand parent categories as needed to change logging for subcategories.
    • Clear the check box next to a category name to stop logging the category.

      You must select or deselect each category separately. Selecting a parent category does not automatically select its subcategories. Use Select All and Clear All to assist with selections.

  7. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
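
The rules above for multiple Policy Servers, the Check Status test, and selective category logging can also be checked from a script. The following is an added example, not Forcepoint code: the inventory format, the function names, and the sample names, addresses, and categories are assumptions made for illustration. The TCP probe runs from the machine that executes the script, whereas Check Status tests the connection from the Forcepoint Security Manager.

```python
import socket

DEFAULT_LOG_PORT = 55805  # default Filtering Service -> Log Server port

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds from THIS machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_logging(policy_servers, alert_categories=(), unlogged_categories=(),
                  probe=tcp_reachable):
    """Return findings for a hypothetical inventory of Logging page settings."""
    findings = []
    for ps in policy_servers:
        name, host, port = ps["name"], ps.get("log_server"), ps.get("log_port")
        if not host or not port:
            findings.append(f"{name}: Log Server address or port is blank, "
                            "so its Filtering Service instances log nothing")
            if ps.get("base"):
                findings.append(f"{name}: base Policy Server has no Log Server, "
                                "so no reporting data is displayed")
        elif not probe(host, port):
            findings.append(f"{name}: Log Server {host}:{port} is unreachable")
    # Categories excluded by Selective Category Logging cannot raise usage alerts.
    for cat in sorted(set(alert_categories) & set(unlogged_categories)):
        findings.append(f"category {cat!r}: usage alert configured but logging "
                        "is disabled, so no alert can be sent")
    return findings

# Constructed sample inventory (names and TEST-NET addresses are made up).
SAMPLE = [
    {"name": "ps-base", "base": True, "log_server": "192.0.2.10", "log_port": DEFAULT_LOG_PORT},
    {"name": "ps-branch", "log_server": "", "log_port": None},
    {"name": "ps-dmz", "log_server": "192.0.2.30", "log_port": DEFAULT_LOG_PORT},
]

if __name__ == "__main__":
    # Stand-in probe so the demo runs offline; drop it to use real TCP checks.
    offline = lambda host, port: host != "192.0.2.30"
    for line in audit_logging(SAMPLE, ["Gambling"], ["Gambling", "News"], offline):
        print(line)
```

Run it from a Filtering Service host to confirm that the path the log records actually take is open, not only the path from the management console.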