Forcepoint V-Series Content Gateway

The Forcepoint V-Series Content Gateway DSM for JSA supports events for web content on Forcepoint V-Series appliances with the Content Gateway software.

The Forcepoint V-Series Content Gateway DSM accepts events either streamed over syslog or retrieved with the log file protocol. Before you can integrate your appliance with JSA, you must select one of the following configuration methods:

Configure Syslog for Forcepoint V-Series Content Gateway

The Forcepoint V-Series DSM supports Forcepoint V-Series appliances that run the Forcepoint Content Gateway on Linux software installations.

Before you configure JSA, you must configure the Forcepoint Content Gateway to provide LEEF formatted syslog events.

Configuring the Management Console for Forcepoint V-Series Content Gateway

You can configure event logging in the Content Gateway Manager.

  1. Log in to your Forcepoint Content Gateway Manager.

  2. Click the Configure tab.

  3. Select Subsystems > Logging.

    The General Logging Configuration window is displayed.

  4. Select Log Transactions and Errors.

  5. Select Log Directory to specify the directory path of the stored event log files.

    The directory that you define must exist and the Forcepoint user must have read and write permissions for the specified directory.

    The default directory is /opt/WCG/logs.

  6. Click Apply.

  7. Click the Custom tab.

  8. In the Custom Log File Definitions window, type the following text for the LEEF format.

    Note:

    The fields in the LEEF format string are tab separated. You might be required to type the LEEF format in a text editor and then cut and paste it into your web browser to retain the tab separations. The definitions file ignores extra white space, blank lines, and all comments.

  9. Select Enabled to enable the custom logging definition.

  10. Click Apply.

You can now enable event logging for your Forcepoint Content Gateway.

Enabling Event Logging for Forcepoint V-Series Content Gateway

If you are using a Forcepoint V-Series appliance, contact Forcepoint Technical Support to enable this feature.

  1. Log in to the command-line interface (CLI) of the server running Forcepoint Content Gateway.

  2. Add the following lines to the end of the /etc/rc.local file:

    Where <IP Address> is the IP address for JSA.

  3. To start logging immediately, type the following command:

    Note:

    You might need to type the logging command in Enabling Event Logging for Forcepoint V-Series Content Gateway or copy the command to a text editor to interpret the quotation marks.

    The configuration is complete. The log source is added to JSA as syslog events from Forcepoint V-Series Content Gateway are automatically discovered. Events forwarded by Forcepoint V-Series Content Gateway are displayed on the Log Activity tab of JSA.

Syslog Log Source Parameters for Forcepoint V-Series Content Gateway

If JSA does not automatically detect the log source, add a Forcepoint V-Series Content Gateway log source on the JSA Console by using the syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect syslog events from Forcepoint V-Series Content Gateway:

Table 1: Syslog Log Source Parameters for the Forcepoint V-Series Content Gateway DSM

| Parameter | Value |
|---|---|
| Log Source Name | Type a name for your log source. |
| Log Source Description | Type a description for the log source. |
| Log Source type | Forcepoint V Series |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Forcepoint V-Series Content Gateway appliance. |

Log File Protocol for Forcepoint V-Series Content Gateway

The log file protocol allows JSA to retrieve archived log files from a remote host.

The Forcepoint V-Series DSM supports the bulk loading of log files from your Forcepoint V-Series Content Gateway using the log file protocol to provide events on a scheduled interval. The log files contain transaction and error events for your Forcepoint V-Series Content Gateway:

Configuring the Content Management Console for Forcepoint V-Series Content Gateway

Configure event logging in the Content Management Console.

  1. Log in to your Forcepoint Content Gateway interface.

  2. Click the Configure tab.

  3. Select Subsystems > Logging.

  4. Select Log Transactions and Errors.

  5. Select Log Directory to specify the directory path of the stored event log files.

    The directory you define must already exist and the Forcepoint user must have read and write permissions for the specified directory.

    The default directory is /opt/WCG/logs.

  6. Click Apply.

  7. Click the Formats tab.

  8. Select Netscape Extended Format as your format type.

  9. Click Apply.

You can now enable event logging for your Forcepoint V-Series Content Gateway.

Log File Log Source Parameters for Forcepoint V-Series Content Gateway

If JSA does not automatically detect the log source, add a Forcepoint V-Series Content Gateway log source on the JSA Console by using the Log File protocol.

When using the Log File protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Log File events from Forcepoint V-Series Content Gateway:

Table 2: Log File Log Source Parameters for the Forcepoint V-Series Content Gateway DSM

| Parameter | Value |
|---|---|
| Log Source type | Forcepoint V Series |
| Protocol Configuration | Log File |
| Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Forcepoint V-Series Content Gateway devices. |
| Service Type | Secure File Transfer Protocol (SFTP) |
| FTP File Pattern | extended.log_.*.old |
| Remote Directory | /opt/WCG/logs |
| Event Generator | LINEBYLINE |

Forcepoint V-Series Content Gateway Sample Event Messages

Use these sample event messages to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Forcepoint V-Series Content Gateway Sample Messages when you use the Syslog Protocol

Sample 1: The following sample event message shows that access is blocked by Websense.

Table 3: Highlighted Values in the Forcepoint V-Series Content Gateway Event Payload

| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | disposition |
| Category | cat |
| Source IP | src |
| Source Port | srcPort |
| Destination IP | dst |
| Destination Port | dstPort |
| Username | usrName |

Sample 2: The following sample event message shows that access is permitted by Websense.

Table 4: Highlighted Values in the Forcepoint V-Series Content Gateway Event Payload

| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | disposition |
| Category | cat |
| Source IP | src |
| Source Port | srcPort |
| Destination IP | dst |
| Destination Port | dstPort |
| Username | usrName |
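
The following added example is not part of the original documentation or of any Forcepoint or JSA code. It parses a LEEF event, maps its keys to the JSA field names in Tables 3 and 4, and flags an event whose tab separators were lost during a copy and paste. It assumes the LEEF 1.0 header layout (five pipe-delimited fields before the attributes); the sample event, its header values, and the function names are constructed for illustration.

```python
import re

# JSA field name -> LEEF attribute key, as listed in Tables 3 and 4.
JSA_TO_LEEF = {
    "Event ID": "disposition", "Category": "cat",
    "Source IP": "src", "Source Port": "srcPort",
    "Destination IP": "dst", "Destination Port": "dstPort",
    "Username": "usrName",
}

def parse_leef(raw):
    """Return (header, attrs) for one LEEF 1.0 event, tolerating a syslog prefix."""
    line = raw.replace("\r", "").replace("\n", "")  # undo pasted line breaks
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in event")
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("expected 5 pipe-delimited header fields before attributes")
    attrs = {}
    for pair in parts[5].split("\t"):  # attributes are tab separated
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return parts[:5], attrs

def tabs_lost(attrs):
    """Heuristic: a value holding ' key=' means tabs were turned into spaces."""
    return any(re.search(r"\s\w+=", v) for v in attrs.values())

def jsa_view(attrs):
    """Map parsed attributes to JSA field names; report keys that are absent."""
    mapped = {f: attrs[k] for f, k in JSA_TO_LEEF.items() if k in attrs}
    missing = [k for k in JSA_TO_LEEF.values() if k not in attrs]
    return mapped, missing

# Constructed sample event (not a real Forcepoint payload; all values are placeholders).
GOOD = ("<13>Jan  1 00:00:00 gateway.example LEEF:1.0|ExampleVendor|ExampleProduct|0.0|"
        "example|" + "\t".join([
            "disposition=1000", "cat=10", "src=192.0.2.10", "srcPort=51000",
            "dst=198.51.100.20", "dstPort=443", "usrName=alice"]))
# Same event after a copy and paste that replaced every tab with a space.
BAD = GOOD.replace("\t", " ")

if __name__ == "__main__":
    for name, event in (("tab separated", GOOD), ("tabs lost", BAD)):
        _, attrs = parse_leef(event)
        mapped, missing = jsa_view(attrs)
        print(name, "| tabs lost:", tabs_lost(attrs), "| missing:", missing)
        print("  ", mapped)
```

When the tabs are lost, every attribute after the first collapses into the value of `disposition`, so the event arrives but none of the other mapped fields can be extracted.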