Forcepoint V-Series Data Security Suite
Configuring Syslog for Forcepoint V-Series Data Security Suite
The Forcepoint V-Series Data Security Suite DSM accepts events by using syslog. Before you can integrate with JSA, you must configure the Forcepoint V-Series appliance to forward syslog events from the Data Security Suite (DSS) Management Console.
Select Policies > Policy Components > Notification Templates.
Select an existing Notification Template or create a new template.
Click the General tab.
Click Send Syslog Message.
Select Options > Settings > Syslog to open the Syslog window.
In the Syslog window, administrators define the IP address or host name and the port number of the syslog receiver in their organization. For a JSA integration this is the Event Collector or Console that receives syslog events (port 514 by default). The DSS Manager sends incident messages to the receiver defined here.
The syslog message is composed of the following pipe-delimited fields:
DSS Incident|ID={value}|action={display value - max}|urgency={coded}|policy categories={values,,,}|source={value-display name}|destinations={values...}|channel={display name}|matches={value}|details={value}
The policy categories field is limited to 200 characters.
The destinations field is limited to 200 characters.
The details and source fields are truncated to 30 characters.
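The following parser is an added example, not Forcepoint or JSA code. It splits a DSS Incident message as documented above, strips the spaces the format shows around '|' and '=', drops the empty entries that trailing commas leave in list fields, and records which fields sit at their stated length limit, since a details or source value of exactly 30 characters has most likely been cut by the appliance. The sample message, the PRI prefix and the error class are constructed assumptions; the length limits are the ones stated on this page.

```python
"""Parse the 'DSS Incident' syslog payload that the DSS Manager forwards.

Added example (not Forcepoint or JSA code).  Field names and length limits come
from the format description above; the sample message below is constructed.
"""
import re
from typing import Dict, List, Union

# Length limits stated for the DSS Manager syslog message.
LIST_FIELD_MAX = 200   # policy categories, destinations
TEXT_FIELD_MAX = 30    # details and source are cut to 30 characters
LIST_FIELDS = ("policy categories", "destinations")
TEXT_FIELDS = ("details", "source")

PRI_RE = re.compile(r"^<\d{1,3}>")   # optional syslog <PRI> prefix

# Constructed sample (not from the page).  Note the stray spaces around '|' and
# '=' that the documented format shows, the trailing commas in the list field,
# and a 'details' value of exactly 30 characters, i.e. cut by the appliance.
SAMPLE_INCIDENT = (
    "<134>DSS Incident|ID=10042|action=Blocked| urgency= High"
    "|policy categories=PCI DSS,HIPAA,,|source=jdoe - Jane Doe"
    "| destinations=mail.example.test,10.0.0.5|channel=SMTP| matches= 3"
    "|details=Credit card numbers in attachm"
)


class DssIncidentParseError(ValueError):
    """Raised for lines that are not well-formed DSS Incident messages."""


def parse_dss_incident(line: str) -> Dict[str, Union[str, int, List[str]]]:
    """Split one DSS Incident message into a dict keyed by lower-cased field name.

    '|' is the field separator, so a value containing '|' cannot be parsed
    unambiguously; such lines raise instead of producing a misaligned record.
    List fields are split on ',' with empty items dropped, 'matches' becomes an
    int, and 'truncated_fields' lists fields sitting at their documented limit.
    """
    payload = PRI_RE.sub("", line.strip())
    parts = payload.split("|")
    if parts[0].strip() != "DSS Incident":
        raise DssIncidentParseError("missing 'DSS Incident' marker")
    event: Dict[str, Union[str, int, List[str]]] = {}
    truncated: List[str] = []
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not key:
            raise DssIncidentParseError(f"malformed field {part!r}")
        if key in LIST_FIELDS:
            event[key] = [v.strip() for v in value.split(",") if v.strip()]
            if len(value) >= LIST_FIELD_MAX:
                truncated.append(key)
        elif key == "matches":
            event[key] = int(value)
        else:
            event[key] = value
            if key in TEXT_FIELDS and len(value) >= TEXT_FIELD_MAX:
                truncated.append(key)
    missing = [f for f in ("id", "action", "urgency", "channel") if f not in event]
    if missing:
        raise DssIncidentParseError(f"missing fields: {missing}")
    event["truncated_fields"] = truncated
    return event


if __name__ == "__main__":
    print(parse_dss_incident(SAMPLE_INCIDENT))
```

Run it against a few lines captured from the receiver before building detection content on the details field: a value flagged in truncated_fields may be missing the part of the match description you were going to key on.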
Click Test Connection to verify that the syslog receiver is reachable.
You can now configure the log source in JSA. The configuration is complete. Forcepoint V-Series Data Security Suite syslog events are automatically discovered, and the log source is added to JSA. Events that the appliance forwards to JSA are displayed on the Log Activity tab of JSA.
Syslog Log Source Parameters for Forcepoint V-Series Data Security Suite
If JSA does not automatically detect the log source, add a Forcepoint V-Series Data Security Suite log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from Forcepoint V-Series Data Security Suite:
Parameter | Value
---|---
Log Source Name | Type a name for your log source.
Log Source Description | Type a description for the log source.
Log Source Type | Forcepoint V Series
Protocol Configuration | Syslog
Log Source Identifier | Type the IP address or host name of the Forcepoint V-Series Data Security Suite appliance; JSA uses it to identify events from this log source.
Forcepoint V-Series Data Security Suite Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Forcepoint V-Series Data Security Suite sample message when you use the Syslog protocol
The following sample event message shows that a protected cloud app request was forwarded.
<159>Jul 21 14:38:55 forcepoint.vseries.test LEEF:1.0|Forcepoint|Security|8.5.0|transaction:permitted|sev=1 cat=147 usrName=- loginID=- src=10.104.165.142 srcPort=54983 srcBytes=1773 dstBytes=1819 dst=172.16.9.3 dstPort=443 proxyStatus-code=200 serverStatus-code=200 duration=152 method=POST disposition=1069 contentType=text/xml; charset\=UTF-8 reason=- policy=- role=8 userAgent=Google Update/1.3.35.452;winhttp;cup-ecdsa url=https://update.domain.test/service/update2?cup2key\=10:1538947168&cup2hreq\=c1111111ce111111111111e1a111c1111d1ca111f11a1cf1efbb11b1111111a1 logRecordSource=OnPrem
JSA field name | Value in the sample event payload
---|---
Event ID | Mapped from the disposition value (1069).
Event Category | Mapped from the cat value (147).
Source IP | 10.104.165.142
Source Port | 54983
Destination IP | 172.16.9.3
Destination Port | 443
Severity | 1
Device Time | Jul 21 14:38:55
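The following is an added example, not Forcepoint or JSA code, that parses the sample LEEF event above and applies the field mapping from the table. The embedded sample is the page's event with the line-break artifacts removed. Two details matter when parsing this payload by hand: attribute values may contain spaces (the userAgent value does), so the attribute section cannot simply be split on whitespace, and an '=' inside a value is escaped as '\=' (contentType and url), so only an unescaped '=' that follows whitespace starts a new attribute. The parser, the syslog header regex and the mapping function are assumptions; the PRI decoding follows the standard syslog facility*8+severity encoding.

```python
"""Parse a Forcepoint LEEF:1.0 syslog event and map it to the JSA fields above.

Added example (not Forcepoint or JSA code).  The sample is the page's event
with the line-break artifacts removed; the parser and mapping are assumptions
drawn from the LEEF header layout and the field table.
"""
import re
from typing import Dict, Optional

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<leef>LEEF:.*)$"
)
# A key starts a new attribute only when it follows whitespace (or the start)
# and its '=' is unescaped; 'charset\=' inside a value does not match.
ATTR_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][\w\-]*)=")

# The page's sample event, joined back onto one line (assumed field names as shown).
SAMPLE_LEEF = (
    "<159>Jul 21 14:38:55 forcepoint.vseries.test "
    "LEEF:1.0|Forcepoint|Security|8.5.0|transaction:permitted|"
    "sev=1 cat=147 usrName=- loginID=- src=10.104.165.142 srcPort=54983 "
    "srcBytes=1773 dstBytes=1819 dst=172.16.9.3 dstPort=443 "
    "proxyStatus-code=200 serverStatus-code=200 duration=152 method=POST "
    "disposition=1069 contentType=text/xml; charset\\=UTF-8 reason=- policy=- "
    "role=8 userAgent=Google Update/1.3.35.452;winhttp;cup-ecdsa "
    "url=https://update.domain.test/service/update2?cup2key\\=10:1538947168"
    "&cup2hreq\\=c1111111ce111111111111e1a111c1111d1ca111f11a1cf1efbb11b1111111a1 "
    "logRecordSource=OnPrem"
)


def parse_leef_attributes(text: str) -> Dict[str, str]:
    """Split the space-delimited attribute section; values may contain spaces."""
    attrs: Dict[str, str] = {}
    keys = list(ATTR_KEY_RE.finditer(text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        raw = text[m.end():end].strip()
        attrs[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)  # undo \= and \\ escapes
    return attrs


def parse_leef_event(line: str) -> Dict:
    """Parse '<PRI>timestamp host LEEF:1.0|vendor|product|version|eventid|attrs'."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a syslog line carrying a LEEF payload")
    header = m.group("leef").split("|", 5)
    if len(header) != 6 or header[0] != "LEEF:1.0":
        raise ValueError("unsupported or truncated LEEF header")
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,        # <159> -> facility 19 (local3)
        "pri_severity": pri & 7,     # <159> -> syslog severity 7 (debug)
        "device_time": m.group("ts"),
        "host": m.group("host"),
        "vendor": header[1], "product": header[2], "version": header[3],
        "leef_event_id": header[4],
        "attrs": parse_leef_attributes(header[5]),
    }


def _int_or_none(v: Optional[str]) -> Optional[int]:
    return int(v) if v is not None and v.isdigit() else None


def map_to_jsa(event: Dict) -> Dict[str, object]:
    """Apply the field mapping from the table above to a parsed event."""
    a = event["attrs"]
    return {
        "Event ID": a.get("disposition"),
        "Event Category": a.get("cat"),
        "Source IP": a.get("src"),
        "Source Port": _int_or_none(a.get("srcPort")),
        "Destination IP": a.get("dst"),
        "Destination Port": _int_or_none(a.get("dstPort")),
        "Severity": _int_or_none(a.get("sev")),
        "Device Time": event["device_time"],
    }


if __name__ == "__main__":
    print(map_to_jsa(parse_leef_event(SAMPLE_LEEF)))
```

Note that the syslog PRI severity (7, debug) and the LEEF sev attribute (1) are unrelated values; JSA's Severity column comes from the sev attribute, so do not filter the feed on the syslog priority at the collector.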