# Forcepoint NGFW (syslog)

In this guide, you'll set up a trusted relationship between Forcepoint NGFW and Radiant. Once complete, Radiant will collect and analyze alerts and events from your Forcepoint NGFW environment.

Log entries are traffic-based events that are logged according to policy rules. An audit log entry is a special type of log entry that is not traffic-based, but instead provides a record of SMC administrative actions and some internal events like element updates and scheduled task executions.

### Prerequisites

* [ ] Admin access to Forcepoint SMC
* [ ] At least *one* running SMC Log Server

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select the **Radiant Agent** option from the list and then click **Data Feeds**.
4. Under **Select your data feeds**, select **Forcepoint NGFW** and click **Credentials**.
5. Under **Credential Name**, give the Radiant Agent integration an identifiable name (e.g. `Radiant Agent Integration`).
6. Click **Add Connector**.

### Configure a Radiant Agent for Log Collection

Refer to the [Install the Radiant Security Agent](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/install-the-radiant-security-agent) guide to set up a local agent to collect the logs.

### Configure log forwarding in Forcepoint SMC

1. Sign in to your Forcepoint SMC.
2. Click **Home**.
3. Click **Others** > **Log Server**.
4. Right-click the log server that you want to forward logs from, and then select **Properties**.

{% hint style="info" %}
**Note**: One Log Server element is automatically created during SMC installation. Repeat the following steps for *all* Log Servers.
{% endhint %}

5. Click the **Log Forwarding** tab.
6. Click **Add** and enter the following:
   * **Service**: `UDP`
   * **Port**: `<port_configured_to_receive_forcepoint_ngfw>`
   * **Format**: select **JSON**
   * **Data Type**: select **All Log Data**
7. Double-click the **Target Host** cell to open the **Select Host** dialog box.

   1. Click the **Settings** icon > **New** > **Host.**

   b. Enter `Radiant-Security-Syslog`

   c. Select the **IP** field and enter `<Radiant Agent's local IP>`
8. Click **OK.**
9. Select the new host and click **Select.**
10. On the **Log Server TLS Certificate** box, select **No client Authentication**.
11. Click **OK**.