Forcepoint NGFW (syslog)

Configure Forcepoint NGFW Security Management Center (SMC) for syslog forwarding to Radiant Security.

In this guide, you'll set up a trusted relationship between Forcepoint NGFW and Radiant. Once complete, Radiant will collect and analyze alerts and events from your Forcepoint NGFW environment.

Log entries are traffic-based events that are logged according to policy rules. An audit log entry is a special type of log entry that is not traffic-based, but instead provides a record of SMC administrative actions and some internal events like element updates and scheduled task executions.

Prerequisites

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

  3. Search for and select the Forcepoint NGFW (syslog) option from the list and then click Data Feeds.

  4. Under Select your data feeds, select Forcepoint NGFW and click Credentials.

  5. Under Credential Name, give the credential an identifiable name (e.g. Forcepoint NGFW Credentials).

  6. Under Required Credentials, in the Connector tag field, enter a value. This value will act as the salt to randomize the unique Token you'll download in the next step.

  7. Click Add Connector.

  8. Copy and save the connector Token value using the clipboard option or download the Token file. You will need this token to complete the configuration.

  9. Click Done to save your changes.

Configure a Radiant Agent for Log Collection

Refer to the Install the Radiant Security Agent guide to set up a local agent to collect the logs.

Configure log forwarding in Forcepoint SMC

  1. Sign in to your Forcepoint SMC.

  2. Click Home.

  3. Click Others > Log Server.

  4. Right-click the log server that you want to forward logs from, and then select Properties.

Note: One Log Server element is automatically created during SMC installation. Repeat the following steps for all Log Servers.

  1. Click the Log Forwarding tab.

  2. Click Add and enter the following:

    • Service: UDP

    • Port: 514

    • Format: select JSON

    • Data Type: select All Log Data

  3. Double-click the Target Host cell to open the Select Host dialog box.

    a. Click the Settings icon > New > Host.

    b. Enter Radiant-Security-Syslog

    c. Select the IP field and enter <Radiant Agent's local IP>

  4. Click OK.

  5. Select the new host and click Select.

  6. In the Log Server TLS Certificate box, select No client Authentication.

  7. Click OK.
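
To check that the Log Server is forwarding as configured above (UDP, JSON format), the following added example collects a few datagrams and reports how many carry a JSON object. It is not part of the original guide or of Forcepoint or Radiant tooling. It assumes it runs on a host where the UDP port is free and can be bound; the sample datagrams and their field names are constructed, and because the guide does not say whether a syslog header precedes the JSON, parsing starts at the first "{".

```python
import json
import socket

def extract_json(datagram: bytes):
    """Return the JSON object carried in one datagram, or None.
    Assumption: an optional syslog header may precede the JSON, so
    decoding starts at the first '{' and ignores trailing bytes."""
    text = datagram.decode("utf-8", errors="replace")
    start = text.find("{")
    if start == -1:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(text[start:])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None

def summarize(datagrams):
    """Count datagrams with and without a JSON object; list the keys seen."""
    ok, bad, keys = 0, 0, set()
    for d in datagrams:
        obj = extract_json(d)
        if obj is None:
            bad += 1      # e.g. Format was left at a non-JSON setting
        else:
            ok += 1
            keys.update(obj)
    return {"json": ok, "not_json": bad, "keys": sorted(keys)}

def listen(bind_ip="0.0.0.0", port=514, count=10, timeout=30.0):
    """Collect up to `count` datagrams on UDP `port`, then summarize them.
    Binding a port below 1024 usually needs elevated privileges."""
    got = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((bind_ip, port))
        try:
            while len(got) < count:
                data, _ = s.recvfrom(65535)
                got.append(data)
        except socket.timeout:
            pass          # nothing (more) arrived within the timeout
    return summarize(got)

# Constructed samples; field names are hypothetical, not Forcepoint's schema.
SAMPLES = [
    b'<14>Jan 01 00:00:00 smc-log {"example_field": "v", "example_id": 1}',
    b'{"example_field": "v"}',
    b'<14>Jan 01 00:00:00 smc-log plain text entry, not JSON',
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

A result with "json": 0 after the timeout means either nothing reached the host on that port or the Format setting is not JSON.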
