# Forcepoint NGFW (syslog)

In this guide, you'll set up a trusted relationship between Forcepoint NGFW and Radiant. Once complete, Radiant will collect and analyze alerts and events from your Forcepoint NGFW environment.

Log entries are traffic-based events that are logged according to policy rules. An audit log entry is a special type of log entry that is not traffic-based, but instead provides a record of SMC administrative actions and some internal events like element updates and scheduled task executions.

### Prerequisites

* [ ] Admin access to Forcepoint SMC
* [ ] At least *one* running SMC Log Server

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select the **Radiant Agent** option from the list and then click **Data Feeds**.
4. Under **Select your data feeds**, select **Forcepoint NGFW** and click **Credentials**.
5. Under **Credential Name**, give the Radiant Agent integration an identifiable name (e.g. `Radiant Agent Integration`).
6. Click **Add Connector**.

### Configure a Radiant Agent for Log Collection

Refer to the [Install the Radiant Security Agent](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/install-the-radiant-security-agent) guide to set up a local agent to collect the logs.

### Configure log forwarding in Forcepoint SMC

1. Sign in to your Forcepoint SMC.
2. Click **Home**.
3. Click **Others** > **Log Server**.
4. Right-click the log server that you want to forward logs from, and then select **Properties**.

{% hint style="info" %}
**Note**: One Log Server element is automatically created during SMC installation. Repeat the following steps for *all* Log Servers.
{% endhint %}

5. Click the **Log Forwarding** tab.
6. Click **Add** and enter the following:
   * **Service**: `UDP`
   * **Port**: `<port_configured_to_receive_forcepoint_ngfw>`
   * **Format**: select **JSON**
   * **Data Type**: select **All Log Data**
7. Double-click the **Target Host** cell to open the **Select Host** dialog box.

   1. Click the **Settings** icon > **New** > **Host.**

   b. Enter `Radiant-Security-Syslog`

   c. Select the **IP** field and enter `<Radiant Agent's local IP>`
8. Click **OK.**
9. Select the new host and click **Select.**
10. On the **Log Server TLS Certificate** box, select **No client Authentication**.
11. Click **OK**.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.radiantsecurity.ai/radiant-connectors/data-connectors/forcepoint-ngfw-syslog.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.