Security Information Event Management
Policy Broker, or Policy Server was connected to a Policy Broker using the Settings >
General > Policy Broker page of Security Manager.
Important
To avoid duplication of data when using the same SIEM solution for each Policy Server assigned to the same Policy Broker, make sure that the details entered on the Settings > General > SIEM Integration page match for each Policy Server. If IP address or hostname, Port, and SIEM format do not match, the SIEM integration is handled as a different SIEM solution.
If data that is sent to a specific SIEM solution should not be forwarded to other SIEM solutions, install a replica Policy Broker and associate the corresponding Policy Server to that replica.
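A consistency check for the matching rule above, as an added example that is not Forcepoint code. It groups Policy Servers by the exact IP address or hostname, Port, and SIEM format entered, and reports settings that differ in only one field. The inventory structure, server names, addresses and format labels are constructed assumptions; the values would be collected by hand from each Policy Server's SIEM Integration page.

```python
from collections import defaultdict

# Constructed inventory: SIEM settings as entered on each Policy Server's
# SIEM Integration page. Names, addresses and formats are sample values.
INVENTORY = [
    {"policy_server": "ps-01", "host": "siem.example.internal", "port": 514, "format": "CEF"},
    {"policy_server": "ps-02", "host": "siem.example.internal", "port": 514, "format": "CEF"},
    {"policy_server": "ps-03", "host": "192.0.2.10", "port": 514, "format": "CEF"},
    {"policy_server": "ps-04", "host": "siem.example.internal", "port": 515, "format": "CEF"},
    {"policy_server": "ps-05", "host": "siem.example.internal", "port": 514, "format": "LEEF"},
]

FIELDS = ("host", "port", "format")


def group_by_solution(inventory):
    """Group Policy Servers by the exact (host, port, format) triple.

    Exact comparison is deliberate: the page says entries that do not match
    are handled as a different SIEM solution, so no normalisation is assumed.
    """
    groups = defaultdict(list)
    for entry in inventory:
        key = tuple(entry[f] for f in FIELDS)
        groups[key].append(entry["policy_server"])
    return dict(groups)


def near_mismatches(inventory):
    """Return pairs of distinct triples that differ in exactly one field.

    These are the likely data-entry drifts (hostname on one server, IP on
    another; a different port or format) that split one intended SIEM.
    """
    keys = sorted(group_by_solution(inventory), key=str)
    findings = []
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            diff = [f for f, x, y in zip(FIELDS, a, b) if x != y]
            if len(diff) == 1:
                findings.append((a, b, diff[0]))
    return findings


if __name__ == "__main__":
    for key, servers in group_by_solution(INVENTORY).items():
        print(key, "->", servers)
    for a, b, field in near_mismatches(INVENTORY):
        print(f"review: {a} vs {b} differ only in {field}")
```

In the sample data, ps-03 points at an IP address while ps-01 and ps-02 use a hostname, so it is reported for review even if both refer to the same collector.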
SIEM with Forcepoint Web Security, v8.5.4 and v8.5.5
In a basic configuration of SIEM integration for v8.5.4 and v8.5.5, data for each Policy Server is sent to each of the SIEM solutions configured in the Internet Activity Log Data section of Web > Settings > General > SIEM Integration. Data is not also sent to SIEM integrations configured for associated Policy Servers. To send data from multiple Policy Servers to the same SIEM integration, each Policy Server must be configured to use the same SIEM solution or solutions.
The Audit Log Data section is available for the primary Policy Server and, when Enable SIEM integration for audit log data for this Policy Server is selected, data viewable on Web > Status > Audit Log showing which administrators have accessed the Forcepoint Security Manager, as well as any changes made to policies and settings, is forwarded to the configured SIEM integration. Note that this feature is available only for the primary Policy Server and does not appear if you switch to a secondary Policy Server.
Enabling and configuring SIEM integration
Log on to the Web Security module of the Forcepoint Security Manager and navigate to Settings > General > SIEM Integration to activate and configure SIEM integration.
Perform this procedure for each Policy Server instance in your deployment.
In the Internet Activity Log Data section (titled in v8.5.3):
1. For 8.5.4 and v8.5.5: Click Add to open a new window where you will continue configuring your SIEM integration.
For v8.5 and v8.5.3: Select Enable SIEM integration for Internet activity log data for this Policy Server (in v8.5, select Enable SIEM integration for this Policy Server) to turn on the SIEM integration feature. Follow these steps for