Configuring a Proofpoint Enterprise Protection and Enterprise Privacy Log Source

 

JSA automatically discovers and creates a log source for syslog events from Proofpoint Enterprise Protection and Enterprise Privacy appliances.

The following configuration steps are optional. To manually configure a syslog log source for Proofpoint Enterprise Protection and Enterprise Privacy, complete the following steps:

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Proofpoint Enterprise Protection/Enterprise Privacy.
  9. If you want to configure the Syslog protocol, select it from the Protocol Configuration list and configure the following values:

    Table 1: Syslog Parameters

    Parameter

    Description

    Log Source Identifier

    The IP address or host name for the log source as an identifier for events from Proofpoint Enterprise Protection and Enterprise Privacy installations.

    For each additional log source that you create when you have multiple installations, include a unique identifier, such as an IP address or host name.

    Note

    A Proofpoint Remote Syslog Forwarding subscription is required for syslog support.

  10. If you want to configure a Log File protocol, select it from the Protocol Configuration list and configure the following values:

    Table 2: Log File Parameters

    Parameter

    Description

    Log Source Identifier

    The IP address or host name for the log source as an identifier for events from Proofpoint Enterprise Protection and Enterprise Privacy installations.

    For each additional log source that you create when you have multiple installations, include a unique identifier, such as an IP address or host name.

    Service Type

    From the list, select the protocol that you want to use when retrieving log files from a remote server. The default is SFTP.

    • SFTP - SSH File Transfer Protocol

    • FTP - File Transfer Protocol

    • SCP - Secure Copy

    FTP sends the Remote User, the Remote Password and the retrieved log data in cleartext. Prefer SFTP or SCP, ideally with an SSH Key File instead of a password.

    The underlying protocol that is used to retrieve log files for the SCP and SFTP service types requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

    Remote IP or Hostname

    Type the IP address or host name of the Proofpoint Enterprise Protection and Enterprise Privacy system.

    Remote Port

    Type the TCP port on the remote host that is running the selected Service Type. If you configure the Service Type as FTP, the default is 21. If you configure the Service Type as SFTP or SCP, the default is 22.

    The valid range is 1 - 65535.

    Remote User

    Type the user name necessary to log in to your Proofpoint Enterprise Protection and Enterprise Privacy system.

    The user name can be up to 255 characters in length.

    Remote Password

    Type the password necessary to log in to your Proofpoint Enterprise Protection and Enterprise Privacy system.

    Confirm Password

    Confirm the Remote Password to log in to your Proofpoint Enterprise Protection and Enterprise Privacy system.

    SSH Key File

    If you select SCP or SFTP from the Service Type field, you can type the path to an SSH private key file on the JSA system. When a key file is configured, the Remote Password field is ignored.

    Remote Directory

    Type the directory location on the remote host from which the files are retrieved.

    Recursive

    Select this check box if you want the file pattern to also search sub folders. The Recursive parameter is not used if you configure SCP as the Service Type. By default, the check box is clear.

    FTP File Pattern

    If you select SFTP or FTP as the Service Type, this option allows you to configure the regular expression (regex) that filters the list of files in the Remote Directory. All matching files are included in the processing.

    For example, if you want to retrieve all syslog files with the keyword "_filter" in the file name, use the following entry: .*_filter.*\.syslog

    Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

    FTP Transfer Mode

    This option only appears if you select FTP as the Service Type. The FTP Transfer Mode parameter allows you to define the file transfer mode when you retrieve log files over FTP.

    From the list, select the transfer mode that you want to apply to this log source:

    • Binary - Select Binary for log sources that require binary data files or compressed .zip, .gzip, .tar, or .tar+gzip archive files.

    • ASCII - Select ASCII for log sources that require an ASCII FTP file transfer. You must select NONE for the Processor field and LINEBYLINE for the Event Generator field when you use ASCII as the transfer mode.

    SCP Remote File

    If you select SCP as the Service Type, you must type the file name of the remote file.

    Start Time

    Type the time of day you want the processing to begin. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24-hour clock, in the following format: HH:MM.

    Recurrence

    Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D).

    For example, type 2H if you want the directory to be scanned every 2 hours. The default is 1H.

    Run On Save

    Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule.

    Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File(s) parameter.

    EPS Throttle

    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 5000.

    Processor

    If the files on the remote host are stored in a .zip, .gzip, .tar, or tar+gzip archive format, select the processor that expands the archives and processes their contents.

    Ignore Previously Processed File(s)

    Select this check box to track files that have already been processed and you do not want the files to be processed a second time. This applies to FTP and SFTP Service Types only.

    Change Local Directory?

    Select this check box to define the local directory on your JSA system that you want to use for storing downloaded files during processing. We recommend that you leave the check box clear. When the check box is selected, the Local Directory field is displayed, which allows you to configure the local directory to use for storing files.

    Event Generator

    From the Event Generator list, select LINEBYLINE.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    The log source is added to JSA. Events that are forwarded to JSA by Proofpoint Enterprise Protection and Enterprise Privacy are displayed on the Log Activity tab.
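The following Python script is an added worked example, not JSA or Proofpoint code, that models how the Log File protocol parameters from step 10 interact: Start Time and Recurrence define the scan grid, the FTP File Pattern selects files from the Remote Directory, Recursive decides whether sub folders are searched, and Ignore Previously Processed File(s) suppresses files seen on an earlier scan. The directory listing is constructed for the example. Two points are assumptions rather than statements from the page: that the file pattern must match the whole file name (Java Pattern.matches semantics, which is why the page's example wraps the keyword in .* on both sides), and that the pattern is applied to the file name rather than the full path when Recursive is selected.

```python
"""Simulation of one Log File protocol scan (added example, not JSA code)."""
import math
import re
from datetime import datetime, timedelta
from posixpath import basename

# Constructed listing standing in for the Remote Directory on the Proofpoint
# host. Assumption: these names are illustrative, not a real Proofpoint layout.
REMOTE_LISTING = [
    "2024-05-01_filter.syslog",
    "2024-05-02_filter.syslog",
    "2024-05-02_filter.syslog.gz",       # not selected: name does not end in .syslog
    "2024-05-02_maillog",                # not selected: no "_filter" keyword
    "archive/2024-04-30_filter.syslog",  # only seen when Recursive is selected
]


def parse_recurrence(value):
    """Turn a Recurrence value such as '2H', '30M' or '1D' into a timedelta."""
    m = re.fullmatch(r"(\d+)([HMD])", value.strip().upper())
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"invalid Recurrence value: {value!r}")
    n, unit = int(m.group(1)), m.group(2)
    return {"H": timedelta(hours=n),
            "M": timedelta(minutes=n),
            "D": timedelta(days=n)}[unit]


def next_scan(start_time, recurrence, now_iso):
    """Return (as ISO 8601) the first scan at or after `now_iso` on the grid
    that begins at Start Time (HH:MM, 24-hour clock) and repeats every
    Recurrence. The grid is anchored at today's HH:MM and extended in both
    directions, so a scan can fall before the anchor on the same day."""
    m = re.fullmatch(r"([01]\d|2[0-3]):([0-5]\d)", start_time)
    if not m:
        raise ValueError(f"Start Time must be HH:MM: {start_time!r}")
    now = datetime.fromisoformat(now_iso)
    anchor = now.replace(hour=int(m.group(1)), minute=int(m.group(2)),
                         second=0, microsecond=0)
    step = parse_recurrence(recurrence)
    k = math.ceil((now - anchor) / step)   # number of steps from the anchor
    return (anchor + k * step).isoformat()


def select_files(listing, pattern, recursive, processed):
    """Apply the FTP File Pattern, Recursive and Ignore Previously Processed
    File(s) settings to a listing. Returns (files_to_fetch, updated_processed).
    Assumption: the pattern must match the whole file name (Java
    Pattern.matches semantics), so re.fullmatch is used, not re.search."""
    rx = re.compile(pattern)
    chosen = []
    for path in listing:
        if not recursive and "/" in path:
            continue                         # sub folders need Recursive
        if rx.fullmatch(basename(path)) is None:
            continue                         # pattern applied to the file name
        if path in processed:
            continue                         # already processed on an earlier scan
        chosen.append(path)
    return chosen, processed | set(chosen)


def simulate_two_scans(pattern, recursive, run_on_save):
    """First scan, then a second scan over the same listing. Run On Save
    clears the previously-processed list before the first scan, as the
    parameter description states."""
    processed = set() if run_on_save else set(REMOTE_LISTING[:1])
    first, processed = select_files(REMOTE_LISTING, pattern, recursive, processed)
    second, processed = select_files(REMOTE_LISTING, pattern, recursive, processed)
    return first, second


if __name__ == "__main__":
    print(next_scan("03:00", "2H", "2024-05-02T04:10:00"))
    print(simulate_two_scans(r".*_filter.*\.syslog", recursive=True, run_on_save=True))
```

Running the script shows the two behaviours that most often surprise people: a pattern without leading and trailing .* (for example _filter\.syslog) selects nothing because it must match the entire file name, and the second scan fetches nothing new because every file selected on the first scan is now on the previously-processed list.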