Forcepoint V-Series Content Gateway
The Forcepoint V-Series Content Gateway DSM for JSA supports events for web content on Forcepoint V-Series appliances with the Content Gateway software.
The Forcepoint V-Series Content Gateway DSM accepts events either streamed over syslog or retrieved with the log file protocol. Before you can integrate your appliance with JSA, you must select one of the following configuration methods:
- To configure syslog for your Forcepoint V-Series, see Configure Syslog for Forcepoint V-Series Content Gateway.
- To configure the log file protocol for your Forcepoint V-Series, see Log File Protocol for Forcepoint V-Series Content Gateway.
Configure Syslog for Forcepoint V-Series Content Gateway
The Forcepoint V-Series DSM supports Forcepoint V-Series appliances that run the Forcepoint Content Gateway on Linux software installations.
Before you configure JSA, you must configure the Forcepoint Content Gateway to provide LEEF-formatted syslog events.
Configuring the Management Console for Forcepoint V-Series Content Gateway
You can configure event logging in the Content Gateway Manager.
- Log in to your Forcepoint Content Gateway Manager.
- Click the Configure tab.
- Select Subsystems > Logging.
  The General Logging Configuration window is displayed.
- Select Log Transactions and Errors.
- Select Log Directory to specify the directory path of the stored event log files.
  The directory that you define must exist and the Forcepoint user must have read and write permissions for the specified directory.
  The default directory is /opt/WGC/logs.
- Click Apply.
- Click the Custom tab.
- In the Custom Log File Definitions window, type the following text for the LEEF format.
<LogFormat>
<Name = "leef"/>
<Format = "LEEF:1.0|Forcepoint|WCG|7.6|%<wsds>|cat=%<wc> src=%<chi> devTime=%<cqtn> devTimeFormat=dd/MMM/yyyy:HH:mm:ss Z http-username=%<caun> url=%<cquc> method=%<cqhm> httpversion=%<cqhv> cachecode=%<crc> dstBytes=%<sscl> dst=%<pqsi> srcBytes=%<pscl> proxy-status-code=%<pssc> server-status-code=%<sssc> usrName=%<wui> duration=%<ttms>"/>
</LogFormat>
<LogObject>
<Format = "leef"/>
<Filename = "leef"/>
</LogObject>
Note: The fields in the LEEF format string are tab separated. You might be required to type the LEEF format in a text editor and then cut and paste it into your web browser to retain the tab separations. The definitions file ignores extra white space, blank lines, and all comments.
- Select Enabled to enable the custom logging definition.
- Click Apply.
You can now enable event logging for your Forcepoint Content Gateway.
Enabling Event Logging for Forcepoint V-Series Content Gateway
If you are using a Forcepoint V-Series appliance, contact Forcepoint Technical Support to enable this feature.
- Log in to the command-line interface (CLI) of the server running Forcepoint Content Gateway.
- Add the following lines to the end of the /etc/rc.local file:
  ( while [ 1 ] ; do tail -n1000 -F /opt/WCG/logs/leef.log | nc <IP Address> 514; sleep 1; done ) &
  Where <IP Address> is the IP address for JSA.
- To start logging immediately, type the following command:
  nohup /bin/bash -c "while [ 1 ] ; do tail -F /opt/WCG/logs/leef.log | nc <IP Address> 514; sleep 1; done" &
Note: You might need to type the logging command manually, or copy it into a text editor first, so that the quotation marks are interpreted correctly.
The configuration is complete. Syslog events from Forcepoint V-Series Content Gateway are automatically discovered and the log source is added to JSA. Events forwarded by Forcepoint V-Series Content Gateway are displayed on the Log Activity tab of JSA.
Syslog Log Source Parameters for Forcepoint V-Series Content Gateway
If JSA does not automatically detect the log source, add a Forcepoint V-Series Content Gateway log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from Forcepoint V-Series Content Gateway:
Parameter | Value
---|---
Log Source Name | Type a name for your log source.
Log Source Description | Type a description for the log source.
Log Source type | Forcepoint V Series
Protocol Configuration | Syslog
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Forcepoint V-Series Content Gateway appliance.
Log File Protocol for Forcepoint V-Series Content Gateway
The log file protocol allows JSA to retrieve archived log files from a remote host.
The Forcepoint V-Series DSM supports the bulk loading of log files from your Forcepoint V-Series Content Gateway using the log file protocol to provide events on a scheduled interval. The log files contain transaction and error events for your Forcepoint V-Series Content Gateway:
- Configuring the Content Management Console for Forcepoint V-Series Content Gateway
- Log File Log Source Parameters for Forcepoint V-Series Content Gateway
Configuring the Content Management Console for Forcepoint V-Series Content Gateway
Configure event logging in the Content Management Console.
- Log in to your Forcepoint Content Gateway interface.
- Click the Configure tab.
- Select Subsystems > Logging.
- Select Log Transactions and Errors.
- Select Log Directory to specify the directory path of the stored event log files.
  The directory you define must already exist and the Forcepoint user must have read and write permissions for the specified directory.
  The default directory is /opt/WGC/logs.
- Click Apply.
- Click the Formats tab.
- Select Netscape Extended Format as your format type.
- Click Apply.
You can now enable event logging for your Forcepoint V-Series Content Gateway.
Log File Log Source Parameters for Forcepoint V-Series Content Gateway
If JSA does not automatically detect the log source, add a Forcepoint V-Series Content Gateway log source on the JSA Console by using the Log File protocol.
When using the Log File protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Log File events from Forcepoint V-Series Content Gateway:
Parameter | Value
---|---
Log Source type | Forcepoint V Series
Protocol Configuration | Log File
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Forcepoint V-Series Content Gateway devices.
Service Type | Secure File Transfer Protocol (SFTP)
FTP File Pattern | 
Remote Directory | /opt/WCG/logs
Event Generator | LINEBYLINE
Forcepoint V-Series Content Gateway Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Forcepoint V-Series Content Gateway Sample Messages when you use the Syslog Protocol
Sample 1: The following sample event message shows that access is blocked by Websense.
<159>Jul 16 16:37:26 forcepoint.vseries.test LEEF:1.0|Forcepoint|Security|8.5.3|transaction:blocked|sev=7 cat=1504 usrName=qradar1 loginID=qradar1 src=10.223.7.33 srcPort=34311 srcBytes=0 dstBytes=0 dst=10.10.10.10 dstPort=443 proxyStatuscode=403 serverStatus-code=0 duration=66 method=POST disposition=1064 contentType=- reason=0-17336-Generic.Content.Web.RTSS policy=Super Administrator**IM Chat and Conferencing Policy role=8 userAgent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 url=https://www.qradar.example.test/psettings/jobs/profile-shared-with-recruiter logRecordSource=%<logRecordSource>
JSA field name | Highlighted values in the event payload
---|---
Event ID | disposition
Category | cat
Source IP | src
Source Port | srcPort
Destination IP | dst
Destination Port | dstPort
Username | usrName
Sample 2: The following sample event message shows that access is permitted by Websense.
<159>Jun 25 10:45:18 forcepoint.vseries.test LEEF:1.0|Forcepoint|Security|8.5.3|transaction:permitted|sev=1 cat=209 usrName=testUser loginID=testID src=10.252.88.231 srcPort=7434 srcBytes=636 dstBytes=63385 dst=10.10.10.10 dstPort=443 proxyStatus-code=200 serverStatus-code=200 duration=32 method=GET disposition=1065 contentType=text/html; charset\=utf-8 reason=0-14057-Generic.Content.Web.RTSS policy=testPolicy Videos from testCompany role=8 userAgent=Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 url=https://www.qradar.example.test/watch?v\=VsxpUZaggcw logRecordSource=%<logRecordSource>
JSA field name | Highlighted values in the event payload
---|---
Event ID | disposition
Category | cat
Source IP | src
Source Port | srcPort
Destination IP | dst
Destination Port | dstPort
Username | usrName
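As an added example (not code from the page, Forcepoint or Juniper), a Python parser for the LEEF 1.0 syslog events shown in the two samples that applies the JSA field mapping from the tables above, plus a check for the custom LogFormat string from the syslog configuration section that flags a %<...> token glued to the next key, the defect the tab-separation note warns about when the format is pasted without its tabs. The regexes, function names and the abridged sample line are assumptions assembled from the page's own samples.

```python
import re

# JSA field name -> LEEF attribute key, taken from the mapping tables above.
JSA_FIELD_MAP = {
    "Event ID": "disposition", "Category": "cat", "Source IP": "src",
    "Source Port": "srcPort", "Destination IP": "dst",
    "Destination Port": "dstPort", "Username": "usrName",
}

# Syslog PRI, timestamp and host, then the five pipe-delimited LEEF 1.0 header fields.
LEEF_HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"LEEF:(?P<ver>\d\.\d)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<pver>[^|]*)"
    r"\|(?P<event>[^|]*)\|(?P<attrs>.*)$"
)
# A key starts the string or follows a tab/space. A '\=' inside a value (charset\=utf-8)
# is an escaped '=' and never starts a key, because '\' is not a key character.
KEY_RE = re.compile(r"(?:^|[\t ])([A-Za-z][A-Za-z0-9_-]*)=")

def parse_attrs(attrs):
    """Split 'k=v k2=v2' into a dict; values may contain spaces (userAgent, policy)."""
    keys = list(KEY_RE.finditer(attrs))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(attrs)
        out[m.group(1)] = attrs[m.end():end].strip().replace("\\=", "=")
    return out

def parse_leef_event(line):
    """Return header fields plus a parsed 'attrs' dict for one syslog line."""
    m = LEEF_HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a LEEF 1.0 syslog event")
    ev = m.groupdict()
    ev["attrs"] = parse_attrs(ev.pop("attrs"))
    return ev

def map_to_jsa_fields(line):
    """Apply the page's mapping tables to one raw syslog line."""
    attrs = parse_leef_event(line)["attrs"]
    return {field: attrs.get(key) for field, key in JSA_FIELD_MAP.items()}

def missing_delimiters(log_format):
    """%<...> tokens in a LogFormat string glued to the next key (a lost tab)."""
    return re.findall(r"%<\s*\w+\s*>(?=[^\s\"|])", log_format)

# Constructed sample, assembled from the page's two sample messages (abridged).
SAMPLE = ("<159>Jul 16 16:37:26 forcepoint.vseries.test LEEF:1.0|Forcepoint|Security|8.5.3|"
          "transaction:blocked|sev=7 cat=1504 usrName=qradar1 src=10.223.7.33 srcPort=34311 "
          "dst=10.10.10.10 dstPort=443 method=POST disposition=1064 contentType=text/html; "
          "charset\\=utf-8 userAgent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) url=https://www.qradar.example.test/psettings")
```

Running `map_to_jsa_fields(SAMPLE)` yields the seven JSA fields of the first mapping table; `missing_delimiters` returns an empty list for a correctly delimited format string.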