Configuring syslog for Forcepoint TRITON

To collect events, you must configure syslog forwarding for Forcepoint TRITON.

Procedure

  1. Log in to your Forcepoint TRITON Web Security Console.
  2. On the Settings tab, select General > SIEM Integration.
  3. Select the Enable SIEM integration for this Policy Server check box.
  4. In the IP address or hostname field, type the IP address of your QRadar.
  5. In the Port field, type 514.
  6. From the Transport protocol list, select either the TCP or UDP protocol option.

    QRadar supports syslog events for TCP and UDP protocols on port 514.

  7. From the SIEM format list, select syslog/LEEF (QRadar).
  8. Click OK to cache any changes.
  9. Click Deploy to update your Forcepoint TRITON security components or V-Series appliances.

    The Forcepoint Multiplexer connects to Forcepoint Filtering Service and ensures that event log information is provided to QRadar.
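
One way to check the result of steps 7 to 9 on the receiving side, as an added example that is not part of the original procedure or of any IBM or Forcepoint code: it parses captured syslog lines as LEEF and lists any that are not, which is what you would see if a different SIEM format had been selected. It assumes LEEF 1.0 with tab-separated attributes; the sample lines, vendor and product names, and attribute keys are constructed.

```python
import re

# LEEF 1.0 header: LEEF:1.0|Vendor|Product|Version|EventID| followed by
# tab-separated key=value attributes (assumed layout for this check).
LEEF_HEADER = re.compile(
    r"LEEF:1\.0\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)"
    r"\|(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$"
)

def parse_leef(line):
    """Return the LEEF header fields and attributes of one syslog line, or None."""
    match = LEEF_HEADER.search(line.rstrip("\r\n"))
    if match is None:
        return None
    event = match.groupdict()
    attrs = {}
    for pair in event.pop("attrs").split("\t"):
        key, sep, value = pair.partition("=")  # values may themselves contain '='
        if sep and key:
            attrs[key] = value
    event["attrs"] = attrs
    return event

def non_leef_lines(lines):
    """Return 1-based numbers of the lines that do not carry a LEEF 1.0 event."""
    return [n for n, line in enumerate(lines, 1) if parse_leef(line) is None]

# Constructed sample capture: one LEEF event and one event in another format.
SAMPLE = [
    "<13>Jan  1 00:00:00 proxy01 LEEF:1.0|ExampleVendor|ExampleProduct|1.0|"
    "transaction:permitted|src=192.0.2.10\tdst=198.51.100.7\t"
    "url=http://example.com/a?b=c\n",
    "<13>Jan  1 00:00:01 proxy01 CEF:0|ExampleVendor|ExampleProduct|1.0|9|"
    "Transaction permitted|1|src=192.0.2.10\n",
]

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE, 1):
        event = parse_leef(line)
        if event is None:
            print(f"line {number}: not LEEF 1.0, check the SIEM format setting")
        else:
            print(f"line {number}: {event['event_id']} {event['attrs']}")
```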