Configuring syslog for Forcepoint V-Series Data Security Suite

The Forcepoint V-Series Data Security Suite DSM accepts events using syslog. Before you can integrate with IBM QRadar, you must configure the Forcepoint V-Series appliance to forward syslog events from the Data Security Suite (DSS) Management Console.

Procedure

  1. Select Policies > Policy Components > Notification Templates.
  2. Select an existing Notification Template or create a new template.
  3. Click the General tab.
  4. Click Send Syslog Message.
  5. Select Options > Settings > Syslog to access the Syslog window.

    The syslog window enables administrators to define the IP address/host name and port number of the syslog in their organization. The defined syslog receives incident messages from the Forcepoint Data Security Suite DSS Manager.

  6. The syslog message is composed of the following fields:
    DSS Incident|ID={value}|action={display value - max}|urgency={coded}|policy categories={values,,,}|source={value-display name}|destinations={values...}|channel={display name}|matches={value}|details={value}
    • Maximum length for policy categories is 200 characters.
    • Maximum length for destinations is 200 characters.
    • Details and source are truncated to 30 characters.
  7. Click Test Connection to verify that your syslog is accessible.
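As an added example (not Forcepoint or IBM code), the following Python parser reads a "DSS Incident" message in the pipe-delimited layout documented in step 6 and checks each field against the length caps listed there. The sample lines are constructed; the syslog header in front of the marker and the exact value formats are assumptions. The page does not say whether a details value can itself contain "|", so the parser tolerates that case by re-joining any fragment that lacks "=" onto the preceding field. A practitioner can run it against a captured feed before the QRadar log source is created to confirm the appliance is emitting the documented format and truncation.

```python
"""Parse and sanity-check Forcepoint DSS 'DSS Incident' syslog messages.

Added example for this page, not Forcepoint or IBM code. Field names and
length caps come from the format documented above; the sample lines below
are constructed and not captured from a real appliance.
"""

# Documented caps, in characters. The sender truncates source and details to 30
# and limits policy categories and destinations to 200.
FIELD_CAPS = {"policy categories": 200, "destinations": 200, "source": 30, "details": 30}
LIST_FIELDS = ("policy categories", "destinations")  # documented as "{values,,,}" / "{values...}"
INT_FIELDS = ("id", "urgency", "matches")            # numeric when the sender emits digits

MARKER = "DSS Incident|"

# Constructed sample: well-formed message behind an assumed RFC 3164-style header.
SAMPLE_OK = (
    "<13>Jun 14 10:22:01 dss-manager DSS Incident|ID=4711|action=Blocked|urgency= 3"
    "|policy categories=PCI,Credit Cards,|source=jdoe - John Doe"
    "|destinations=mail.example.net,partner.example.org|channel=SMTP|matches= 5"
    "|details=Outbound mail with card data"
)

# Constructed sample: details longer than the documented 30-character cap.
SAMPLE_LONG = SAMPLE_OK.replace(
    "details=Outbound mail with card data",
    "details=Outbound mail with card data and full account statements attached",
)


def parse_dss_incident(line):
    """Return a dict of parsed fields plus '_raw' (the unconverted strings),
    or None if the line does not carry a DSS Incident message."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    raw = {}
    last_key = None
    for part in line[idx + len(MARKER):].split("|"):
        key, sep, value = part.partition("=")
        if not sep:
            # No '=' means a '|' inside the previous value; glue it back on.
            if last_key is not None:
                raw[last_key] += "|" + part
            continue
        last_key = key.strip().lower()
        raw[last_key] = value.strip()  # tolerate whitespace around '='
    parsed = {"_raw": raw}
    for key, value in raw.items():
        if key in LIST_FIELDS:
            # Split the comma list and drop empties left by trailing commas.
            parsed[key] = [v.strip() for v in value.split(",") if v.strip()]
        elif key in INT_FIELDS and value.isdigit():
            parsed[key] = int(value)
        else:
            parsed[key] = value
    return parsed


def oversize_fields(parsed):
    """Names of fields whose raw value exceeds the cap documented above.

    A hit means the message did not pass through the documented truncation
    (a different sender, an edited template, or a parsing slip), so the feed
    deserves a look before the values are trusted downstream."""
    raw = parsed["_raw"]
    return sorted(k for k, cap in FIELD_CAPS.items() if len(raw.get(k, "")) > cap)


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_LONG):
        rec = parse_dss_incident(sample)
        print({k: v for k, v in rec.items() if k != "_raw"})
        print("oversize:", oversize_fields(rec))
```

The `_raw` view is kept alongside the converted values so the length checks run on exactly what the appliance sent, not on a re-joined list.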

What to do next

You can now configure the log source in QRadar. Events forwarded by the Forcepoint V-Series appliance are automatically discovered, and the log source is added to QRadar. The forwarded events are displayed on the Log Activity tab of QRadar.