The proxy.forcepoint.access tag identifies all access log events generated by the Forcepoint web protection solutions. If you want to want to send other types of Forcepoint log events to Devo, contact Devo customer support.
For information about sending log events from Forcepoint, see the Forcepoint SIEM integration guide.
Devo currently supports the ingestion and parsing of the Forcepoint access log events using the tag proxy.forcepoint.access.
To send Forcepoint events to Devo, you need to forward log events to the Devo relay where the tag will be applied, and the data securely sent to your Devo domain.
Forward the events from Forcepoint to the Devo relay
This article contains instructions for using third-party software which may undergo design changes over time. This means that the instructions in this article may no longer be accurate for subsequent product versions. If this is the case, please let us know by sending us an email at firstname.lastname@example.org.
- In Forcepoint, go to the Settings → General → SIEM Integration page and select Enable SIEM integration for Internet activity log data for this Policy Server.
- Enter the IP address of the Devo relay and specify the port to which you will send the Forcepoint events.
- Choose TCP as the Transport protocol.
- Set the SIEM format to syslog/key-value pairs, then click OK.
- Click Save and Deploy.
For complete instructions, see the Forcepoint SIEM integration guide.
Set up the Devo relay rule
This simple type-1 relay rule applies the proxy.forcepoint.access tag to the events before forwarding them to Devo. In the example below, we use port 13003 but you should use any port that you can dedicate to these events - and it must be the same as you configured in Forcepoint.
- Source Port → 13003
- Target Tag → proxy.forcepoint.access
- Check the Stop processing and Sent without syslog tag checkboxes.