Created on 08-17-2023 04:07 AM
Created on 08-31-2023 01:54 AM
Are the events being sent in CEF format?
Can you share some sample events so that we can see what the issue is?
This is a sample event format that FortiSIEM expects to receive:
<6>CEF:0|FORCEPOINT|Alert|6.0.1|71257|TCP_Segment-SYN-No-Options|0|spt=2890 deviceExternalId=FW2 node 1 dmac=00:50:56:86:5E:16 dst=192.168.91.67 app=TCP/30152 rt=Sep 22 2016 23:38:00 deviceFacility=Packet filter act=Terminate deviceInboundInterface=2 proto=6 dpt=30152 src=192.168.155.35 dvc=192.168.94.51 dvchost=192.168.94.51 smac=00:10:DB:FF:10:01 cs1Label=RuleId cs1=97.0
We are using the LEEF format, but even if we change it to CEF the event type remains unknown.
<6>LEEF:1.0|Forcepoint|Firewall|7.0.2|Connection_Allowed|devTimeFormat=MMM dd yyyy HH:mm:ss src=192.168.64.22 dst=192.168.198.102 srcPort=59986 dstPort=2463 proto=6 devTime=Aug 31 2023 09:11:36 sender=Force-1-NDB node 1 action=Allow
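The two samples above differ not only in framing (CEF vs LEEF) but in their header fields (vendor/product/version and the event identifier) and in the extension keys they carry. A quick way to see exactly what a collector would get from each is to parse both into the same structure. The following is an added example written for this thread, not code from FortiSIEM or Forcepoint; it assumes space-separated key=value extensions (as in the quoted samples, where values such as `FW2 node 1` themselves contain spaces), tab-separated extensions for LEEF 1.0 when a tab is present, and an explicit delimiter field for LEEF 2.0. The sample lines are constructed from the two events quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Dict

# Constructed samples, shaped like the CEF and LEEF events quoted in this thread.
CEF_SAMPLE = (
    "<6>CEF:0|FORCEPOINT|Alert|6.0.1|71257|TCP_Segment-SYN-No-Options|0|"
    "spt=2890 deviceExternalId=FW2 node 1 dmac=00:50:56:86:5E:16 dst=192.168.91.67 "
    "app=TCP/30152 rt=Sep 22 2016 23:38:00 deviceFacility=Packet filter act=Terminate "
    "deviceInboundInterface=2 proto=6 dpt=30152 src=192.168.155.35 dvc=192.168.94.51 "
    "dvchost=192.168.94.51 smac=00:10:DB:FF:10:01 cs1Label=RuleId cs1=97.0"
)
LEEF_SAMPLE = (
    "<6>LEEF:1.0|Forcepoint|Firewall|7.0.2|Connection_Allowed|"
    "devTimeFormat=MMM dd yyyy HH:mm:ss src=192.168.64.22 dst=192.168.198.102 "
    "srcPort=59986 dstPort=2463 proto=6 devTime=Aug 31 2023 09:11:36 "
    "sender=Force-1-NDB node 1 action=Allow"
)

PRI_RE = re.compile(r"^<(\d{1,3})>")            # syslog priority, e.g. <6>
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")        # header separator, '\|' is a literal pipe
# key=value pairs separated by whitespace; a value runs until the next " key=" or the end,
# so values that contain spaces ("FW2 node 1", "Packet filter") are kept whole.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.DOTALL)
ESCAPE_RE = re.compile(r"\\([=|\\])")           # CEF escapes: \= \| \\


@dataclass
class Event:
    fmt: str
    vendor: str
    product: str
    version: str
    event_id: str            # CEF signature id / LEEF event id
    name: Optional[str]      # CEF only
    severity: Optional[str]  # CEF only
    ext: Dict[str, str] = field(default_factory=dict)


def unescape(value: str) -> str:
    return ESCAPE_RE.sub(r"\1", value)


def parse_extension(ext: str, delim: Optional[str] = None) -> Dict[str, str]:
    """Parse the extension block; use an explicit delimiter when given, else whitespace rules."""
    if delim is not None and delim in ext:
        pairs = [p for p in ext.split(delim) if "=" in p]
        return {k: unescape(v) for k, v in (p.split("=", 1) for p in pairs)}
    return {k: unescape(v.strip()) for k, v in KV_RE.findall(ext)}


def parse_event(line: str) -> Event:
    """Parse one syslog line carrying a CEF:0, LEEF:1.0 or LEEF:2.0 event."""
    m = PRI_RE.match(line)
    body = line[m.end():] if m else line
    fmt, _, rest = body.partition(":")
    if fmt == "CEF":
        parts = UNESCAPED_PIPE.split(rest, maxsplit=7)
        if len(parts) != 8 or parts[0] != "0":
            raise ValueError("malformed CEF:0 header")
        _, vendor, product, version, sig_id, name, severity, ext = (unescape(p) for p in parts)
        return Event("CEF", vendor, product, version, sig_id, name, severity, parse_extension(ext))
    if fmt == "LEEF":
        leef_version = rest.split("|", 1)[0]
        if leef_version == "2.0":
            # LEEF 2.0 carries a delimiter field after the event id; "x09"-style hex is assumed here.
            parts = UNESCAPED_PIPE.split(rest, maxsplit=6)
            if len(parts) != 7:
                raise ValueError("malformed LEEF:2.0 header")
            _, vendor, product, version, event_id, delim, ext = parts
            if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):
                delim = chr(int(delim[1:], 16))
            delim = delim or "\t"
        else:
            parts = UNESCAPED_PIPE.split(rest, maxsplit=5)
            if len(parts) != 6:
                raise ValueError("malformed LEEF:1.0 header")
            _, vendor, product, version, event_id, ext = parts
            delim = "\t" if "\t" in ext else None   # Forcepoint's sample uses spaces, not tabs
        return Event("LEEF", vendor, product, version, event_id, None, None,
                     parse_extension(ext, delim))
    raise ValueError(f"unsupported format: {fmt!r}")


def event_key(ev: Event) -> str:
    """Normalised vendor|product|event-id key, useful for comparing what each format reports."""
    return f"{ev.vendor}|{ev.product}|{ev.event_id}".lower()


if __name__ == "__main__":
    for sample in (CEF_SAMPLE, LEEF_SAMPLE):
        ev = parse_event(sample)
        print(event_key(ev), ev.version, sorted(ev.ext))
```

Running it over the two quoted samples shows the practical difference a parser sees: the CEF event identifies itself as `FORCEPOINT|Alert` version 6.0.1 with CEF-standard keys (`src`, `dst`, `spt`, `dpt`, `act`, `rt`), while the LEEF event identifies itself as `Forcepoint|Firewall` version 7.0.2 with LEEF-style keys (`srcPort`, `dstPort`, `devTime`, `action`). Whichever format is chosen, the header and key names have to match what the receiving parser expects, so diffing these fields against a known-good sample is the first check to run when events come through as an unknown type.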
Created on 09-04-2023 08:18 AM
Can you send to me directly an export in CSV format of the Forcepoint logs? A varied sample of logs will be best.
I can see that Forcepoint have changed their log format.