Collect Forcepoint DLP logs

This document describes how you can collect Forcepoint Data Loss Prevention (DLP) logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations overview.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the FORCEPOINT_DLP ingestion label.

Configure Forcepoint DLP

  1. Sign in to the Forcepoint Security Manager console.
  2. In the Additional actions section, select the Send syslog message checkbox.
  3. In the Data security module, select Settings > General > Remediation.
  4. In the Syslog settings section, specify the following:
    • In the IP address or hostname field, enter the IP address or hostname of the Google Security Operations forwarder.
    • In the Port field, enter the port number.
    • Clear the Use syslog facility for these messages checkbox.
  5. To send the syslog server a verification test message, click Test connection.
  6. To save your changes, click Ok.

Configure the Google Security Operations forwarder to ingest Forcepoint DLP logs

  1. Go to SIEM Settings > Forwarders.
  2. Click Add new forwarder.
  3. In the Forwarder Name field, enter a unique name for the forwarder.
  4. Click Submit. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, type a name.
  6. Select Forcepoint DLP as the Log type.
  7. Select Syslog as the Collector type.
  8. Configure the following mandatory input parameters:
    • Protocol: specify the connection protocol that the collector uses to listen for syslog data.
    • Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
    • Port: specify the target port where the collector resides and listens for syslog data.
  9. Click Submit.

For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI. If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser extracts key-value pairs from Forcepoint DLP CEF formatted logs, normalizing and mapping them to the UDM. It handles various CEF fields, including sender, recipient, actions, and severity, enriching the UDM with details like user information, affected files, and security results.

UDM Mapping Table

| Log Field | UDM Mapping | Logic |
| --- | --- | --- |
| act | security_result.description | If actionPerformed is empty, the value of act is assigned to security_result.description. |
| actionID | metadata.product_log_id | The value of actionID is assigned to metadata.product_log_id. |
| actionPerformed | security_result.description | The value of actionPerformed is assigned to security_result.description. |
| administrator | principal.user.userid | The value of administrator is assigned to principal.user.userid. |
| analyzedBy | additional.fields.key | The string "analyzedBy" is assigned to additional.fields.key. |
| analyzedBy | additional.fields.value.string_value | The value of analyzedBy is assigned to additional.fields.value.string_value. |
| cat | security_result.category_details | The values of cat are merged into the security_result.category_details field as a list. |
| destinationHosts | target.hostname | The value of destinationHosts is assigned to target.hostname. |
| destinationHosts | target.asset.hostname | The value of destinationHosts is assigned to target.asset.hostname. |
| details | security_result.description | If both actionPerformed and act are empty, the value of details is assigned to security_result.description. |
| duser | target.user.userid | The value of duser is used to populate target.user.userid. Multiple values separated by "; " are split and assigned as individual email addresses if they match the email regex; otherwise they are treated as user IDs. |
| eventId | metadata.product_log_id | If actionID is empty, the value of eventId is assigned to metadata.product_log_id. |
| fname | target.file.full_path | The value of fname is assigned to target.file.full_path. |
| logTime | metadata.event_timestamp | The value of logTime is parsed and used to populate metadata.event_timestamp. |
| loginName | principal.user.user_display_name | The value of loginName is assigned to principal.user.user_display_name. |
| msg | metadata.description | The value of msg is assigned to metadata.description. |
| productVersion | additional.fields.key | The string "productVersion" is assigned to additional.fields.key. |
| productVersion | additional.fields.value.string_value | The value of productVersion is assigned to additional.fields.value.string_value. |
| role | principal.user.attribute.roles.name | The value of role is assigned to principal.user.attribute.roles.name. |
| severityType | security_result.severity | The value of severityType is mapped to security_result.severity: "high" maps to "HIGH", "med" maps to "MEDIUM", and "low" maps to "LOW" (case-insensitive). |
| sourceHost | principal.hostname | The value of sourceHost is assigned to principal.hostname. |
| sourceHost | principal.asset.hostname | The value of sourceHost is assigned to principal.asset.hostname. |
| sourceIp | principal.ip | The value of sourceIp is added to the principal.ip field. |
| sourceIp | principal.asset.ip | The value of sourceIp is added to the principal.asset.ip field. |
| sourceServiceName | principal.application | The value of sourceServiceName is assigned to principal.application. |
| suser | principal.user.userid | If administrator is empty, the value of suser is assigned to principal.user.userid. |
| timestamp | metadata.event_timestamp | The value of timestamp is used to populate metadata.event_timestamp. |
| topic | security_result.rule_name | The value of topic is assigned to security_result.rule_name after commas are removed. |
| | | Hardcoded to "FORCEPOINT_DLP". |
| | | Hardcoded to "Forcepoint". |
| | | Extracted from the CEF message. Can be "Forcepoint DLP" or "Forcepoint DLP Audit". |
| | | Extracted from the CEF message. |
| | | Concatenation of device_event_class_id and event_name, formatted as "[device_event_class_id] - event_name". |
| | | Initialized to "GENERIC_EVENT". Changed to "USER_UNCATEGORIZED" if is_principal_user_present is "true". |
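The following Python sketch is an added worked example, not part of this page and not the Google SecOps parser itself. It splits a CEF record the way a syslog receiver would see it and then applies the rules from the table above: the description precedence (actionPerformed, then act, then details), the user-ID precedence (administrator over suser), the log-ID precedence (actionID over eventId), the "; " split of duser into email addresses and user IDs, the case-insensitive severityType map, comma removal in topic, and the duplication of sourceHost/sourceIp/destinationHosts into both the entity and its asset. The sample record is constructed. The UDM field names for the hardcoded metadata values (metadata.log_type, vendor_name, product_name, product_event_type, event_type) and the condition under which is_principal_user_present becomes "true" are assumptions, because the table does not name them.

```python
import re
from datetime import datetime

# Constructed sample event in the CEF form Forcepoint DLP sends over syslog; every
# value below is invented for illustration and does not come from a real deployment.
SAMPLE_CEF = (
    "CEF:0|Forcepoint|Forcepoint DLP|8.9.0|DLP-1001|Credit card data in outbound email|7|"
    "act=Blocked actionID=4711 suser=jdoe duser=alice@example.com; bob@example.com; svc-batch "
    "sourceHost=wks-042 sourceIp=10.1.2.3 destinationHosts=mail.example.com "
    "fname=/home/jdoe/Q3-customers.xlsx severityType=High cat=PCI cat=Email "
    "topic=PCI DSS, card numbers msg=Policy violation detected "
    "analyzedBy=endpoint-agent logTime=2024-05-06T12:34:56Z"
)

_HEADER_KEYS = ("cef_version", "device_vendor", "device_product", "device_version",
                "device_event_class_id", "event_name", "severity")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_SEVERITY = {"high": "HIGH", "med": "MEDIUM", "low": "LOW"}   # severityType -> UDM severity


def parse_cef(line):
    """Split one CEF record into its seven header fields and an extension dict.
    Repeated extension keys (Forcepoint emits cat= more than once) become lists."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)   # a literal '|' in a field is escaped as '\|'
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(_HEADER_KEYS, parts[:7]))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    ext = {}
    # A key is a run of word characters directly followed by '='; its value runs to the
    # next " key=" or to end of line, so values may contain spaces, ';' and ','.
    for m in re.finditer(r"(?:^|\s)(\w+)=(.*?)(?=\s\w+=|$)", parts[7]):
        key, value = m.group(1), m.group(2).strip()
        if key in ext:
            ext[key] = ([ext[key]] if isinstance(ext[key], str) else ext[key]) + [value]
        else:
            ext[key] = value
    return header, ext


def to_udm(header, ext):
    """Apply the mapping rules from the field mapping table to one parsed event."""
    # Field names for the hardcoded metadata values are assumed; the table lists only the values.
    md = {"log_type": "FORCEPOINT_DLP", "vendor_name": "Forcepoint",
          "product_name": header["device_product"], "event_type": "GENERIC_EVENT",
          "product_event_type": f"[{header['device_event_class_id']}] - {header['event_name']}"}
    if ext.get("actionID") or ext.get("eventId"):          # actionID wins over eventId
        md["product_log_id"] = ext.get("actionID") or ext["eventId"]
    if ext.get("msg"):
        md["description"] = ext["msg"]
    stamp = ext.get("logTime") or ext.get("timestamp")     # ISO 8601 assumed for the sample
    if stamp:
        md["event_timestamp"] = datetime.fromisoformat(stamp.replace("Z", "+00:00")).isoformat()
    principal, target, sr = {}, {}, {}
    if ext.get("administrator") or ext.get("suser"):       # administrator wins over suser
        principal["user"] = {"userid": ext.get("administrator") or ext["suser"]}
        md["event_type"] = "USER_UNCATEGORIZED"            # assumed: a principal user ID is what sets is_principal_user_present
    if ext.get("loginName"):
        principal.setdefault("user", {})["user_display_name"] = ext["loginName"]
    if ext.get("sourceHost"):                              # written to both the entity and its asset
        principal["hostname"] = ext["sourceHost"]
        principal["asset"] = {"hostname": ext["sourceHost"]}
    if ext.get("sourceIp"):
        principal["ip"] = [ext["sourceIp"]]
        principal.setdefault("asset", {})["ip"] = [ext["sourceIp"]]
    if ext.get("destinationHosts"):
        target["hostname"] = ext["destinationHosts"]
        target["asset"] = {"hostname": ext["destinationHosts"]}
    if ext.get("fname"):
        target["file"] = {"full_path": ext["fname"]}
    if ext.get("duser"):                                   # "; "-separated; emails vs. plain user IDs
        tuser = {}
        for item in ext["duser"].split("; "):
            if _EMAIL_RE.match(item):
                tuser.setdefault("email_addresses", []).append(item)
            else:
                tuser["userid"] = item
        target["user"] = tuser
    desc = ext.get("actionPerformed") or ext.get("act") or ext.get("details")
    if desc:
        sr["description"] = desc
    sev = _SEVERITY.get((ext.get("severityType") or "").lower())
    if sev:
        sr["severity"] = sev
    if ext.get("cat"):
        sr["category_details"] = [ext["cat"]] if isinstance(ext["cat"], str) else ext["cat"]
    if ext.get("topic"):
        sr["rule_name"] = ext["topic"].replace(",", "")
    extra = [{"key": k, "value": {"string_value": ext[k]}}
             for k in ("analyzedBy", "productVersion") if ext.get(k)]
    return {"metadata": md, "principal": principal, "target": target,
            "security_result": [sr] if sr else [], "additional": {"fields": extra}}


if __name__ == "__main__":
    import json
    print(json.dumps(to_udm(*parse_cef(SAMPLE_CEF)), indent=2))
```

Running the script prints the UDM-shaped dictionary for the constructed record; the value-boundary regex in parse_cef is the part worth testing against your own Forcepoint output, since a value containing an unescaped " word=" sequence would be cut at that point.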
