Forcepoint stores its event logs in a Microsoft SQL database which is typically included on the Forcepoint server. This document instructs you how to configure collection of Forcepoint (formerly Websense) logs via LogRhythm System Monitor Agent.
Collection from a Microsoft SQL database requires:
- Universal Database Log Adapter (UDLA) Log Source.
- A LogRhythm System Monitor to collect the logs.
- Access to the Microsoft SQL Server Database that Forcepoint uses for storing event logs.
Identify the following prior to configuration:
- The IP address and host name of the Microsoft SQL Server Database used by Forcepoint.
- A LogRhythm System Monitor to collect the logs from Forcepoint.
- The user ID and password to access the Forcepoint log data on the Microsoft SQL Database Server, if necessary.
Verify Access to the Forcepoint Server
The LogRhythm System Monitor will need to use an existing SQL account to access the Forcepoint SQL database. This can be the default “sa” account, an account created with administrator access, or domain credentials. No additional configuration changes are needed on the Forcepoint server.
Configure the ODBC Driver for Forcepoint
ODBC needs to be installed on the System Monitor host that will be collecting the Forcepoint log source. If you are using Windows Authentication, the System Monitor service should be running with a Service Account that has access to the Forcepoint SQL database.
The LogRhythm System Monitor accesses Forcepoint logs via an ODBC driver. The recommended driver must already be installed on the System Monitor host and configured according to the information in Configure UDLA Log Collection.
- Name. SQL Server
- Company Name. Microsoft Corporation
- Version. 2000.85.1132.00
- Date. 4/13/2008
- Download Location. Pre-installed
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. The System Monitor does not need to be installed on the Forcepoint server, but it needs to establish a network ODBC connection. In addition, the Microsoft SQL client drivers must be installed on the System Monitor host.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the Forcepoint XML Configuration File. You will import this file later to populate the UDLA configuration fields for the Log Source.
The name of the log message source is UDLA – Forcepoint. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the UDLA Settings tab, enter the following:
Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
Be sure to change the values for Server and Database according to your current deployment configuration.
- If you want to validate the current settings, click Test.
If the test fails, verify the connection settings and that all values were entered correctly.
- When the test passes, close the Test dialog box.