Forcepoint Management Server
Overview
The Management Server is the central component for system administration. One Management Server can manage many different types of engines.
- Vendor: Forcepoint
- Supported environment: On-premises
- Version compatibility: 6.5 and later
- Detection based on: Telemetry
- Supported application or feature: Network device logs, Network intrusion detection system
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
Configure
This setup guide will show you how to forward your Forcepoint Management Server logs to Sekoia.io by means of a syslog transport channel.
Prerequisites
- Have a Forcepoint Management Server installed and configured
- Have administrative access to the Forcepoint Management Server interface
- Have an internal log concentrator (Rsyslog) or direct syslog forwarding capability
Enable syslog forwarding on Forcepoint Management Server
To configure Forcepoint Management Server to forward logs to Sekoia.io, follow these steps:
- Sign in to your Forcepoint Security Management Center (SMC).
- Navigate to the Management Server properties:
  - Click Home.
  - Click Others > Management Server.
  - Right-click the Management Server from which you want to forward logs and select Properties.
- Configure log forwarding:
  - In the Management Server properties window, click the Audit Forwarding tab.
  - Click Add to create a new forwarding rule.
  - Set Target host, Port and Service based on your Sekoia.io forwarder configuration.
  - Select the LEEF or CEF format (only these two formats are accepted).
Forward logs to Sekoia.io
Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.
Create an intake
Go to the intake page and create a new intake from the Forcepoint NGFW format.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
Timestamp="2025-08-06 17:17:16",NodeId="192.168.1.11",CompId="Mngt Server 01",InfoMsg="Login succeeded for user User_01 in domain Shared Domain with method LDAP Authentication",SenderType="Management Server",EventId="8304273052967896323",UserOriginator="System",ClientIpAddress="127.0.0.1",TypeDescription="stonegate.admin.login",Result="Success",ObjectName="User_01"
Timestamp="2025-08-06 19:20:38",NodeId="192.168.1.11",CompId="Mngt Server 01",InfoMsg="Logout succeeded for user User_01 Server",EventId="8304273052967896336",UserOriginator="System",ClientIpAddress="192.168.1.175",TypeDescription="stonegate.admin.logout",Result="Success",ObjectName="User_01"
Timestamp="2019-05-01 16:25:56",NodeId="192.168.1.2",CompId="Management Server",SenderType="Management Server",EventId="8374310612217364481",UserOriginator="System",ClientIpAddress="192.168.1.2",TypeDescription="audit.start",Result="Success",ObjectName="Audit function started"
Timestamp="2019-05-22 17:57:59",NodeId="192.168.1.2",CompId="LogServer 192.168.1.2",InfoMsg="Some files must be deleted in order to free disk space for storage files.",SenderType="Log Server",SituationId="512",Situation="Log Server: disk full",AlertSeverity="Critical",EventId="1558547879977"
Timestamp="2019-05-01 20:33:14",NodeId="192.168.1.2",RuleId="147.2",CompId="Management Server",InfoMsg="IPv4 Access Rule @147.2 has been modified.",SenderType="Management Server",EventId="8376289638658081825",UserOriginator="admin",ClientIpAddress="192.168.1.11",TypeDescription="stonegate.object.update",Result="Success",ObjectName="High Security Policy"
Timestamp="2019-05-01 20:34:01",NodeId="192.168.1.2",CompId="Management Server",SenderType="Management Server",EventId="8376289638658081837",UserOriginator="admin",ClientIpAddress="192.168.1.11",TypeDescription="stonegate.policy.upload.end",Result="Success",ObjectName="High Security Policy;NGFW-FIPS"
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Event Categories
The following table lists the data sources offered by this integration.
| Data Source | Description |
|---|---|
| Network device logs | None |
In detail, the following table lists the types of events produced by this integration.
| Name | Values |
|---|---|
| Kind | event |
| Category | host |
| Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "Timestamp=\"2025-08-06 17:17:16\",NodeId=\"192.168.1.11\",CompId=\"Mngt Server 01\",InfoMsg=\"Login succeeded for user User_01 in domain Shared Domain with method LDAP Authentication\",SenderType=\"Management Server\",EventId=\"8304273052967896323\",UserOriginator=\"System\",ClientIpAddress=\"127.0.0.1\",TypeDescription=\"stonegate.admin.login\",Result=\"Success\",ObjectName=\"User_01\"",
"event": {
"action": "stonegate.admin.login",
"category": [
"authentication"
],
"kind": "event",
"outcome": "success",
"type": [
"admin",
"start"
]
},
"@timestamp": "2025-08-06T17:17:16Z",
"client": {
"user": {
"name": "User_01"
}
},
"forcepoint": {
"ms": {
"authentication_method": "LDAP Authentication",
"domain": "Shared Domain",
"object": {
"name": "User_01"
},
"sender_type": "Management Server"
}
},
"log": {
"description": "Login succeeded for user User_01 in domain Shared Domain with method LDAP Authentication"
},
"observer": {
"hostname": "Mngt Server 01",
"ip": "192.168.1.11",
"product": "Forcepoint Management Server",
"vendor": "Forcepoint"
},
"related": {
"hosts": [
"Mngt Server 01"
],
"ip": [
"127.0.0.1",
"192.168.1.11"
],
"user": [
"System",
"User_01"
]
},
"source": {
"address": "127.0.0.1",
"ip": "127.0.0.1"
},
"user": {
"name": "System"
}
}
{
"message": "Timestamp=\"2025-08-06 19:20:38\",NodeId=\"192.168.1.11\",CompId=\"Mngt Server 01\",InfoMsg=\"Logout succeeded for user User_01 Server\",EventId=\"8304273052967896336\",UserOriginator=\"System\",ClientIpAddress=\"192.168.1.175\",TypeDescription=\"stonegate.admin.logout\",Result=\"Success\",ObjectName=\"User_01\"",
"event": {
"action": "stonegate.admin.logout",
"category": [
"authentication"
],
"kind": "event",
"outcome": "success",
"type": [
"admin",
"end"
]
},
"@timestamp": "2025-08-06T19:20:38Z",
"client": {
"user": {
"name": "User_01 Server"
}
},
"forcepoint": {
"ms": {
"object": {
"name": "User_01"
}
}
},
"log": {
"description": "Logout succeeded for user User_01 Server"
},
"observer": {
"hostname": "Mngt Server 01",
"ip": "192.168.1.11",
"product": "Forcepoint Management Server",
"vendor": "Forcepoint"
},
"related": {
"hosts": [
"Mngt Server 01"
],
"ip": [
"192.168.1.11",
"192.168.1.175"
],
"user": [
"System",
"User_01 Server"
]
},
"source": {
"address": "192.168.1.175",
"ip": "192.168.1.175"
},
"user": {
"name": "System"
}
}
{
"message": "Timestamp=\"2019-05-01 16:25:56\",NodeId=\"192.168.1.2\",CompId=\"Management Server\",SenderType=\"Management Server\",EventId=\"8374310612217364481\",UserOriginator=\"System\",ClientIpAddress=\"192.168.1.2\",TypeDescription=\"audit.start\",Result=\"Success\",ObjectName=\"Audit function started\"",
"event": {
"action": "audit.start",
"category": [
"process"
],
"kind": "event",
"outcome": "success",
"type": [
"start"
]
},
"@timestamp": "2019-05-01T16:25:56Z",
"forcepoint": {
"ms": {
"object": {
"name": "Audit function started"
},
"sender_type": "Management Server"
}
},
"observer": {
"hostname": "Management Server",
"ip": "192.168.1.2",
"product": "Forcepoint Management Server",
"vendor": "Forcepoint"
},
"related": {
"hosts": [
"Management Server"
],
"ip": [
"192.168.1.2"
],
"user": [
"System"
]
},
"source": {
"address": "192.168.1.2",
"ip": "192.168.1.2"
},
"user": {
"name": "System"
}
}
{
"message": "Timestamp=\"2019-05-22 17:57:59\",NodeId=\"192.168.1.2\",CompId=\"LogServer 192.168.1.2\",InfoMsg=\"Some files must be deleted in order to free disk space for storage files.\",SenderType=\"Log Server\",SituationId=\"512\",Situation=\"Log Server: disk full\",AlertSeverity=\"Critical\",EventId=\"1558547879977\"",
"event": {
"category": [
"host"
],
"kind": "event",
"outcome": "unknown",
"type": [
"info"
]
},
"@timestamp": "2019-05-22T17:57:59Z",
"forcepoint": {
"ms": {
"alert_severity": "Critical",
"sender_type": "Log Server",
"situation": "Log Server: disk full"
}
},
"log": {
"description": "Some files must be deleted in order to free disk space for storage files."
},
"observer": {
"hostname": "LogServer 192.168.1.2",
"ip": "192.168.1.2",
"product": "Forcepoint Management Server",
"vendor": "Forcepoint"
},
"related": {
"hosts": [
"LogServer 192.168.1.2"
],
"ip": [
"192.168.1.2"
]
}
}
{
"message": "Timestamp=\"2019-05-01 20:33:14\",NodeId=\"192.168.1.2\",RuleId=\"147.2\",CompId=\"Management Server\",InfoMsg=\"IPv4 Access Rule @147.2 has been modified.\",SenderType=\"Management Server\",EventId=\"8376289638658081825\",UserOriginator=\"admin\",ClientIpAddress=\"192.168.1.11\",TypeDescription=\"stonegate.object.update\",Result=\"Success\",ObjectName=\"High Security Policy\"",
"event": {
"action": "stonegate.object.update",
"category": [
"configuration"
],
"kind": "event",
"outcome": "success",
"type": [
"change"
]
},
"@timestamp": "2019-05-01T20:33:14Z",
"forcepoint": {
"ms": {
"object": {
"name": "High Security Policy"
},
"sender_type": "Management Server"
}
},
"log": {
"description": "IPv4 Access Rule @147.2 has been modified."
},
"observer": {
"hostname": "Management Server",
"ip": "192.168.1.2",
"product": "Forcepoint Management Server",
"vendor": "Forcepoint"
},
"related": {
"hosts": [
"Management Server"
],
"ip": [
"192.168.1.11",
"192.168.1.2"
],
"user": [
"admin"
]
},
"source": {
"address": "192.168.1.11",
"ip": "192.168.1.11"
},
"user": {
"name": "admin"
}
}
{
"message": "Timestamp=\"2019-05-01 20:34:01\",NodeId=\"192.168.1.2\",CompId=\"Management Server\",SenderType=\"Management Server\",EventId=\"8376289638658081837\",UserOriginator=\"admin\",ClientIpAddress=\"192.168.1.11\",TypeDescription=\"stonegate.policy.upload.end\",Result=\"Success\",ObjectName=\"High Security Policy;NGFW-FIPS\"",
"event": {
"action": "stonegate.policy.upload.end",
"category": [
"configuration"
],
"kind": "event",
"outcome": "success",
"type": [
"end"
]
},
"@timestamp": "2019-05-01T20:34:01Z",
"forcepoint": {
"ms": {
"object": {
"name": "High Security Policy;NGFW-FIPS"
},
"sender_type": "Management Server"
}
},
"observer": {
"hostname": "Management Server",
"ip": "192.168.1.2",
"product": "Forcepoint Management Server",
"vendor": "Forcepoint"
},
"related": {
"hosts": [
"Management Server"
],
"ip": [
"192.168.1.11",
"192.168.1.2"
],
"user": [
"admin"
]
},
"source": {
"address": "192.168.1.11",
"ip": "192.168.1.11"
},
"user": {
"name": "admin"
}
}
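As an added example (not Sekoia.io's own parser), the following Python reproduces the transformation shown above for the documented fields: it splits the quoted key="value" pairs, derives event.category and event.type from TypeDescription, and pulls client.user.name, domain and authentication method out of the login/logout InfoMsg. ACTION_MAP and LOGIN_RE are assumptions read off the six samples on this page, not the vendor's specification; the first raw sample is reused as input.

```python
import re
from datetime import datetime
# Quoted key="value" pairs; the regex keeps commas inside quoted values intact.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# Login/logout InfoMsg: "for user <name>[ in domain <domain>][ with method <method>]" (assumed).
LOGIN_RE = re.compile(r"for user (.+?)(?: in domain (.+?))?(?: with method (.+))?$")
# Categorisation assumed from the transformed samples on this page: ECS category, type list.
ACTION_MAP = {
    "stonegate.admin.login": ("authentication", ["admin", "start"]),
    "stonegate.admin.logout": ("authentication", ["admin", "end"]),
    "audit.start": ("process", ["start"]),
    "stonegate.object.update": ("configuration", ["change"]),
    "stonegate.policy.upload.end": ("configuration", ["end"]),
}
# First raw sample from this page, reused as input.
SAMPLE = 'Timestamp="2025-08-06 17:17:16",NodeId="192.168.1.11",CompId="Mngt Server 01",InfoMsg="Login succeeded for user User_01 in domain Shared Domain with method LDAP Authentication",SenderType="Management Server",EventId="8304273052967896323",UserOriginator="System",ClientIpAddress="127.0.0.1",TypeDescription="stonegate.admin.login",Result="Success",ObjectName="User_01"'

def parse_kv(line: str) -> dict:
    return {k: v.replace('\\"', '"') for k, v in PAIR_RE.findall(line)}

def to_ecs(line: str) -> dict:
    """Normalise one raw audit line into the ECS-like layout shown above."""
    raw = parse_kv(line)
    action = raw.get("TypeDescription")
    category, types = ACTION_MAP.get(action, ("host", ["info"]))
    ts = datetime.strptime(raw["Timestamp"], "%Y-%m-%d %H:%M:%S")
    event = {"kind": "event", "category": [category], "type": types,
             "outcome": raw.get("Result", "").lower() or "unknown",
             **({"action": action} if action else {})}
    doc = {"@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "event": event,
           "observer": {"hostname": raw["CompId"], "ip": raw["NodeId"],
                        "product": "Forcepoint Management Server", "vendor": "Forcepoint"}}
    ips, users = {raw["NodeId"]}, set()
    if "ClientIpAddress" in raw:
        doc["source"] = {"ip": raw["ClientIpAddress"], "address": raw["ClientIpAddress"]}
        ips.add(raw["ClientIpAddress"])
    if "UserOriginator" in raw:
        doc["user"] = {"name": raw["UserOriginator"]}
        users.add(raw["UserOriginator"])
    m = LOGIN_RE.search(raw.get("InfoMsg", "")) if category == "authentication" else None
    if m:  # the account acted upon, distinct from the originator kept in user.name
        doc["client"] = {"user": {"name": m.group(1)}}
        users.add(m.group(1))
    ms = {"domain": m and m.group(2), "authentication_method": m and m.group(3),
          "sender_type": raw.get("SenderType"), "situation": raw.get("Situation"),
          "alert_severity": raw.get("AlertSeverity"),
          "object": {"name": raw["ObjectName"]} if "ObjectName" in raw else None}
    doc["forcepoint"] = {"ms": {k: v for k, v in ms.items() if v is not None}}
    doc["related"] = {k: v for k, v in {"hosts": [raw["CompId"]], "ip": sorted(ips), "user": sorted(users)}.items() if v}
    return doc
```

Events without a TypeDescription (such as the Log Server disk-full alert) fall through to the host/info categorisation with outcome "unknown", matching the fourth transformed sample.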
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
| Name | Type | Description |
|---|---|---|
| @timestamp | date | Date/time when the event originated. |
| client.user.name | keyword | Short name or login of the user. |
| event.action | keyword | The action captured by the event. |
| event.category | keyword | Event category. The second categorization field in the hierarchy. |
| event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
| event.outcome | keyword | The outcome of the event. The lowest level categorization field in the hierarchy. |
| event.reason | keyword | Reason why this event happened, according to the source. |
| event.type | keyword | Event type. The third categorization field in the hierarchy. |
| forcepoint.ms.alert_severity | keyword | Alert severity (e.g. Critical). |
| forcepoint.ms.authentication_method | keyword | Forcepoint Management Server authentication method. |
| forcepoint.ms.domain | keyword | Forcepoint management domain. |
| forcepoint.ms.object.name | keyword | Elements being manipulated in the audit event. |
| forcepoint.ms.sender_type | keyword | The type of engine or server that sent the log entry. |
| forcepoint.ms.situation | keyword | Situation name. |
| observer.hostname | keyword | Hostname of the observer. |
| observer.ip | ip | IP addresses of the observer. |
| observer.product | keyword | The product name of the observer. |
| observer.vendor | keyword | Vendor name of the observer. |
| source.ip | ip | IP address of the source. |
| user.name | keyword | Short name or login of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.