Ingest Logs

1. Choose normalization

  • Click Normalization.

  • Either:

    • Select a previously created normalization policy from the dropdown, or

    • Select the appropriate Compiled Normalizer (ProofpointCompiledNormalizer or ProofpointTAPCompiledNormalizer) from the list and click the swap icon.

2. Available Compiled Normalizers

  • ProofpointCompiledNormalizer (for general Proofpoint logs)

  • ProofpointTAPCompiledNormalizer (for Targeted Attack Protection logs)

Select the appropriate normalizer based on your Proofpoint deployment.

Enrichment Configuration

1. Enrichment

  • Click Enrichment.

  • Select an Enrichment Policy.

2. Finalize

Click Create Log Source to save all configurations.


Method 2: Configure via Devices

Configuring a Repo for Proofpoint

1. Add a repository

  • Go to Settings >> Configuration from the navigation bar and click Repos.

  • Click Add.

  • Enter a Repo Name.

  • Select a Repo Path to store incoming logs.

  • Set a Retention Day to keep logs in a repository before they are automatically deleted.

Note: You can add and remove multiple Repo Paths and Retention Day values.

2. Remote selection

  • Select a Remote LogPoint and set an Available for (day) value.

  • Click Submit.

Adding a Normalization Policy for Proofpoint

1. Create normalization policy

  • Go to Settings >> Configuration from the navigation bar and click Normalization Policies.

  • Click Add.

  • Enter a Policy Name.

2. Select normalizer

  • Select the required Compiled Normalizer for Proofpoint:

    • ProofpointCompiledNormalizer (for general Proofpoint logs)

    • ProofpointTAPCompiledNormalizer (for Targeted Attack Protection logs)

  • Click Submit.

Configuring a Processing Policy for Proofpoint

1. Create processing policy

  • Go to Settings >> Configuration from the navigation bar and click Processing Policies.

  • Click Add.

  • Enter a Policy Name.

2. Attach policies

  • Select the previously created normalization policy.

  • Select the Enrichment Policy.

  • Select the Routing Policy.

  • Click Submit.

Adding Proofpoint as a Device in Logpoint

1. Add device

  • Go to Settings >> Configuration from the navigation bar and click Devices.

  • Click Add.

  • Enter a device Name.

  • Enter the Proofpoint server IP address(es).

  • Select the Device Groups.

2. Configure collection

  • Select an appropriate Log Collection Policy for the logs.

  • Select a collector or a forwarder from the Distributed Collector drop-down.

Note: Selecting the Device Groups, the Log Collection Policy and the Distributed Collector is optional.

3. Final device settings

  • Select a Time Zone. The time zone of the device must match the time zone of its log source, otherwise event timestamps will be shifted.

  • Configure the Risk Values for Confidentiality, Integrity and Availability used to calculate the risk levels of the alerts generated from the device.

  • Click Submit.

Configuring the Syslog Collector for Proofpoint

1. Add collector

  • Go to Settings >> Configuration from the navigation bar and click Devices.

  • Click the Add collectors/fetchers icon under Actions of the previously added device.

  • Click Syslog Collector.

Note: You can select a different collector depending on your requirements and added device. To learn more about available collectors, refer to the collectors documentation. If you require assistance, contact our support team.

2. Collector settings

  • Select Syslog Parser as Parser.

  • Select the previously created Processing Policy.

  • Select the Charset. It must match the encoding the Proofpoint server uses when it sends syslog, or non-ASCII characters in subjects and sender names will be garbled.

  • In Proxy Server, select None (or configure proxy settings if needed).

  • Click Submit.


Verify Ingestion

Check Log Ingestion

Use the following query to verify Proofpoint logs are being ingested:

Or search by specific normalizer:

Verify Data Flow

  • Check Syslog Collector Status: Ensure the Proofpoint collector is running without errors.

  • Monitor Log Volume: Verify expected log volumes are being processed.

  • Validate Normalization: Confirm logs are correctly parsed and normalized using the ProofpointCompiledNormalizer or ProofpointTAPCompiledNormalizer.

  • Test Dashboards: Access Proofpoint dashboards to verify data visualization.
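To confirm that the Syslog Collector configured above accepts and attributes traffic before real Proofpoint logs arrive, the script below builds an RFC 3164 (BSD) syslog line, encodes it with the Charset chosen in the collector settings and sends it over UDP. This is an added example, not Logpoint's or Proofpoint's code; the host name, port 514, the `utf-8` charset and the message body are assumptions or constructed values, and the body is not a real Proofpoint record.

```python
import socket
from datetime import datetime

# Assumed values: replace with your Logpoint collector address and the
# port the Syslog Collector listens on (514/UDP is a common default).
LOGPOINT_HOST = "logpoint.example.internal"
LOGPOINT_PORT = 514
# Must match the Charset selected in the Syslog Collector settings.
CHARSET = "utf-8"


def syslog_priority(facility: int, severity: int) -> int:
    """RFC 3164 PRI value: facility * 8 + severity (mail=2, info=6 -> 22)."""
    return facility * 8 + severity


def build_syslog_message(hostname: str, tag: str, body: str, when_iso: str,
                         facility: int = 2, severity: int = 6) -> bytes:
    """Build a BSD syslog line such as '<22>Jan  5 10:03:11 host tag: body'.

    when_iso is an ISO 8601 timestamp; the day is space-padded to two
    characters as RFC 3164 requires. The result is encoded with CHARSET.
    """
    when = datetime.fromisoformat(when_iso)
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    line = f"<{syslog_priority(facility, severity)}>{stamp} {hostname} {tag}: {body}"
    return line.encode(CHARSET)


def send_test_message(payload: bytes, host: str = LOGPOINT_HOST,
                      port: int = LOGPOINT_PORT) -> int:
    """Send one datagram to the collector; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


if __name__ == "__main__":
    # Constructed body: only proves the collector path works, it will not
    # normalize as a Proofpoint event.
    body = "constructed ingestion check for the Proofpoint device"
    msg = build_syslog_message("pps-test", "proofpoint_test", body,
                               datetime.now().isoformat(timespec="seconds"))
    print("sending:", msg.decode(CHARSET))
    send_test_message(msg)
```

Run it from a host whose IP address is one of those entered on the Proofpoint device, because the collector attributes incoming syslog to a device by source IP; a message from any other address will not appear under that device when you check the collector status and log volume.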
