Forescout Integration for Elastic

The Forescout is a leading device visibility and control platform that enables organizations to continuously identify, classify, and enforce security policies across all connected devices. It provides real-time visibility into IT, IoT, OT, and unmanaged devices across enterprise networks.

The Forescout integration for Elastic enables you to ingest host data from the Forescout eyeExtend Connect app and event data using TCP and UDP, then visualize it in Kibana.

The Forescout integration is compatible with Forescout product version 8.5.2 and the Elastic eyeExtend Connect app version 0.2.0.

This integration receives host data sent directly by the Forescout eyeExtend Connect app to Elastic, as well as real-time syslog events sent by the Forescout platform over TCP and UDP.

The Elastic Agent listens on the configured network port for syslog messages and receives host data from the eyeExtend Connect app. The integration processes the incoming data using ingest pipelines to parse, normalize, and map the information to Elastic Common Schema (ECS).

This integration collects log messages of the following type:

• host: Collect host information sent by the Forescout eyeExtend Connect app from the Forescout platform.
• event: collect event messages forwarded by the syslog plugin from Forescout platform. These events are categorized into following groups:
  • NAC Events: These event messages contain information on all policy event logs.
  • Threat Protection: These event messages contain information on intrusion-related activity, including bite events, scan events, lockdown events and manual events.
  • System Logs and Events: These event messages contain information about the Forescout platform system events.
  • User Operations: These event messages are generated when a user operation takes place, and they are included in the Audit Trail.
  • Operating System Messages: These event messages are generated by the operating system.

Integrating Forescout with Elastic SIEM delivers centralized, real-time visibility into network access control, device posture, and security enforcement across IT, IoT, and OT environments by transforming Forescout's device intelligence and policy enforcement events into actionable SIEM data.

For Host Data, the dashboard provides detailed breakdowns by compliance state and network segments, enabling rapid asset discovery and inventory management across managed and unmanaged devices.

For Events, the dashboard presents key metrics with breakdowns by Severity, Facility, Priority, Hosts, and Applications, helping analysts quickly triage security events and assess risk levels.

Time-based visualizations such as Events over Time by Priority reveal trends and atypical spikes in access or security activity, supporting proactive threat detection and continuous monitoring.

Interactive filtering controls allow analysts to drill down across hosts and events, supporting streamlined investigation, threat hunting, and accelerated incident response within a unified Elastic environment.

• Elastic Stack with ingest pipelines capability to process incoming host data.
• Elastic Agent installed on a host that is reachable by the Forescout syslog sender.
• Ensure the required TCP/UDP ports are open to receive data.

• Forescout eyeExtend Connect app configured to send host data to Elastic.
• Configure the syslog plugin in Forescout to continuously send the event message over either TCP or UDP.

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.

Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed using the integration's ingest pipelines.

This integration does not include a data collector for host data. Host data is sent directly by the Forescout eyeExtend Connect app to Elastic. The integration provides the necessary ingest pipelines and Kibana dashboards for processing and visualizing both host and event data.

1. In the top search bar in Kibana, search for Integrations.

2. In the search bar, type Forescout.

3. Select the Forescout integration from the search results.

4. Select Add Forescout to add the integration.

5. Enable and configure only the collection methods which you will use.

   • To Collect Forescout events using syslog, you'll need to:

     • Configure Listen Address, Listen Port.
     • Additionally, Timezone, Custom TCP/UDP options and tags can be provided.

6. Select Save and continue to save the integration.

1. In the top search bar in Kibana, search for Dashboards.
2. In the search bar, type Forescout.
3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated.

For help with Elastic ingest tools, check Common problems.

If host data is not appearing in Elastic, verify that the Forescout eyeExtend Connect app is properly configured to send data to your Elastic instance.

A known data-corruption issue affects the TCP input in Elastic Stack versions 9.2.0 and 9.2.1, so these releases should be avoided for TCP-based data collection.

For more information on architectures that can be used for scaling this integration, check the Ingest Architectures documentation.

{
    "@timestamp": "2026-11-22T18:31:08.000Z",
    "agent": {
        "ephemeral_id": "1d936cb6-f23d-4c04-b07f-ada119d549a5",
        "id": "a013286f-d805-4c6e-b5a3-aa506e415086",
        "name": "elastic-agent-95897",
        "type": "filebeat",
        "version": "8.18.0"
    },
    "data_stream": {
        "dataset": "forescout.event",
        "namespace": "61844",
        "type": "logs"
    },
    "ecs": {
        "version": "9.3.0"
    },
    "elastic_agent": {
        "id": "a013286f-d805-4c6e-b5a3-aa506e415086",
        "snapshot": false,
        "version": "8.18.0"
    },
    "event": {
        "agent_id_status": "verified",
        "dataset": "forescout.event",
        "ingested": "2026-04-03T10:15:37Z",
        "kind": "event",
        "original": "<85>Nov 22 18:31:08 azure-app01 sudo: _fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status"
    },
    "forescout": {
        "event": {
            "service": "_fsservice",
            "tty": "unknown"
        }
    },
    "input": {
        "type": "tcp"
    },
    "log": {
        "source": {
            "address": "192.168.241.3:37420"
        },
        "syslog": {
            "appname": "sudo",
            "facility": {
                "code": 10,
                "name": "security/authorization"
            },
            "hostname": "azure-app01",
            "priority": 85,
            "severity": {
                "code": 5,
                "name": "Notice"
            }
        }
    },
    "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status",
    "process": {
        "command_line": "/bin/fstool fw status",
        "user": {
            "name": "root"
        },
        "working_directory": "/usr/local/forescout"
    },
    "related": {
        "hosts": [
            "azure-app01"
        ],
        "user": [
            "root"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forescout-event",
        "forwarded"
    ],
    "user": {
        "name": "root"
    }
}
		

These inputs are used in this integration:

• TCP
• UDP
• Forescout eyeExtend Connect Plugin

This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.

← →

×

×