elastic · sharadcrest · Dec 9, 2025 · Dec 9, 2025
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -231,6 +231,7 @@
 /packages/first_epss @elastic/security-service-integrations
 /packages/fleet_server @elastic/fleet
 /packages/forcepoint_web @elastic/security-service-integrations
+/packages/forescout @elastic/security-service-integrations
 /packages/forgerock @elastic/security-service-integrations
 /packages/fortinet_forticlient @elastic/integration-experience
 /packages/fortinet_fortiedr @elastic/integration-experience

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: [email protected]
@@ -0,0 +1,95 @@
+# Forescout Integration for Elastic
+
+## Overview
+[Forescout](https://www.forescout.com) is a leading device visibility and control platform that enables organizations to continuously identify, classify, and enforce security policies across all connected devices. It provides real-time visibility into IT, IoT, OT, and unmanaged devices across enterprise networks.
+
+The Forescout integration for Elastic allows you to collect event data using the TCP and UDP, then visualize the data in Kibana.
+
+### Compatibility
+The Forescout integration is tested with product version **8.5.2**.
+
+### How it works
+This integration receives real-time syslog events sent by the Forescout platform over TCP and UDP.
+
+The Elastic Agent listens on the configured network port, ingests the incoming syslog messages, and processes them using ingest pipelines to parse, normalize, and map the events to Elastic Common Schema (ECS).
+
+## What data does this integration collect?
+This integration collects log messages of the following type:
+
+- `event`: collect event messages forwarded by the [syslog plugin](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.How-to-Work-with-the-Syslog-Plugin.html) from Forescout platform. These events are categorized into following groups:
+    - **NAC Events**: These event messages contain information on all policy event logs.
+    - **Threat Protection**: These event messages contain information on intrusion-related activity, including bite events, scan events, lockdown events and manual events.
+    - **System Logs and Events**: These event messages contain information about the Forescout platform system events.
+    - **User Operations**: These event messages are generated when a user operation takes place, and they are included in the Audit Trail.
+    - **Operating System Messages**: These event messages are generated by the operating system.
+
+### Supported use cases
+Integrating Forescout with Elastic SIEM delivers centralized, real-time visibility into network access control, device posture, and security enforcement across IT, IoT, and OT environments by transforming Forescout’s device intelligence and policy enforcement events into actionable SIEM data. Dedicated Kibana dashboards provide detailed breakdowns by severity, facility, priority, hosts, and applications, enabling rapid triage and effective risk assessment, while time-based visualizations such as Events over Time by Priority reveal trends and abnormal spikes in access or security activity to support proactive threat detection. Together, these insights strengthen threat hunting, accelerate incident response, streamline SOC workflows, and enhance continuous network compliance and security posture management within a unified Elastic environment.
+
+## What do I need to use this integration?
+### From Elastic
+- Elastic Agent installed on a host that is reachable by the Forescout syslog sender
+- Ensure the required TCP/UDP ports are open to receive data.
+
+### From Forescout
+
+[Configure the syslog plugin](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Configure-the-Syslog-Plugin.html) in Forescout to continuously send the event message over either TCP or UDP.
+
+## How do I deploy this integration?
+
+### Agent-based deployment
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+## Setup
+1. In the top search bar in Kibana, search for **Integrations**.
+2. In the search bar, type **Forescout**.
+3. Select the **Forescout** integration from the search results.
+4. Select **Add Forescout** to add the integration.
+5. Enable and configure only the collection methods which you will use.
+
+    * To **Collect Forescout events via syslog**, you'll need to:
+
+        - Configure **Listen Address**, **Listen Port**.
+        - Additionally, **Timezone**, **Custom TCP/UDP options** and **tags** can be provided.
+
+6. Select **Save and continue** to save the integration.
+
+> **Note**: The configured timezone is added to the `event.timezone` field for each event and is used to accurately build the `@timestamp` for syslog messages that lack a year value. The default is UTC, and if no value is provided, the system timezone of the Elastic Agent host is used.
+
+### Validation
+#### Dashboards populated
+
+1. In the top search bar in Kibana, search for **Dashboards**.
+2. In the search bar, type **Forescout**.
+3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated.
+
+## Troubleshooting
+
+For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems).
+
+A known data-corruption issue affects the TCP input in Elastic Stack versions 9.2.0 and 9.2.1, so these releases should be avoided for TCP-based data collection.
+
+## Scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### ECS field reference
+
+#### Event
+{{fields "event"}}
+
+### Example event
+
+#### Event
+{{event "event"}}
+
+
+### Inputs used
+These inputs are used in this integration:
+- [TCP](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-tcp)
+- [UDP](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-udp)
@@ -0,0 +1,12 @@
+version: '2.3'
+services:
+  forescout-event-tcp:
+    image: docker.elastic.co/observability/stream:v0.20.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9532 -p=tcp /sample_logs/forescout-event.log
+  forescout-event-udp:
+    image: docker.elastic.co/observability/stream:v0.20.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9533 -p=udp /sample_logs/forescout-event.log
@@ -0,0 +1,17 @@
+<85>Nov 22 18:31:08 azure-app01 sudo: _fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status
+<86>Nov 22 18:31:11 azure-app01 sshd[27818]: Accepted publickey for root from 1.128.0.1 port 46124 ssh2: RSA SHA256:WokXPUll0YJnJwbfeK1xYfYR+DaVN2RVFEyK6lMW78c
+<38>Nov 22 18:31:11 azure-app01 systemd-logind: New session 14909 of user root.
+<86>Nov 22 18:31:11 azure-app01 sshd[27818]: pam_unix(sshd:session): session opened for user root by (uid=0)
+<85>Nov 22 18:31:12 azure-app01 sudo: _fsservice : TTY=pts/0 ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool model
+<86>Nov 22 18:31:13 azure-app01 sshd[27818]: Received disconnect from 1.128.0.0 port 46124:11: disconnected by user
+<85>Nov 22 18:31:13 azure-app01 sudo: _fsservice : TTY=pts/0 ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool serial
+<166>Nov 22 18:32:50 azure-app01 Forescout[2819]: Uptime 2234274 seconds
+<86>Nov 22 18:36:13 azure-app01 sshd[2965]: pam_unix(sshd:session): session closed for user root
+<38>Nov 22 18:36:13 azure-app01 systemd-logind: Removed session 14910.
+<30>Nov 22 18:36:13 azure-app01 systemd: Removed slice User Slice of root.
+<85>Nov 22 18:37:00 azure-em sudo: _fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool lsif
+<85>Nov 22 18:37:26 azure-em sudo: _fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status
+<85>Nov 22 18:37:26 azure-em sudo: _fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool netflowtool netflow_init_softflow
+<30>Nov 22 18:40:01 azure-em systemd: Created slice User Slice of root.
+<38>Nov 22 18:41:13 azure-app01 systemd-logind: Removed session 14913.
+<30>Nov 22 18:41:13 azure-app01 systemd: Removed slice User Slice of root.
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: '0.1.0'
+  changes:
+    - description: Initial release.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16426
@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_duplicate_custom_fields
@@ -0,0 +1,14 @@
+_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool netflowtool netflow_init_softflow
+_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool lsif
+Accepted publickey for root from 172.20.10.101 port 46018 ssh2: RSA SHA256:WokXPUll0YJnJwbAFK1xYfYR+DaVN2RVFEyK6lMW78c
+Created slice User Slice of root.
+New session 14906 of user root.
+pam_unix(sshd:session): session opened for user root by (uid=0)
+Received disconnect from 172.20.10.101 port 46018:11: disconnected by user
+_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool netflowtool netflow_init_softflow
+_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status
+_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool cysiv-health-monitoring stats
+Started Session 35384 of user root.
+(root) CMD (/usr/lib64/sa/sa1 1 1)
+_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool cysiv-health-monitoring 5 172.20.10.101:0,172.20.10.102:6440432280227338598 \
+_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool lsif