Websense - Web Security Gateway - SYSLOG parsing rules

Dear community,

The default parsing rules available within the SIEM (up to 9.4.2) are outdated and may not work in all environments.

We have created custom ones to fit our needs (Websense 7.7.3), so just sharing here the details in case it can help someone else.

1. New custom fields

The following custom fields (types) have been created to store some information dedicated to Websense (so not using the default ones):

  •     WEBSENSE_Action, String, #1 (event custom field number),
  •     WEBSENSE_Appliance, IPv4, #2,
  •     WEBSENSE_Category, String, #7,
  •     WEBSENSE_ContentType, Random String, #23,
  •     WEBSENSE_DynCategory, Random String, #21,
  •     WEBSENSE_FileType, String, #10,
  •     WEBSENSE_Policy, String, #4,
  •     WEBSENSE_Protocol, String, #5,
  •     WEBSENSE_ScanReason, String, #22,
  •     WEBSENSE_UserAgent, String, #6.

2. Websense SYSLOG format string.

Websense has been configured to send SYSLOG data using the following format string:

<159>%<:%b %d %H:%M:%S> %<-sourceServer> vendor=Websense_TRITON action=%<dispositionNumber> action_summary=%<dispositionString> policy=%<_policyNames> category=%<categoryNumber> protocol=%<protocol> src_ip=%<source> src_port=%<clientSourcePort> dst_ip=%<destination> dst_port=%<port> dst_host=%<urlHost> url=%<url> file_type=%<fileTypeCode> file_name=%<fileName> bytes_out=%<bytesSent> bytes_in=%<bytesReceived> http_method=%<method> http_proxy_status_code=%<proxyStatusCode> http_content_type=%<_contentType> http_user_agent=%<_userAgent> scan_reason=%<scanReasonString> dynamic_category=%<-dynamicCategory> keyword=%<-keyword>

This corresponds to the following fields:

  • %<-sourceServer>: appliance IP address
  • vendor=Websense_TRITON: just a tag for the parsing rule
  • action=%<dispositionNumber>: action taken (permitted or blocked)
  • action_summary=%<dispositionString>: action detail (ID number, will be mapped in the ASP rule)
  • policy=%<_policyNames>: policy name
  • category=%<categoryNumber>: category ID (will be mapped in the ASP rule)
  • protocol=%<protocol>: protocol NAME, not ID...
  • src_ip=%<source>: source IP
  • src_port=%<clientSourcePort>: source PORT
  • dst_ip=%<destination>: destination IP
  • dst_port=%<port>: destination PORT
  • dst_host=%<urlHost>: domain (will be mapped to domain field)
  • url=%<url>: full URL
  • file_type=%<fileTypeCode>: file type ID (will be mapped in the ASP rule)
  • file_name=%<fileName>: file name (after the first /, and before any variable)
  • bytes_out=%<bytesSent>: bytes sent
  • bytes_in=%<bytesReceived>: bytes received
  • http_method=%<method>: method (GET, POST, etc)
  • http_proxy_status_code=%<proxyStatusCode>: status (200, 404, etc)
  • http_content_type=%<_contentType>: content type
  • http_user_agent=%<_userAgent>: user agent string
  • scan_reason=%<scanReasonString>: what has been detected by the content inspection process
  • dynamic_category=%<-dynamicCategory>: category ID (will be mapped in the ASP rule)
  • keyword=%<-keyword>: keyword

Please refer to the Websense SIEM integration document (attached, "websense_SIEM_codes_NEW.pdf") for further details.

3. New custom parsing rules

I have created 2 new rules (and deactivated the default ones). Thanks to the last upgrade to 9.4.2, the ASP size limit has been extended and it now works perfectly!

See attached file "WEBSENSE_RuleExport_2014_12_11_15_37_30.xml".


The rules contain the latest mappings for categories, dynamic categories, actions and file types.

  • The first one is triggered when action=blocked.
  • The second one when action=permitted.

Except for "method", "status code" and "keyword", all other fields are assigned to respective SIEM fields.
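As an added example (not code from the original post, nor from Websense or McAfee), the following Python parser handles the format string above. It splits the message just before each known key name rather than on whitespace, so a user-agent value containing spaces survives intact, and it maps each key onto the custom fields listed in section 1. The sample line, its IP addresses and its numeric codes are constructed.

```python
import re

# Keys in the order of the format string in the post. Values such as
# http_user_agent contain spaces, so the body is split just before the
# next *known* key rather than on whitespace.
KEYS = ["vendor", "action", "action_summary", "policy", "category", "protocol",
        "src_ip", "src_port", "dst_ip", "dst_port", "dst_host", "url", "file_type",
        "file_name", "bytes_out", "bytes_in", "http_method", "http_proxy_status_code",
        "http_content_type", "http_user_agent", "scan_reason", "dynamic_category",
        "keyword"]
# Syslog keys that the post stores in dedicated custom fields.
CUSTOM_FIELDS = {"action_summary": "WEBSENSE_Action", "category": "WEBSENSE_Category",
                 "http_content_type": "WEBSENSE_ContentType", "dynamic_category": "WEBSENSE_DynCategory",
                 "file_type": "WEBSENSE_FileType", "policy": "WEBSENSE_Policy",
                 "protocol": "WEBSENSE_Protocol", "scan_reason": "WEBSENSE_ScanReason",
                 "http_user_agent": "WEBSENSE_UserAgent"}
# <PRI>Mon DD HH:MM:SS appliance-ip, followed by the key=value body.
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
                       r"(?P<appliance>\S+) (?P<body>.*)$")
SPLIT_RE = re.compile(r" (?=(?:%s)=)" % "|".join(re.escape(k) for k in KEYS))

def parse_websense_syslog(line):
    """Return a dict of SIEM fields for one line, or None if it is not a Websense event."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {"priority": int(m.group("pri")), "timestamp": m.group("ts"),
             "WEBSENSE_Appliance": m.group("appliance")}
    for token in SPLIT_RE.split(m.group("body")):
        key, sep, value = token.partition("=")   # partition keeps '=' inside URLs
        if not sep or key not in KEYS:
            return None                          # unexpected token: leave line unparsed
        event[CUSTOM_FIELDS.get(key, key)] = value
    # The vendor tag is what selects the Websense rule; anything else is not ours.
    return event if event.get("vendor") == "Websense_TRITON" else None

# Constructed sample line (not a real capture); the user-agent value contains spaces.
SAMPLE = ("<159>Dec 11 15:37:30 192.0.2.10 vendor=Websense_TRITON action=blocked action_summary=1015 "
          "policy=Default category=76 protocol=HTTP src_ip=10.1.2.3 src_port=51234 "
          "dst_ip=198.51.100.7 dst_port=80 dst_host=example.com url=http://example.com/dl/a.exe?x=1 "
          "file_type=3 file_name=a.exe bytes_out=512 bytes_in=20480 http_method=GET "
          "http_proxy_status_code=200 http_content_type=application/octet-stream "
          "http_user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64) scan_reason=- "
          "dynamic_category=- keyword=-")

if __name__ == "__main__":
    for k, v in parse_websense_syslog(SAMPLE).items():
        print(f"{k}: {v}")
```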

4 Replies

Re: Websense - Web Security Gateway - SYSLOG parsing rules

Nice initiative, sharing such information with the community.

Thank you!


Re: Websense - Web Security Gateway - SYSLOG parsing rules

Thank you, it is very useful to share, and we appreciate you sharing your experience with us.


Re: Websense - Web Security Gateway - SYSLOG parsing rules

Have you considered configuring Websense to use CEF? It makes parsing their logs fairly easy.

Cheers


Re: Websense - Web Security Gateway - SYSLOG parsing rules

Hi Rhinomike,

I didn't find it complicated 🙂

But anyway, I'm not using these rules anymore... I've found Websense TRITON is not able to send SYSLOG events for any access done via their cloud, so it becomes a bit useless to only have logs for internal traffic.

Therefore I have created a custom Python script that queries the Websense MSSQL DB directly, and sends SYSLOG events to the collector.

--

Julien
