The default parsing rules available within the SIEM (up to 9.4.2) are outdated and may not work in all environments.
We have created custom ones to fit our needs (Websense 7.7.3), so I'm just sharing the details here in case it can help someone else.
1. New custom fields
The following custom fields (types) have been created to store some information dedicated to Websense (so not using the default ones):
2. Websense SYSLOG format string
Websense has been configured to send SYSLOG data using the following format string:
<159>%<:%b %d %H:%M:%S> %<-sourceServer> vendor=Websense_TRITON action=%<dispositionNumber> action_summary=%<dispositionString> policy=%<_policyNames> category=%<categoryNumber> protocol=%<protocol> src_ip=%<source> src_port=%<clientSourcePort> dst_ip=%<destination> dst_port=%<port> dst_host=%<urlHost> url=%<url> file_type=%<fileTypeCode> file_name=%<fileName> bytes_out=%<bytesSent> bytes_in=%<bytesReceived> http_method=%<method> http_proxy_status_code=%<proxyStatusCode> http_content_type=%<_contentType> http_user_agent=%<_userAgent> scan_reason=%<scanReasonString> dynamic_category=%<-dynamicCategory> keyword=%<-keyword>
This corresponds to the following fields:
Please refer to the Websense SIEM integration document (attached, "websense_SIEM_codes_NEW.pdf") for further details.
3. New custom parsing rules
I have created 2 new rules (and deactivated the default ones). Thanks to the last upgrade to 9.4.2, the ASP size limit has been extended and it now works perfectly!
See attached file "WEBSENSE_RuleExport_2014_12_11_15_37_30.xml".
The rules contain the latest mappings for categories, dynamic categories, actions and file types.
Except for "method", "status code" and "keyword", all other fields are assigned to respective SIEM fields.
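As an added example that is not part of the original post or of the attached rule export, here is a small Python parser for the SYSLOG format string shown above. It decodes the `<159>` priority into facility/severity, splits the `%<:%b %d %H:%M:%S>` timestamp and `%<-sourceServer>` host from the `key=value` body, and then extracts each field. The point worth noting for anyone writing their own parsing rule: Websense does not quote values, so fields such as `http_user_agent`, `url`, `file_name` and `action_summary` can contain spaces, and the `%<-...>` fields may be empty. Splitting on whitespace therefore breaks; the parser instead ends each value where the next known key begins. The sample line, its hostname and all its numeric codes are constructed placeholders, not real Websense disposition or category numbers.

```python
import re
from typing import Any, Dict, Tuple

# Field keys in the order they appear in the Websense format string on this page.
WEBSENSE_KEYS = [
    "vendor", "action", "action_summary", "policy", "category", "protocol",
    "src_ip", "src_port", "dst_ip", "dst_port", "dst_host", "url",
    "file_type", "file_name", "bytes_out", "bytes_in", "http_method",
    "http_proxy_status_code", "http_content_type", "http_user_agent",
    "scan_reason", "dynamic_category", "keyword",
]

# Keys whose values are numeric and can safely be converted to int.
NUMERIC_KEYS = (
    "action", "category", "src_port", "dst_port",
    "bytes_out", "bytes_in", "http_proxy_status_code",
)

# Header: "<PRI>" + "%b %d %H:%M:%S" + " " + sourceServer + " " + body.
# The day may be space- or zero-padded, so accept either.
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<body>.*)$"
)

# A value runs (lazily) until " <known-key>=" or end of line, because the
# values are unquoted and may themselves contain spaces.
_KEY_ALT = "|".join(re.escape(k) for k in WEBSENSE_KEYS)
_KV_RE = re.compile(rf"(?P<key>{_KEY_ALT})=(?P<val>.*?)(?= (?:{_KEY_ALT})=|$)")


def parse_pri(pri: int) -> Tuple[int, int]:
    """Split a syslog PRI value into (facility, severity)."""
    return pri // 8, pri % 8


def parse_websense_syslog(line: str) -> Dict[str, Any]:
    """Parse one line in the Websense format string into a flat dict."""
    m = _HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("line does not match the Websense syslog header")
    facility, severity = parse_pri(int(m.group("pri")))
    event: Dict[str, Any] = {
        "facility": facility,
        "severity": severity,
        "timestamp": m.group("ts"),
        "source_server": m.group("host"),
    }
    for kv in _KV_RE.finditer(m.group("body")):
        event[kv.group("key")] = kv.group("val")  # may be "" for %<-...> fields
    for key in NUMERIC_KEYS:
        value = event.get(key, "")
        if value.isdigit():
            event[key] = int(value)
    return event


# Constructed sample line: hostname, IPs and all numeric codes are placeholders.
SAMPLE_LINE = (
    "<159>Dec 11 15:37:30 proxy01 vendor=Websense_TRITON action=1 "
    "action_summary=Category Blocked policy=Default category=42 protocol=HTTP "
    "src_ip=10.0.0.5 src_port=51234 dst_ip=203.0.113.10 dst_port=80 "
    "dst_host=www.example.com url=http://www.example.com/index.html "
    "file_type=0 file_name= bytes_out=512 bytes_in=0 http_method=GET "
    "http_proxy_status_code=403 http_content_type=text/html "
    "http_user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64) "
    "scan_reason= dynamic_category= keyword="
)

if __name__ == "__main__":
    for k, v in parse_websense_syslog(SAMPLE_LINE).items():
        print(f"{k:24s} {v!r}")
```

Running the block prints every parsed field; the user agent and action summary come out intact despite their embedded spaces, and the three trailing optional fields come out as empty strings rather than being swallowed into the previous value.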
I didn't find it complicated :-)
But anyway, I'm not using these rules anymore... I've found Websense TRITON is not able to send SYSLOG events for any access done via their cloud, so it becomes a bit useless to only have logs for internal traffic.
Therefore I have created a custom Python script that queries the Websense MSSQL DB directly and sends SYSLOG events to the collector.