Websense - Web Security Gateway - SYSLOG parsing rules

Dear community,

The default parsing rules available within the SIEM (up to 9.4.2) are outdated and may not work in all environments.

We have created custom ones to fit our needs (Websense 7.7.3), so just sharing here the details in case it can help someone else.

1. New custom fields

The following custom fields (types) have been created to store some information dedicated to Websense (so not using the default ones):

  •     WEBSENSE_Action, String, #1 (event custom field number),
  •     WEBSENSE_Appliance, IPv4, #2,
  •     WEBSENSE_Category, String, #7,
  •     WEBSENSE_ContentType, Random String, #23,
  •     WEBSENSE_DynCategory, Random String, #21,
  •     WEBSENSE_FileType, String, #10,
  •     WEBSENSE_Policy, String, #4,
  •     WEBSENSE_Protocol, String, #5,
  •     WEBSENSE_ScanReason, String, #22,
  •     WEBSENSE_UserAgent, String, #6.

2. Websense SYSLOG format string.

Websense has been configured to send SYSLOG data using the following format string:

<159>%<:%b %d %H:%M:%S> %<-sourceServer> vendor=Websense_TRITON action=%<dispositionNumber> action_summary=%<dispositionString> policy=%<_policyNames> category=%<categoryNumber> protocol=%<protocol> src_ip=%<source> src_port=%<clientSourcePort> dst_ip=%<destination> dst_port=%<port> dst_host=%<urlHost> url=%<url> file_type=%<fileTypeCode> file_name=%<fileName> bytes_out=%<bytesSent> bytes_in=%<bytesReceived> http_method=%<method> http_proxy_status_code=%<proxyStatusCode> http_content_type=%<_contentType> http_user_agent=%<_userAgent> scan_reason=%<scanReasonString> dynamic_category=%<-dynamicCategory> keyword=%<-keyword>

This corresponds to the following fields:

  • %<-sourceServer>: appliance IP address
  • vendor=Websense_TRITON: just a tag for the parsing rule
  • action=%<dispositionNumber>: action taken (permitted or blocked)
  • action_summary=%<dispositionString>: action detail (ID number, will be mapped in the ASP rule)
  • policy=%<_policyNames>: policy name
  • category=%<categoryNumber>: category ID (will be mapped in the ASP rule)
  • protocol=%<protocol>: protocol NAME, not ID...
  • src_ip=%<source>: source IP
  • src_port=%<clientSourcePort>: source PORT
  • dst_ip=%<destination>: destination IP
  • dst_port=%<port>: destination PORT
  • dst_host=%<urlHost>: domain (will be mapped to domain field)
  • url=%<url>: full URL
  • file_type=%<fileTypeCode>: file type ID (will be mapped in the ASP rule)
  • file_name=%<fileName>: file name (after the first /, and before any variable)
  • bytes_out=%<bytesSent>: bytes sent
  • bytes_in=%<bytesReceived>: bytes received
  • http_method=%<method>: method (GET, POST, etc)
  • http_proxy_status_code=%<proxyStatusCode>: status (200, 404, etc)
  • http_content_type=%<_contentType>: content type
  • http_user_agent=%<_userAgent>: user agent string
  • scan_reason=%<scanReasonString>: what has been detected by the content inspection process
  • dynamic_category=%<-dynamicCategory>: category ID (will be mapped in the ASP rule)
  • keyword=%<-keyword>: keyword

Please refer to the Websense SIEM integration document (attached, "websense_SIEM_codes_NEW.pdf") for further details.

3. New custom parsing rules

I have created 2 new rules (and deactivated the default ones). Thanks to the last upgrade to 9.4.2, the ASP size limit has been extended and it now works perfectly!

See attached file "WEBSENSE_RuleExport_2014_12_11_15_37_30.xml".

The rules contain the latest mappings for categories, dynamic categories, actions and file types.

  • The first one is triggered when action=blocked.
  • The second one when action=permitted.

Except for "method", "status code" and "keyword", all other fields are assigned to respective SIEM fields.
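The format string above is a plain key=value line, but several values (policy names, user agents, the action summary) contain spaces, so a whitespace split mangles them. The parser below is an added example, not code from this thread, from the SIEM's ASP rules, or from Websense: it splits on the next known key from the format string instead of on whitespace, decodes the `<159>` PRI into facility and severity, converts the numeric fields, and records which fields were absent. The sample line, the `WEBSENSE_*` mapping to the custom fields from section 1 (plus `dst_host` to `domain`), and the `url_file_name` check are all assumptions; the action, category and file-type values in the sample are constructed placeholders, not real Websense codes, and the code-to-name tables from the vendor PDF are not reproduced here.

```python
"""Parser for the Websense TRITON syslog format string from this thread.

Added example; not part of the original post, the SIEM rules or Websense.
Assumes the exact key order of the format string and that values may
contain spaces, so pairs are split on the *next known key*.
"""
import re
from typing import Any, Dict
from urllib.parse import urlsplit

# Keys in the order they appear in the configured format string.
FIELDS = [
    "vendor", "action", "action_summary", "policy", "category", "protocol",
    "src_ip", "src_port", "dst_ip", "dst_port", "dst_host", "url",
    "file_type", "file_name", "bytes_out", "bytes_in", "http_method",
    "http_proxy_status_code", "http_content_type", "http_user_agent",
    "scan_reason", "dynamic_category", "keyword",
]
INT_FIELDS = {"src_port", "dst_port", "bytes_out", "bytes_in",
              "http_proxy_status_code"}

# Assumed mapping onto the custom fields listed in section 1 (+ domain).
SIEM_MAP = {
    "WEBSENSE_Action": "action", "WEBSENSE_Appliance": "appliance",
    "WEBSENSE_Category": "category", "WEBSENSE_ContentType": "http_content_type",
    "WEBSENSE_DynCategory": "dynamic_category", "WEBSENSE_FileType": "file_type",
    "WEBSENSE_Policy": "policy", "WEBSENSE_Protocol": "protocol",
    "WEBSENSE_ScanReason": "scan_reason", "WEBSENSE_UserAgent": "http_user_agent",
    "domain": "dst_host",
}

# <PRI>Mon DD HH:MM:SS <appliance> key=value key=value ...
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<appliance>\S+) (?P<body>.*)$"
)
# Longest keys first so "action_summary" is never matched as "action".
_KEY_ALT = "|".join(re.escape(k) for k in sorted(FIELDS, key=len, reverse=True))
# A value runs lazily until " <known key>=" or end of line. A value that
# itself contains " http_method=" would still be cut there; accepted.
PAIR_RE = re.compile(
    r"(?P<key>" + _KEY_ALT + r")=(?P<val>.*?)(?= (?:" + _KEY_ALT + r")=|$)"
)


def parse_websense_syslog(line: str) -> Dict[str, Any]:
    """Return one record per line, or raise ValueError on a foreign line."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a Websense syslog line: bad header")
    pri = int(m.group("pri"))
    rec: Dict[str, Any] = {
        "facility": pri // 8,  # <159> -> 19 (local3)
        "severity": pri % 8,   # <159> -> 7 (debug)
        "timestamp": m.group("ts"),
        "appliance": m.group("appliance"),
    }
    for pm in PAIR_RE.finditer(m.group("body")):
        key, val = pm.group("key"), pm.group("val")
        if key in INT_FIELDS:
            rec[key] = int(val) if val.isdigit() else None
        else:
            rec[key] = val  # empty string when the appliance sent nothing
    if rec.get("vendor") != "Websense_TRITON":
        raise ValueError("vendor tag missing; not the Websense format string")
    rec["missing"] = [k for k in FIELDS if k not in rec]
    return rec


def url_file_name(url: str) -> str:
    """Last path segment of the URL without the query string.
    Assumption: this is what the fileName field carries; used to
    sanity-check the file_name the appliance sent."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def to_siem_fields(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Assign parsed values to the assumed SIEM custom fields."""
    return {siem: rec.get(src) for siem, src in SIEM_MAP.items()}


# Constructed sample line; codes are placeholders, not real Websense IDs.
SAMPLE = (
    "<159>Dec 11 15:37:30 10.0.0.5 vendor=Websense_TRITON action=blocked "
    "action_summary=1234 policy=Default Policy category=76 protocol=HTTP "
    "src_ip=192.0.2.10 src_port=51234 dst_ip=198.51.100.20 dst_port=80 "
    "dst_host=example.com url=http://example.com/downloads/report.exe?session=abc "
    "file_type=12 file_name=report.exe bytes_out=512 bytes_in=0 http_method=GET "
    "http_proxy_status_code=403 http_content_type=text/html "
    "http_user_agent=Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0 "
    "scan_reason=- dynamic_category= keyword="
)

if __name__ == "__main__":
    record = parse_websense_syslog(SAMPLE)
    for k, v in record.items():
        print(f"{k:24s} {v!r}")
    print(to_siem_fields(record))
```

Because the split relies on the key order being exactly the one in the format string, any change to that string on the appliance must be mirrored in `FIELDS`; the `missing` list is the quickest way to notice such drift in the collector's output.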

4 Replies

Re: Websense - Web Security Gateway - SYSLOG parsing rules

Nice initiative sharing such information with the community.

Thank you !

Re: Websense - Web Security Gateway - SYSLOG parsing rules

Thank you, it is very useful, and we appreciate you sharing your experience with us.

Re: Websense - Web Security Gateway - SYSLOG parsing rules


Have you considered configuring the WebSense to use CEF ? It makes parsing their logs fairly easy.


Re: Websense - Web Security Gateway - SYSLOG parsing rules

Hi Rhinomike,

I didn't find it complicated 🙂

But anyway, I'm not using these rules anymore... I've found Websense TRITON is not able to send SYSLOG events for any access done via their cloud, so it becomes a bit useless to only have logs for internal traffic.

Therefore I have created a custom Python script that queries the Websense MSSQL DB directly, and sends SYSLOG events to the collector.
