Former Member
Message 1 of 4

websense syslog

Hi,

Is there a way to get Websense logs using syslog? The default way is to use the MSSQL DB of Websense, but is there any way to use syslog?

Syslog messages are being sent to us and I have configured it like:

websense_siem_syslog.png

But I get the following logs, which are not parsed:

websense2.png

3 Replies
artek
Level 11
Message 2 of 4

Re: websense syslog

Hi Omerfsen,

Lately I had a similar problem with the ISA logs prepared by a customer: they were not recognized because the format of those events was different from the format expected by the ESM.

If you do not know what is wrong, you can try to see what is wrong in the Websense policy rules in the following way:

1. Create the Data Source in the ESM.

2. Choose the configured Data Source in the devices tree (Physical Display).

3. Go to the Policy Editor:

ESM11.PNG

4. Copy and paste the Websense ASP rules and...

ESM12.PNG

5. Try to understand the regex and, eventually, modify it.

6. Remember that you can also paste sample logs.

ESM13.PNG

7. And remember the web page http://gskinner.com/RegExr/, where you can try to write a working regex.

Regards,

Artur Sadownik

Former Member
Message 3 of 4

Re: websense syslog

Hi,

It seems the log format is completely different. Websense Web Security v7.7:

<159>Feb 26 09:21:31 10.10.11.221 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=76 user=LDAP://10.10.AA.BB OU=PIMIM_,OU=Internal,DC=aaa,DC=com,DC=tr/Test USer src_host=10.10.XX.YY src_port=57233 dst_host=www.google.com.tr dst_ip=173.194.39.215 dst_port=80 bytes_out=688 bytes_in=14265 http_response=200 http_method=GET http_content_type=text/javascript;_charset=UTF-8 http_user_agent=Mozilla/4.0_(compatible;_MSIE_8.0;_Windows_NT_6.1;_Trident/4.0;_SLCC2;_.NET_CLR_2.0.50727;_.NET_CLR_3.5.30729;_.NET_CLR_3.0.30729;_Media_Center_PC_6.0;_CMDTDF;_.NET4.0C;_.NET4.0E;_Tablet_PC_2.0) http_proxy_status_code=200 reason=- disposition=1026 policy=role-8**MKK_Policy role=8 duration=0 url=http://www.google.com.tr/extern_chrome/99da7e061854e9d7.js?bav=on.2,or.r_gc.r_pw.r_qf.

And using Syslog Autolearn this is recognized as a Zenprise SMG Event, but it clearly is not.

Rule Name: Zenprise_SMG Event

Signature ID: 1036170

Normalization Name: User Account

Signature: any any any -> any any (msg:"Zenprise_SMG Event";content:"="; fmt@firsttime:"%b%t%d%t%H:%M:%S"; fmt@lasttime:"%b%t%d%t%H:%M:%S"; map@action:"allow"="1","deny"="2"; pcre:"(\w+\s+\d{2}\s+(?:\d{2}\x3a){2}\d{2})\s+((?:\d{1,3}\x2e){3}\d{1,3})"; pcre:"agent\x3d(\S+)"; pcre:"host\x3d(\S+)"; pcre:"action\x3d(\S+)"; pcre:"user\x3d([^\x5c]+)\x5c\S+"; pcre:"user\x3d[^\x5c]+\x5c(\S+)"; pcre:"deviceid\x3d(\S+)"; pcre:"cmd\x3d(\S+)"; pcre:"cmd\x3d(\S+)"; pcre:"group\x3d(\S+)"; pcre:"ip\x3d((?:\d{1,3}\x2e){3}\d{1,3})"; raw; var:User_Agent.User_Agent=${2:1}; var:firsttime=${1:1}; var:lasttime=${1:2}; var:hostname=${3:1}; var:action=${4:1}; var:domainname=${5:1}; var:src_username=${6:1}; var:objectname=${7:1}; var:commandname=${8:1}; var:sigdesc=${9:1}; var:application=${10:1}; var:src_ip=${11:1}; adsid:430; sid:612081505; norm:0; severity:0; )

and now I think I must open a ticket for a new ASP rule.
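As an added example (not code from this thread, nor from McAfee or Websense), here is a small Python parser for the Websense 7.7 syslog/key-value line posted above, together with a check of which of the quoted Zenprise_SMG rule's pcre patterns happen to match it. It assumes the field names seen in the sample line are the complete key set and shortens the User-Agent value. Two things it shows: the user= value contains spaces and OU=/DC= tokens, so a parser must split only in front of known keys, and the Zenprise rule fires on substrings such as agent=, host= and ip= that occur inside Websense field names, which is why Autolearn picks it.

```python
import re

# Constructed sample: the Websense Web Security 7.7 key-value syslog line from
# the thread, with the long User-Agent value shortened (assumption: the format
# is otherwise unchanged).
SAMPLE = (
    "<159>Feb 26 09:21:31 10.10.11.221 vendor=Websense product=Security "
    "product_version=7.7.0 action=permitted severity=1 category=76 "
    "user=LDAP://10.10.AA.BB OU=PIMIM_,OU=Internal,DC=aaa,DC=com,DC=tr/Test USer "
    "src_host=10.10.XX.YY src_port=57233 dst_host=www.google.com.tr "
    "dst_ip=173.194.39.215 dst_port=80 bytes_out=688 bytes_in=14265 "
    "http_response=200 http_method=GET "
    "http_content_type=text/javascript;_charset=UTF-8 "
    "http_user_agent=Mozilla/4.0_(compatible;_MSIE_8.0;_Windows_NT_6.1) "
    "http_proxy_status_code=200 reason=- disposition=1026 "
    "policy=role-8**MKK_Policy role=8 duration=0 "
    "url=http://www.google.com.tr/extern_chrome/99da7e061854e9d7.js?bav=on.2,or.r_gc.r_pw.r_qf."
)

# Key set taken from the sample line (assumed complete). Only these names are
# treated as keys, so the OU=/DC= tokens inside the LDAP user DN stay part of
# the user value instead of being split off as fields.
WEBSENSE_KEYS = (
    "vendor", "product", "product_version", "action", "severity", "category",
    "user", "src_host", "src_port", "dst_host", "dst_ip", "dst_port",
    "bytes_out", "bytes_in", "http_response", "http_method",
    "http_content_type", "http_user_agent", "http_proxy_status_code",
    "reason", "disposition", "policy", "role", "duration", "url",
)

# Syslog prefix: <PRI>Mon DD HH:MM:SS relay-address body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<relay>\S+)\s+(?P<body>.*)$",
    re.S,
)

# Split the body only on whitespace that is followed by a known key and "=".
# Longest names first so "product" cannot match the start of "product_version".
SPLIT_RE = re.compile(
    r"\s+(?=(?:" + "|".join(sorted(WEBSENSE_KEYS, key=len, reverse=True)) + r")=)"
)


def parse_websense_kv(line):
    """Return syslog header fields plus every Websense key=value pair."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("no <PRI>timestamp relay prefix")
    pri = int(m.group("pri"))
    fields = {
        "syslog_facility": pri >> 3,   # 159 -> 19 (local3)
        "syslog_severity": pri & 7,    # 159 -> 7 (debug); not Websense's severity=
        "timestamp": m.group("ts"),
        "relay": m.group("relay"),
    }
    for token in SPLIT_RE.split(m.group("body")):
        key, sep, value = token.partition("=")
        if not sep or key not in WEBSENSE_KEYS:
            raise ValueError("unexpected token: %r" % token)
        fields[key] = value
    return fields


# The pcre patterns from the Zenprise_SMG rule quoted in the thread
# (\x3d is "=", \x3a is ":", \x2e is ".", \x5c is "\"); Python's re accepts
# the same escapes.
ZENPRISE_PCRES = {
    "header": r"(\w+\s+\d{2}\s+(?:\d{2}\x3a){2}\d{2})\s+((?:\d{1,3}\x2e){3}\d{1,3})",
    "agent": r"agent\x3d(\S+)",
    "host": r"host\x3d(\S+)",
    "action": r"action\x3d(\S+)",
    "user_domain": r"user\x3d([^\x5c]+)\x5c\S+",
    "deviceid": r"deviceid\x3d(\S+)",
    "cmd": r"cmd\x3d(\S+)",
    "group": r"group\x3d(\S+)",
    "ip": r"ip\x3d((?:\d{1,3}\x2e){3}\d{1,3})",
}


def zenprise_pcre_hits(line):
    """Map each Zenprise pattern name to whether it matches the line, i.e.
    whether the rule would populate that variable from a Websense event."""
    return {name: re.search(pat, line) is not None
            for name, pat in ZENPRISE_PCRES.items()}


if __name__ == "__main__":
    for key, value in parse_websense_kv(SAMPLE).items():
        print("%-24s %s" % (key, value))
    print(zenprise_pcre_hits(SAMPLE))
```

Running it prints the parsed fields, with the full DN kept in user=, and shows that header, agent, host, action and ip from the Zenprise rule all match (the last three only because "src_host=", "http_user_agent=" and "dst_ip=" contain those substrings), while user_domain, deviceid, cmd and group do not. A rule that anchors its keys with a leading space or `\b` and uses the Websense field names would not cross-match this way.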

Former Member
Message 4 of 4

Re: websense syslog

And from the Websense product documentation (it seems QRadar and ArcSight are supported natively):

Enabling and configuring SIEM integration

After you install or enable Websense Multiplexer, log on to TRITON - Web Security to activate and configure SIEM integration.

Perform this procedure for each Policy Server instance in your deployment.

1. Navigate to Settings > General > SIEM Integration and select Enable SIEM integration for this Policy Server.

2. Provide the IP address or hostname of the machine hosting the SIEM product. Then, provide the communication Port to use for sending SIEM data.

3. Specify the Transport protocol (UDP or TCP) to use when sending data to the SIEM product.

4. Select the SIEM format to use. This determines the syntax of the string used to pass log data to the integration.

  • The available formats are syslog/CEF (Arcsight), syslog/key-value pairs (Splunk and others), syslog/LEEF (QRadar), and Custom.
  • If you select Custom, a text box is displayed. Enter or paste the string that you want to use. Click View SIEM format strings for a set of sample strings to use as a reference or template.
  • If you select a non-custom option, a sample Format string showing fields and value keys is displayed.

See Working with SIEM integration format strings (v7.7), page 26, for more information about format strings and the data included in records sent to the integration.

5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

After the changes have been saved, Websense Multiplexer connects to Filtering Service and distributes the log data to both Log Server and the selected SIEM integration.
