3 Replies Latest reply on Feb 26, 2013 3:47 AM by omerfsen

    websense syslog

      Hi,

      Is there a way to get Websense logs using syslog? The default way is to use the MSSQL DB of Websense, but is there any way to use syslog?

      Syslog messages are being sent to us, and I have configured it like this:

      [screenshot: websense_siem_syslog.png]

      But I get the following logs, which are not parsed:

      [screenshot: websense2.png]

        • 1. Re: websense syslog
          artek

          Hi Omerfsen,

          Recently I had a similar problem with ISA logs prepared by a customer: they were not recognized because the format of those events was different from the format expected by the ESM.

          If you do not know what is wrong, you can try to see what is wrong in the Websense policy rules in the following way:

          1. Create the Data Source in the ESM.

          2. Choose the configured Data Source in the device tree (Physical Display).

          3. Go to the Policy Editor:

          [screenshot: ESM11.PNG]

          4. Copy and paste the Websense ASP rules and...

          [screenshot: ESM12.PNG]

          5. Try to understand the regex and, if necessary, modify it.

          6. Remember that you can paste the sample logs.

          [screenshot: ESM13.PNG]

          7. And remember the web page http://gskinner.com/RegExr/, where you can try to write a working regex.

          Regards,

          Artur Sadownik

          • 2. Re: websense syslog

            Hi,

            It seems the log file is completely different. Websense Web Security v7.7:


            <159>Feb 26 09:21:31 10.10.11.221 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=76 user=LDAP://10.10.AA.BB OU=PIMIM_,OU=Internal,DC=aaa,DC=com,DC=tr/Test USer src_host=10.10.XX.YY src_port=57233 dst_host=www.google.com.tr dst_ip=173.194.39.215 dst_port=80 bytes_out=688 bytes_in=14265 http_response=200 http_method=GET http_content_type=text/javascript;_charset=UTF-8 http_user_agent=Mozilla/4.0_(compatible;_MSIE_8.0;_Windows_NT_6.1;_Trident/4.0; _SLCC2;_.NET_CLR_2.0.50727;_.NET_CLR_3.5.30729;_.NET_CLR_3.0.30729;_Media_Center _PC_6.0;_CMDTDF;_.NET4.0C;_.NET4.0E;_Tablet_PC_2.0) http_proxy_status_code=200 reason=- disposition=1026 policy=role-8**MKK_Policy role=8 duration=0 url=http://www.google.com.tr/extern_chrome/99da7e061854e9d7.js?bav=on.2,or.r_gc.r_pw .r_qf.


            And using Syslog Autolearn, this is recognized as a Zenprise SMG Event, but it clearly is not.


            Rule Name: Zenprise_SMG Event

            Signature ID: 1036170

            Normalization Name: User Account

             

            Signature: any any any -> any any (msg:"Zenprise_SMG Event";content:"="; fmt@firsttime:"%b%t%d%t%H:%M:%S"; fmt@lasttime:"%b%t%d%t%H:%M:%S"; map@action:"allow"="1","deny"="2"; pcre:"(\w+\s+\d{2}\s+(?:\d{2}\x3a){2}\d{2})\s+((?:\d{1,3}\x2e){3}\d{1,3})"; pcre:"agent\x3d(\S+)"; pcre:"host\x3d(\S+)"; pcre:"action\x3d(\S+)"; pcre:"user\x3d([^\x5c]+)\x5c\S+"; pcre:"user\x3d[^\x5c]+\x5c(\S+)"; pcre:"deviceid\x3d(\S+)"; pcre:"cmd\x3d(\S+)"; pcre:"cmd\x3d(\S+)"; pcre:"group\x3d(\S+)"; pcre:"ip\x3d((?:\d{1,3}\x2e){3}\d{1,3})"; raw; var:User_Agent.User_Agent=${2:1}; var:firsttime=${1:1}; var:lasttime=${1:2}; var:hostname=${3:1}; var:action=${4:1}; var:domainname=${5:1}; var:src_username=${6:1}; var:objectname=${7:1}; var:commandname=${8:1}; var:sigdesc=${9:1}; var:application=${10:1}; var:src_ip=${11:1}; adsid:430; sid:612081505; norm:0; severity:0; )


            And now I think I must open a ticket for a new ASP rule.

            • 3. Re: websense syslog

              And from the Websense product documentation (it seems QRadar and ArcSight are supported natively):

              Enabling and configuring SIEM integration

              After you install or enable Websense Multiplexer, log on to TRITON - Web Security to activate and configure SIEM integration.

              Perform this procedure for each Policy Server instance in your deployment.

              1. Navigate to Settings > General > SIEM Integration and select Enable SIEM integration for this Policy Server.

              2. Provide the IP address or hostname of the machine hosting the SIEM product. Then, provide the communication Port to use for sending SIEM data.

              3. Specify the Transport protocol (UDP or TCP) to use when sending data to the SIEM product.

              4. Select the SIEM format to use. This determines the syntax of the string used to pass log data to the integration.

                 • The available formats are syslog/CEF (Arcsight), syslog/key-value pairs (Splunk and others), syslog/LEEF (QRadar), and Custom.

                 • If you select Custom, a text box is displayed. Enter or paste the string that you want to use. Click View SIEM format strings for a set of sample strings to use as a reference or template.

                 • If you select a non-custom option, a sample Format string showing fields and value keys is displayed.

                 See Working with SIEM integration format strings (v7.7), page 26, for more information about format strings and the data included in records sent to the integration.

              5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

              After the changes have been saved, Websense Multiplexer connects to Filtering Service and distributes the log data to both Log Server and the selected SIEM integration.
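
The record format this thread is about (the key=value line posted in reply 2, which is what the syslog/key-value pairs option in the steps above produces), as an added example that is not part of the original thread and not Websense or McAfee code: a small Python receiver and parser that decodes the syslog PRI, splits the key=value body without breaking on the "OU=" and "DC=" inside the LDAP user path, and then runs the pcre captures from the Zenprise_SMG rule quoted in reply 2 against the same line to show which of them happen to hit. The sample datagram is constructed from the posted line (forum line-wrap spaces removed, user agent shortened). The assumptions are mine: keys are lowercase identifiers that follow whitespace, and Websense replaces spaces with underscores inside every value except the user field.

```python
import re
import socket
from typing import Dict, Iterator, Optional

# Constructed sample datagram, modelled on the line in reply 2 (wrap spaces
# removed, user agent shortened). Assumption: Websense underscores the spaces
# inside most values; the user field is the exception and keeps real spaces.
SAMPLE = (
    "<159>Feb 26 09:21:31 10.10.11.221 vendor=Websense product=Security "
    "product_version=7.7.0 action=permitted severity=1 category=76 "
    "user=LDAP://10.10.AA.BB OU=PIMIM_,OU=Internal,DC=aaa,DC=com,DC=tr/Test USer "
    "src_host=10.10.XX.YY src_port=57233 dst_host=www.google.com.tr "
    "dst_ip=173.194.39.215 dst_port=80 bytes_out=688 bytes_in=14265 "
    "http_response=200 http_method=GET "
    "http_content_type=text/javascript;_charset=UTF-8 "
    "http_user_agent=Mozilla/4.0_(compatible;_MSIE_8.0;_Windows_NT_6.1;_Trident/4.0) "
    "http_proxy_status_code=200 reason=- disposition=1026 policy=role-8**MKK_Policy "
    "role=8 duration=0 url=http://www.google.com.tr/extern_chrome/99da7e061854e9d7.js"
)

PRI_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                     # RFC 3164 PRI
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"  # Feb 26 09:21:31
    r"(?P<host>\S+)\s+"                                        # sending Policy Server
    r"(?P<msg>.*)$"
)

# A key is a lowercase identifier at the start of the body or after whitespace.
# A value runs up to the next such key (or end of line), so the "OU=" / "DC="
# components of the LDAP user path stay inside the user value.
KV_PAIR = re.compile(r"(?<![^\s])([a-z][a-z0-9_]*)=(.*?)(?=\s[a-z][a-z0-9_]*=|$)")


def parse_websense_syslog(datagram: str) -> Dict[str, str]:
    """Parse one Websense syslog/key-value record into a flat dict.

    Returns {} when the line does not carry a syslog PRI header.
    """
    m = PRI_HEADER.match(datagram.strip())
    if not m:
        return {}
    pri = int(m.group("pri"))
    record = {
        "syslog_facility": str(pri // 8),  # <159> -> 19 (local3)
        "syslog_severity": str(pri % 8),   # <159> -> 7  (debug)
        "syslog_timestamp": m.group("ts"),
        "syslog_host": m.group("host"),
    }
    for key, value in KV_PAIR.findall(m.group("msg")):
        record[key] = value
    return record


# pcre captures copied from the Zenprise_SMG rule text in reply 2. They are
# unanchored, which is why a generic rule can still fire on a Websense record.
ZENPRISE_PCRE = {
    "timestamp_ip": r"(\w+\s+\d{2}\s+(?:\d{2}\x3a){2}\d{2})\s+((?:\d{1,3}\x2e){3}\d{1,3})",
    "agent": r"agent\x3d(\S+)",
    "host": r"host\x3d(\S+)",
    "action": r"action\x3d(\S+)",
    "domain_user": r"user\x3d([^\x5c]+)\x5c\S+",
    "deviceid": r"deviceid\x3d(\S+)",
    "ip": r"ip\x3d((?:\d{1,3}\x2e){3}\d{1,3})",
}


def zenprise_captures(datagram: str) -> Dict[str, Optional[str]]:
    """First capture group of each Zenprise pcre, or None where it does not match."""
    out: Dict[str, Optional[str]] = {}
    for name, pattern in ZENPRISE_PCRE.items():
        m = re.search(pattern, datagram)
        out[name] = m.group(1) if m else None
    return out


def receive_udp(bind_addr: str = "0.0.0.0", port: int = 514) -> Iterator[str]:
    """Yield raw datagrams from the Multiplexer (UDP transport, port from step 2).

    Blocking; run on the host whose address you entered in the SIEM Integration
    page. Port 514 needs root, so pick a high port when testing as a normal user.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, _ = sock.recvfrom(65535)
            yield data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    rec = parse_websense_syslog(SAMPLE)
    for k in ("syslog_facility", "user", "src_host", "dst_host", "action", "url"):
        print(f"{k:16} {rec[k]}")
    print()
    for name, value in zenprise_captures(SAMPLE).items():
        print(f"zenprise {name:13} {value!r}")
```

Run it stand-alone to print the parsed fields, or feed `receive_udp()` into `parse_websense_syslog()` while a Policy Server sends over UDP (TCP framing is not handled here). Of the Zenprise captures, the timestamp/IP, agent, host, action and ip patterns all hit because nothing anchors them (`host=` matches inside `src_host=`, `ip=` inside `dst_ip=`), while the user pattern needs a backslash and never matches; a rule written for this source would key on `vendor=Websense` rather than on a bare `=`.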