4 Replies Latest reply on Mar 10, 2015 8:03 AM by julienb

    Websense - Web Security Gateway - SYSLOG parsing rules


      Dear community,


      The default parsing rules available within the SIEM (up to 9.4.2) are outdated and may not work in all environments.

      We have created custom ones to fit our needs (Websense 7.7.3), so just sharing here the details in case it can help someone else.


      1. New custom fields

      The following custom fields (types) have been created to store some information dedicated to Websense (so not using the default ones):

      •     WEBSENSE_Action, String, #1 (event custom field number),
      •     WEBSENSE_Appliance, IPv4, #2,
      •     WEBSENSE_Category, String, #7,
      •     WEBSENSE_ContentType, Random String, #23,
      •     WEBSENSE_DynCategory, Random String, #21,
      •     WEBSENSE_FileType, String, #10,
      •     WEBSENSE_Policy, String, #4,
      •     WEBSENSE_Protocol, String, #5,
      •     WEBSENSE_ScanReason, String, #22,
      •     WEBSENSE_UserAgent, String, #6.


      2. Websense SYSLOG format string.

      Websense has been configured to send SYSLOG data using the following format string:

      <159>%<:%b %d %H:%M:%S> %<-sourceServer> vendor=Websense_TRITON action=%<dispositionNumber> action_summary=%<dispositionString> policy=%<_policyNames> category=%<categoryNumber> protocol=%<protocol> src_ip=%<source> src_port=%<clientSourcePort> dst_ip=%<destination> dst_port=%<port> dst_host=%<urlHost> url=%<url> file_type=%<fileTypeCode> file_name=%<fileName> bytes_out=%<bytesSent> bytes_in=%<bytesReceived> http_method=%<method> http_proxy_status_code=%<proxyStatusCode> http_content_type=%<_contentType> http_user_agent=%<_userAgent> scan_reason=%<scanReasonString> dynamic_category=%<-dynamicCategory> keyword=%<-keyword>


      This corresponds to the following fields:

      • %<-sourceServer>: appliance IP address
      • vendor=Websense_TRITON: just a tag for the parsing rule
      • action=%<dispositionNumber>: action taken (permitted or blocked)
      • action_summary=%<dispositionString>: action detail (ID number, will be mapped in the ASP rule)
      • policy=%<_policyNames>: policy name
      • category=%<categoryNumber>: category ID (will be mapped in the ASP rule)
      • protocol=%<protocol>: protocol NAME, not ID...
      • src_ip=%<source>: source IP
      • src_port=%<clientSourcePort>: source PORT
      • dst_ip=%<destination>:  destination IP
      • dst_port=%<port>: destination PORT
      • dst_host=%<urlHost>: domain (will be mapped to domain field)
      • url=%<url>: full URL
      • file_type=%<fileTypeCode>: file type ID (will be mapped in the ASP rule)
      • file_name=%<fileName>: file name (after the first /, and before any variable)
      • bytes_out=%<bytesSent>: bytes sent
      • bytes_in=%<bytesReceived>: bytes received
      • http_method=%<method>: method (GET, POST, etc)
      • http_proxy_status_code=%<proxyStatusCode>: status (200, 404, etc)
      • http_content_type=%<_contentType>: content type
      • http_user_agent=%<_userAgent>: user agent string
      • scan_reason=%<scanReasonString>: what has been detected by the content inspection process
      • dynamic_category=%<-dynamicCategory>: category ID (will be mapped in the ASP rule)
      • keyword=%<-keyword>: keyword


      Please refer to the Websense SIEM integration document (attached, "websense_SIEM_codes_NEW.pdf") for further details.


      3. New custom parsing rules

      I have created 2 new rules (and deactivated the default ones). Thanks to the last upgrade to 9.4.2, the ASP size limit has been extended and it now works perfectly!

      See attached file "WEBSENSE_RuleExport_2014_12_11_15_37_30.xml".

      The rules contain the last mappings for categories, dynamic categories, actions and file types.

      • The first one is triggered when action=blocked.
      • The second one when action=permitted.


      Except for "method", "status code" and "keyword", all other fields are assigned to respective SIEM fields.
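
To check that messages in the section 2 format split cleanly before they reach the SIEM rules, the following Python parser is an added example, not part of the original post or the attached rule export. The sample lines, addresses and code values in it are constructed, and the `ambiguous_keys` field is an assumption of this example rather than a SIEM field.

```python
import re

# Keys in the order the format string in section 2 emits them.
KEYS = [
    "vendor", "action", "action_summary", "policy", "category", "protocol",
    "src_ip", "src_port", "dst_ip", "dst_port", "dst_host", "url",
    "file_type", "file_name", "bytes_out", "bytes_in", "http_method",
    "http_proxy_status_code", "http_content_type", "http_user_agent",
    "scan_reason", "dynamic_category", "keyword",
]

# <PRI>, then "%b %d %H:%M:%S", then the appliance address.
HEADER = (r"<(?P<pri>\d{1,3})>(?P<timestamp>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
          r"(?P<appliance>\S+) ")
# Values may contain spaces (user agent, policy names), so each value runs
# lazily up to the next expected " key=" instead of stopping at whitespace.
LINE_RE = re.compile(HEADER + " ".join(f"{k}=(?P<{k}>.*?)" for k in KEYS))


def parse_websense(line):
    """Split one Websense syslog line into a dict of its fields."""
    line = line.rstrip("\r\n")
    m = LINE_RE.fullmatch(line)
    if m is None:
        raise ValueError("line does not follow the expected format string")
    event = m.groupdict()
    # PRI = facility * 8 + severity (159 -> local3, debug).
    event["facility"], event["severity"] = divmod(int(event.pop("pri")), 8)
    # A client-supplied value (URL, user agent) that itself contains " key="
    # makes the split ambiguous; flag it instead of trusting the fields.
    event["ambiguous_keys"] = [k for k in KEYS if line.count(f" {k}=") > 1]
    return event


# Constructed sample lines (placeholder values, not real Websense codes).
SAMPLE = (
    "<159>Dec 11 15:37:30 192.0.2.10 vendor=Websense_TRITON action=1 "
    "action_summary=permitted policy=Default Policy category=9 protocol=http "
    "src_ip=198.51.100.7 src_port=51515 dst_ip=203.0.113.20 dst_port=80 "
    "dst_host=www.example.test url=http://www.example.test/a/b.html?x=1 "
    "file_type=0 file_name=b.html bytes_out=412 bytes_in=10240 "
    "http_method=GET http_proxy_status_code=200 http_content_type=text/html "
    "http_user_agent=Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 "
    "scan_reason=- dynamic_category=0 keyword=-"
)
SPOOFED = SAMPLE.replace("Gecko/20100101", "Gecko scan_reason=x")
```

Events with a non-empty `ambiguous_keys` list are worth reviewing by hand, because a regex-based rule will assign the fields after the repeated key in the same way this parser does.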