Websense
Websense Web Security Gateway is a web proxy event source that will send logs to a SIEM.
Before You Begin
Before setting up this event source within InsightIDR, you must configure Websense to send syslog to the InsightIDR collector. You can find instructions here: http://www.websense.com/content/support/library/web/v80/triton_web_help/settings_siem_explain.aspx
When configuring syslog, select CEF as the log format.
Example Parseable Log Format
The following is an example log that InsightIDR can parse:
1Sep 18 07:45:58 10.20.26.80 vendor=Websense product=Security product_version=7.7.3 action=permitted severity=1 category=17 user=LDAP://adserver.ad.company OU=West Coast,OU=employees,DC=ad,DC=company/John Doe src_host=10.20.100.228 src_port=0 dst_host=72.21.215.232:443 dst_ip=72.21.215.232 dst_port=443 bytes_out=3301 bytes_in=5357 http_response=0 http_method=GET http_content_type=- http_user_agent=- http_proxy_status_code=0 reason=- disposition=1026 policy=role-8**Standard_Access role=8 duration=0 url=HTTPS://72.21.215.232:443
Example CEF Format
The following is an example of a parseable log in CEF format:
1Sep 18 05:48:53 10.30.26.80 CEF:0|Websense|Security|7.7.3|76|Transaction permitted|1| act=permitted app=http dvc=10.30.26.80 dst=206.190.60.138 dhost=l.yimg.com dpt=80 src=10.30.100.104 spt=0 suser=LDAP://adserver.ad.company OU\\=West Coast,OU\\=employees,DC\\=ad,DC\\=company/John Doe destinationTranslatedPort=0 rt=1379508533000 in=660 out=13281 requestMethod=GET requestClientApplication=- reason=- cs1Label=Policy cs1=role-8**Standard Access cs2Label=DynCat cs2=0 cs3Label=ContentType cs3=- cn1Label=DispositionCode cn1=1026 cn2Label=ScanDuration cn2=0 request=http://l.yimg.com/rd/combine/en-US/1379417477/vendor/rapid.js
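As an added example (not Rapid7's or Websense's own code), the following Python parser splits the CEF line above into its syslog prefix, pipe-delimited header and key=value extension, keeping the backslash-escaped `=` inside the suser value intact and resolving Websense's csN/cnN fields through their csNLabel/cnNLabel pairs. It assumes the `\\=` shown on this page is the rendered form of the single CEF escape `\=`; the sample record and all function names are constructed for this example.

```python
import re

# Constructed from the page's CEF example; assumes the wire form of the escaped
# equals sign in suser is the CEF escape "\=" (rendered on the page as "\\=").
SAMPLE = (
    r"1Sep 18 05:48:53 10.30.26.80 CEF:0|Websense|Security|7.7.3|76|Transaction permitted|1| "
    r"act=permitted app=http dvc=10.30.26.80 dst=206.190.60.138 dhost=l.yimg.com dpt=80 "
    r"src=10.30.100.104 spt=0 suser=LDAP://adserver.ad.company OU\=West Coast,"
    r"OU\=employees,DC\=ad,DC\=company/John Doe destinationTranslatedPort=0 "
    r"rt=1379508533000 in=660 out=13281 requestMethod=GET requestClientApplication=- "
    r"reason=- cs1Label=Policy cs1=role-8**Standard Access cs2Label=DynCat cs2=0 "
    r"cs3Label=ContentType cs3=- cn1Label=DispositionCode cn1=1026 "
    r"cn2Label=ScanDuration cn2=0 request=http://l.yimg.com/rd/combine/en-US/1379417477/vendor/rapid.js"
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# key=value where the value may contain spaces and runs until the next " key=" or end of line;
# the "\\." alternative stops escaped characters (\=, \\) from terminating a value early.
EXT_RE = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")
ESCAPES = {"=": "=", "\\": "\\", "|": "|", "n": "\n", "r": "\r"}


def _unescape(value):
    """Undo CEF backslash escapes; unknown escapes are left untouched."""
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(0)), value)


def parse_cef(line):
    """Parse one Websense CEF syslog line into prefix, header, extension and labelled custom fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    # Split on unescaped pipes only; the 8th piece is the free-form extension.
    parts = re.split(r"(?<!\\)\|", line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext = {k: _unescape(v) for k, v in EXT_RE.findall(parts[7])}
    # Websense carries policy/disposition in csN/cnN slots; resolve each via its csNLabel/cnNLabel.
    custom = {}
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            custom[label] = ext[key[:-5]]
    return {"syslog_prefix": line[:start].strip(), "header": header, "extension": ext, "custom": custom}


if __name__ == "__main__":
    rec = parse_cef(SAMPLE)
    print(rec["header"]["name"], "|", rec["extension"]["suser"], "|", rec["custom"]["Policy"])
```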
Example LEEF Format
The following is an example of a parseable log in LEEF format:
1Sep 18 08:01:17 10.20.26.80 LEEF:1.0|Websense|Security|7.7.3|transaction:permitted|sev=1<009>cat=29<009>usrName=LDAP://adserver.ad.company OU=Branches,OU=employees,DC=ad,DC=company/John Doe<009>src=10.20.100.193<009>srcPort=0<009>srcBytes=954<009>dstBytes=1150<009>dst=68.67.151.15<009>dstPort=80<009>proxyStatus-code=0<009>serverStatus-code=0<009>duration=0<009>method=GET<009>disposition=1026<009>contentType=-<009>reason=-<009>policy=role-8**Standard Access<009>role=8<009>userAgent=-<009>url=http://ib.adnxs.com/seg?add\\=826953&t\\=2
How to Configure This Event Source
- From your dashboard, select Data Collection on the left-hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Web Proxy icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Optionally choose to send unparsed logs.
- Choose the timezone that matches the location of your event source logs.
- Select a collection method and specify a port and a protocol.
- If you chose TCP, optionally encrypt the event source by downloading the Rapid7 Certificate.
- Click Save.