Splunk® Supported Add-ons

Splunk Add-on for Forcepoint Web Security

Configure Forcepoint Web Security to send syslog data

For the Splunk Add-on for Forcepoint Web Security to collect data from Forcepoint Web Security, you must configure the Web Security Manager to send events using syslog in the syslog/key-value pairs format to the data collection node of your Splunk platform installation. For more information on configuring syslog, see the "Enabling and configuring SIEM integration" section on page 24 of Websense Security Information Event Management (SIEM) Solutions at http://www.websense.com/content/support/library/web/v76/siem/siem.pdf.

The Splunk Add-on for Forcepoint Web Security supports the following keys:

| Number | Key | Description |
|---|---|---|
| 1 | bytesReceived | Bytes received in response to the request |
| 2 | bytesSent | Bytes sent as part of the request |
| 3 | categoryNumber | Integer representing the category assigned to the URL |
| 4 | categoryReasonCode | The reason the URL was assigned to the listed category |
| 5 | clientDestinationPort | Destination port of client connection; e.g., 8080 with Content Gateway explicit proxy |
| 6 | clientSourcePort | Source port of the client connection |
| 7 | contentStripped | When Content Gateway content stripping is enabled, a three-bit map of the content that was removed: bit 0 indicates ActiveX, bit 1 indicates JavaScript, bit 2 indicates VBScript. For example, "000" indicates that no content was stripped. On the other hand, "111" indicates that ActiveX, JavaScript, and VBScript data was stripped. |
| 8 | contentType | The Content Type value from the request header (for example, image/gif) |
| 9 | destination | Translated IPv4 or v6 address of the destination machine (resolved by DNS from the requested URL) |
| 10 | dispositionNumber | The numeric code associated with the action (e.g., category permitted, file type blocked) applied to the request |
| 11 | dispositionString | Permitted or Blocked, based on the value of dispositionNumber |
| 12 | DSSexternalIncidentID | The Data Security ID number associated with an incident in the forensics repository |
| 13 | DSStimeStamp | The Data Security timestamp for the forensic data |
| 14 | dynamicCategory | If non-zero, the category determined by real-time content analysis (e.g., Real-Time Security Scanning, Advanced File Analysis, etc.) |
| 15 | fileName | The name of the file associated with the request |
| 16 | fileTypeCode | The file type associated with the request |
| 17 | keyword | Keyword used to block a request. Empty if the request was not blocked by keyword. |
| 18 | lookupDuration | How long it took to look up category or protocol information in the Master Database (milliseconds) |
| 19 | method | Method associated with the request (for example, GET, POST, PUT, and so on) |
| 20 | networkDirection | Inbound (0) or outbound (1) |
| 21 | policyNames | The name of the policy or policies that could be applied to the request. (Multiple policies may be found, for example, for a user who belongs to multiple groups.) |
| 22 | port | Integer representing the TCP port of the origin server |
| 23 | productVersion | Web Security product version, as determined by Websense Multiplexer |
| 24 | protocol | The protocol name (custom or defined in the Master Database) |
| 25 | protocolId | Signed protocol identifier. A negative number indicates a custom protocol. |
| 26 | protocolVersion | HTTP Version (Byte.Byte) |
| 27 | proxySourceAddress | The IP address of the proxy |
| 28 | proxySourcePort | Source port of proxy-server connection |
| 29 | ProxyStatusCode | Proxy HTTP response code |
| 30 | roleId | A number associated with the delegated administration role in which the policy applied to the request was created. The identifier for the Super Administrator role is 8. |
| 31 | scanDuration | If Content Gateway analysis was performed, how long it took (milliseconds) |
| 32 | scanReasonString | Scanning analytic result, if any; the string might look like: 0-1404-Threat.Malicious.Web.RealTime. |
| 33 | severity | 1 if permitted, 7 if blocked. This severity entry does not relate to the severity levels assigned to incidents that appear on the Threats dashboard in the Web Security manager. |
| 34 | serverStatusCode | Origin server HTTP response code |
| 35 | source | IPv4 or v6 address of the client (requesting) machine |
| 36 | sourceServer | IP address (in integer format) of the server that originated the message, either Content Gateway or Network Agent |
| 37 | time | A positive, long number representing the number of seconds since midnight Jan. 1, 1970 |
| 38 | url | Full requested URL. Does not include protocol or port. |
| 39 | urlHost | Host (domain) portion of the requested URL |
| 40 | userAgent | Contents of the User-Agent HTTP header, if present |
| 41 | userPath | Contains NameSpace, Domain, and UserName information for the user to whom the policy was applied. |
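
The following Python example is added here and is not part of the Splunk or Forcepoint documentation. It decodes the coded keys from the list above (contentStripped, networkDirection, protocolId, dynamicCategory, time) and checks that severity agrees with dispositionString. It assumes events arrive as space-separated key=value tokens that use the key names listed above, and that bit 0 of contentStripped is the rightmost digit; the function names and the sample event are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample event (not captured from a real deployment). Assumes the
# event carries the listed key names as space-separated key=value pairs.
SAMPLE = ("severity=7 dispositionString=Blocked networkDirection=1 "
          "contentStripped=101 protocolId=-12 dynamicCategory=0 "
          "time=1626825600 urlHost=example.test method=GET")

# Bit meanings from the key list; assumes bit 0 is the rightmost digit.
STRIPPED_BITS = {0: "ActiveX", 1: "JavaScript", 2: "VBScript"}
DIRECTION = {"0": "inbound", "1": "outbound"}
SEVERITY_FOR = {"permitted": "1", "blocked": "7"}

def parse_event(line):
    """Split space-separated key=value tokens into a dict (values stay strings)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:  # skip tokens that are not key=value, such as a syslog header
            fields[key] = value
    return fields

def decode_content_stripped(value):
    """Return the content types named by the three-bit contentStripped map."""
    bits = int(value, 2)
    return [name for bit, name in STRIPPED_BITS.items() if bits & (1 << bit)]

def enrich(fields):
    """Add decoded views of the coded keys and flag inconsistent events."""
    out = dict(fields)
    if "contentStripped" in fields:
        out["stripped"] = decode_content_stripped(fields["contentStripped"])
    if "networkDirection" in fields:
        out["direction"] = DIRECTION.get(fields["networkDirection"], "unknown")
    if "protocolId" in fields:
        out["customProtocol"] = int(fields["protocolId"]) < 0
    if "dynamicCategory" in fields:
        out["realTimeCategorized"] = int(fields["dynamicCategory"]) != 0
    if "time" in fields:
        ts = datetime.fromtimestamp(int(fields["time"]), tz=timezone.utc)
        out["timeUtc"] = ts.isoformat()
    # severity is 1 if permitted and 7 if blocked; a mismatch points to a
    # wrong format string on the sender or a parsing error on the receiver.
    expected = SEVERITY_FOR.get(fields.get("dispositionString", "").lower())
    out["severityMismatch"] = expected is not None and fields.get("severity") != expected
    return out
```

Running `enrich(parse_event(SAMPLE))` on a few events after enabling the syslog output is a quick way to confirm that the keys reach the collector intact before building searches on them.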

Next, configure your data collection node to receive data from Forcepoint Web Security as described in Configure inputs for the Splunk Add-on for Forcepoint Web Security.

Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released

