Configure Forcepoint Web Security to send syslog data
For the Splunk Add-on for Forcepoint Web Security to collect data from Forcepoint Web Security, you must configure the Web Security Manager to send events using syslog in the syslog/key-value pairs format to the data collection node of your Splunk platform installation. For more information on configuring syslog, see the "Enabling and configuring SIEM integration" section on page 24 of Websense Security Information Event Management (SIEM) Solutions at http://www.websense.com/content/support/library/web/v76/siem/siem.pdf.
The Splunk Add-on for Forcepoint Web Security supports the following keys:
Number | Key | Description |
---|---|---|
1 | bytesReceived | Bytes received in response to the request |
2 | bytesSent | Bytes sent as part of the request |
3 | categoryNumber | Integer representing the category assigned to the URL |
4 | categoryReasonCode | The reason the URL was assigned to the listed category |
5 | clientDestinationPort | Destination port of client connection; e.g., 8080 with Content Gateway explicit proxy |
6 | clientSourcePort | Source port of the client connection |
7 | contentStripped | When Content Gateway content stripping is enabled, a three-bit map of the content that was removed. For example, "000" indicates that no content was stripped, and "111" indicates that ActiveX, JavaScript, and VBScript data was all stripped. |
8 | contentType | The Content Type value from the request header (for example, image/gif) |
9 | destination | Translated IPv4 or v6 address of the destination machine (resolved by DNS from the requested URL). |
10 | dispositionNumber | The numeric code associated with the action (e.g., category permitted, file type blocked) applied to the request |
11 | dispositionString | Permitted or Blocked, based on the value of dispositionNumber |
12 | DSSexternalIncidentID | The Data Security ID number associated with an incident in the forensics repository |
13 | DSStimeStamp | The Data Security timestamp for the forensic data |
14 | dynamicCategory | If non-zero, the category determined by real-time content analysis (e.g., Real-Time Security Scanning, Advanced File Analysis, etc.) |
15 | fileName | The name of the file associated with the request |
16 | fileTypeCode | The file type associated with the request |
17 | keyword | Keyword used to block a request. Empty if the request was not blocked by keyword. |
18 | lookupDuration | How long it took to look up category or protocol information in the Master Database (milliseconds) |
19 | method | Method associated with the request (for example, GET, POST, PUT, and so on) |
20 | networkDirection | Inbound (0) or outbound (1) |
21 | policyNames | The name of the policy or policies that could be applied to the request. (Multiple policies may be found, for example, for a user who belongs to multiple groups.) |
22 | port | Integer representing the TCP port of the origin server |
23 | productVersion | Web Security product version, as determined by Websense Multiplexer |
24 | protocol | The protocol name (custom or defined in the Master Database) |
25 | protocolId | Signed protocol identifier. A negative number indicates a custom protocol. |
26 | protocolVersion | HTTP Version (Byte.Byte) |
27 | proxySourceAddress | The IP address of the proxy |
28 | proxySourcePort | Source port of proxy-server connection |
29 | ProxyStatusCode | Proxy HTTP response code |
30 | roleId | A number associated with the delegated administration role in which the policy applied to the request was created. The identifier for the Super Administrator role is 8. |
31 | scanDuration | If Content Gateway analysis was performed, how long it took (milliseconds) |
32 | scanReasonString | Scanning analytic result, if any; the string might look like: 0-1404-Threat.Malicious.Web.RealTime. |
33 | severity | 1 if permitted, 7 if blocked. This severity entry does not relate to the severity levels assigned to incidents that appear on the Threats dashboard in the Web Security Manager. |
34 | serverStatusCode | Origin server HTTP response code |
35 | source | IPv4 or v6 address of the client (requesting) machine |
36 | sourceServer | IP address (in integer format) of the server that originated the message, either Content Gateway or Network Agent |
37 | time | A positive, long number representing the number of seconds since midnight Jan. 1, 1970 |
38 | url | Full requested URL. Does not include protocol or port. |
39 | urlHost | Host (domain) portion of the requested URL |
40 | userAgent | Contents of the User-Agent HTTP header, if present |
41 | userPath | Contains NameSpace, Domain, and UserName information for the user to whom the policy was applied. |
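The following is an added example and is not code from the Splunk add-on or from Forcepoint: a small Python parser that tokenizes key/value syslog events built from the keys in the table above, then applies the decoding rules the table describes (the three-bit contentStripped map, the integer-encoded sourceServer address, the epoch time, the negative-means-custom protocolId, and the severity/dispositionString pairing) and flags events that a SOC analyst would want to look at. The wire layout (space-separated key=value pairs, values optionally double-quoted) and the bit order of contentStripped are assumptions; the actual layout is set by the format string configured in the SIEM integration. The three sample events are constructed, not captured, and their numeric codes are made up.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Tolerant key=value tokenizer. Layout (space-separated pairs, values bare or
# double-quoted) is an assumption about the configured SIEM format string.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# contentStripped is a three-bit map: "000" = nothing stripped, "111" = ActiveX,
# JavaScript and VBScript all stripped. The per-bit order here is an assumption.
_STRIP_BITS = ("ActiveX", "JavaScript", "VBScript")

# severity is 1 for permitted and 7 for blocked; dispositionString must agree.
_SEVERITY_FOR = {"Permitted": "1", "Blocked": "7"}

# Constructed sample events using the documented keys; all values are made up.
SAMPLE_EVENTS = [
    # Permitted GET, nothing stripped, Master Database protocol.
    'time=1700000000 source=10.1.2.3 destination=93.184.216.34 urlHost=www.example.com '
    'url="www.example.com/index.html" method=GET port=80 protocolId=1 protocolVersion=1.1 '
    'dispositionString=Permitted severity=1 categoryNumber=20 dynamicCategory=0 '
    'contentStripped=000 sourceServer=3232235777 bytesSent=512 bytesReceived=4096 '
    'serverStatusCode=200 userPath="WinNT://CORP/jdoe" userAgent="Mozilla/5.0 (X11)"',
    # Blocked by real-time analysis: non-zero dynamicCategory, the scanReasonString
    # example from the table, ActiveX and VBScript stripped, custom (negative) protocolId.
    'time=1700000060 source=10.1.2.4 destination=203.0.113.9 urlHost=dl.example.net '
    'url="dl.example.net/setup.exe" method=GET port=8443 protocolId=-3 protocolVersion=1.1 '
    'dispositionString=Blocked severity=7 categoryNumber=128 dynamicCategory=1404 '
    'scanReasonString=0-1404-Threat.Malicious.Web.RealTime contentStripped=101 '
    'sourceServer=3232235777 fileName=setup.exe userPath="WinNT://CORP/jdoe"',
    # Inconsistent event: severity says blocked, dispositionString says permitted.
    'time=1700000120 source=10.1.2.5 destination=198.51.100.7 urlHost=www.example.org '
    'url="www.example.org/" method=POST port=443 protocolId=1 dispositionString=Permitted '
    'severity=7 categoryNumber=20 dynamicCategory=0 contentStripped=000 sourceServer=167772161',
]


def parse_event(line):
    """Tokenize one syslog line into {key: raw string}; quoted values keep their spaces."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def decode_content_stripped(bits):
    """Expand the three-bit contentStripped map into the names of the stripped content."""
    if len(bits) != 3 or set(bits) - {"0", "1"}:
        raise ValueError("contentStripped must be a three-bit map, got %r" % (bits,))
    return [name for name, bit in zip(_STRIP_BITS, bits) if bit == "1"]


def sourceserver_to_ip(value):
    """sourceServer is an integer-encoded address; assumed to be a big-endian IPv4 integer."""
    return str(ipaddress.ip_address(int(value)))


def event_time(value):
    """time is seconds since the Unix epoch; interpreted here as UTC."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def analyze(line):
    """Normalize one event and return its key fields plus consistency and threat flags."""
    ev = parse_event(line)
    flags = []
    disposition = ev.get("dispositionString", "")
    if _SEVERITY_FOR.get(disposition) != ev.get("severity"):
        flags.append("severity/disposition mismatch")
    if int(ev.get("protocolId", "0")) < 0:           # negative protocolId = custom protocol
        flags.append("custom protocol")
    if ev.get("dynamicCategory", "0") != "0":        # category came from real-time analysis
        flags.append("category set by real-time analysis")
    if "Threat" in ev.get("scanReasonString", ""):
        flags.append("scanner reported threat")
    return {
        "time": event_time(ev["time"]),
        "client": ev.get("source"),
        "user": ev.get("userPath"),
        "host": ev.get("urlHost"),
        "disposition": disposition,
        "stripped": decode_content_stripped(ev.get("contentStripped", "000")),
        "reporting_server": sourceserver_to_ip(ev["sourceServer"]),
        "flags": flags,
    }


if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        print(analyze(sample))
```

The severity/disposition check is worth keeping in any downstream alert logic: the table defines severity purely as a function of the disposition, so a disagreement between the two keys indicates a truncated or malformed event rather than a genuinely unusual request.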
Next, configure your data collection node to receive data from Forcepoint Web Security as described in Configure inputs for the Splunk Add-on for Forcepoint Web Security.