External Systems Configuration Guide

Websense Web Filter

What is Discovered and Monitored

Protocol                 Syslog
Information discovered   (none)
Metrics collected        Parsed event attributes include Source IP, Destination Name, Destination URL, HTTP Method, HTTP User Agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Website Category, HTTP Disposition, Sent Bytes, Recv Bytes, Duration, File Type, etc.
Used for                 Security monitoring and compliance

Event Types

In ADMIN > Device Support > Event Types, search for "websense_web" to see the event types associated with this device. 

Rules

There are no predefined rules for this device. 

Reports

There are no predefined reports for this device. 

Configuration

FortiSIEM integrates with Websense Web Filter via syslog sent in the SIEM integration format described in the Websense SIEM guide. See that guide for instructions on installing the Websense Multiplexer, which integrates with the Websense Policy Server and emits syslog for consumption by SIEM products such as FortiSIEM.

Sample Parsed Websense Web Filter Syslog Message

<159>Feb 28 14:25:32 10.203.28.21 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 
user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 
http_response=200 http_method=CONNECT http_content_type= - 
http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23 
http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com
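The message above is the Websense SIEM integration format: a BSD syslog header (`<PRI>`, timestamp, reporting host) followed by space-separated `key=value` pairs, with `-` standing in for an absent value and spaces inside values (the user agent) replaced by underscores. The parser below is an added example, not FortiSIEM's or Websense's code; it extracts the fields, decodes the syslog facility and severity from the PRI, normalizes absent values, and maps the keys onto the attribute names listed in the "Metrics collected" row above (that mapping, and the `NUMERIC_KEYS` set, are the author's assumptions, since the page does not give FortiSIEM's internal attribute names). It also handles the `http_content_type= -` quirk visible in the sample, where an empty value is followed by a stray `-` token, and the sample line is a constructed copy of the one shown on the page.

```python
"""Parse Websense Web Filter SIEM-format syslog lines (added example, not vendor code)."""
import re
from typing import Optional

# Constructed sample, in the shape of the message shown in the guide.
SAMPLE = (
    "<159>Feb 28 14:25:32 10.203.28.21 vendor=Websense product=Security "
    "product_version=7.7.0 action=permitted severity=1 category=153 "
    "user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com "
    "dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 "
    "http_response=200 http_method=CONNECT http_content_type= - "
    "http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2.23)"
    "_Gecko/20110920_Firefox/3.6.23 "
    "http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 "
    "url=https://mail.google.com"
)

# BSD syslog header: <PRI>, "Mon dd HH:MM:SS" (no year), reporting host, then the body.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.*)$",
    re.DOTALL,
)
# key=value where the value runs to the next whitespace; a bare "key=" yields "".
# Stray tokens that are not key=value (the "-" after http_content_type=) are skipped.
KV_RE = re.compile(r"(\w+)=(\S*)")

# Keys the page shows with integer values (assumption: converted for range checks).
NUMERIC_KEYS = {
    "severity", "category", "src_port", "dst_port", "bytes_out", "bytes_in",
    "http_response", "http_proxy_status_code", "disposition", "role", "duration",
}

# Websense key -> attribute label from the guide's "Metrics collected" row.
# Assumption by the author of this example; FortiSIEM's own attribute names are not on the page.
FIELD_MAP = {
    "src_host": "Source IP",
    "dst_host": "Destination Name",
    "url": "Destination URL",
    "http_method": "HTTP Method",
    "http_user_agent": "HTTP User Agent",
    "http_response": "HTTP Status Code",
    "http_content_type": "HTTP Content Type",
    "reason": "Blocked Reason",
    "category": "Website Category",
    "disposition": "HTTP Disposition",
    "bytes_out": "Sent Bytes",
    "bytes_in": "Recv Bytes",
    "duration": "Duration",
}


def _clean(key: str, raw: str) -> Optional[object]:
    """Websense writes '-' for an absent value; an empty value is absent too."""
    if raw in ("", "-"):
        return None
    if key in NUMERIC_KEYS and raw.isdigit():
        return int(raw)
    return raw


def parse_websense_syslog(line: str) -> dict:
    """Return header fields, raw key/value fields and guide-labelled attributes."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a <PRI>-prefixed BSD syslog line")
    pri = int(m.group("pri"))
    fields = {kv.group(1): _clean(kv.group(1), kv.group(2))
              for kv in KV_RE.finditer(m.group("body"))}
    return {
        "facility": pri // 8,          # 159 -> 19 (local3)
        "severity": pri % 8,           # 159 -> 7 (debug); distinct from Websense's severity= field
        "timestamp": m.group("ts"),    # left as text: BSD syslog carries no year
        "host": m.group("host"),
        "fields": fields,
        "attributes": {FIELD_MAP[k]: v for k, v in fields.items() if k in FIELD_MAP},
    }


def is_blocked(event: dict) -> bool:
    """True when the proxy did not permit the request.

    The page only shows action=permitted; treating any other action value as a
    block is this example's assumption and is what a monitoring rule would key on.
    """
    return event["fields"].get("action") != "permitted"


if __name__ == "__main__":
    ev = parse_websense_syslog(SAMPLE)
    for label, value in ev["attributes"].items():
        print(f"{label:20} {value}")
    print("blocked:", is_blocked(ev))
```

Because `KV_RE.finditer` consumes each value up to the next whitespace, an `=` inside a URL query string stays part of the `url` value rather than being read as a new key; the user agent is kept verbatim, since the underscore substitution Websense applies is not reversible in general.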

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting                    Value
Name                       <set name>
Device Type                Websense Web Security
Access Protocol            JDBC
Log Server IP              IP of the log server
Pull Interval              5 minutes
Port                       1433
Log Database               wslogdb70_1
URL Database               wslogdb70
URL Category Database      wslogdb70
Disposition Database       wslogdb70
User Name                  Name used to access the database
