Flex Connector Websense WSG 7.5 full logs

over 10 years ago

ID-Based Database Flex connector to consume Websense logs from a MS SQL Server database

Notes:

  • The database account that you run the connector with must have db_datareader on all partitions of the Websense database. The default name is wslogdb70; partitions are wslogdb70_1, and so on.
  • The database account must have execute rights on the dbo.inttoip function.

Updated 10/17/2011:

* Now puts full category instead of just parent category for site category

* Fixed issue where ArcSight was doing a reverse DNS lookup on the destination IP instead of using the destination URL.
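
The two permission requirements in the notes above, applied to the catalog database and every partition in one pass, so the script can be re-run (for example from a scheduled SQL Server Agent job) whenever a new partition appears. This is an added example, not part of the original connector package; the login name `arcsight_reader` is a hypothetical placeholder, and the database names follow the wslogdb70 / wslogdb70_N pattern given in the notes.

```sql
-- Added example (T-SQL). Grants the connector account read-only access only:
-- db_datareader in each Websense log database, plus EXECUTE on dbo.inttoip
-- wherever that function exists. Safe to re-run; existing grants are skipped.
DECLARE @login sysname;
DECLARE @db    sysname;
DECLARE @sql   nvarchar(max);

SET @login = N'arcsight_reader';   -- hypothetical login name, replace with yours

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = N'ONLINE'
      AND (name = N'wslogdb70'               -- catalog database (default name)
           OR name LIKE N'wslogdb70[_]%');   -- partitions: wslogdb70_1, ...

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps database and principal names from breaking the batch.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @u)
    CREATE USER ' + QUOTENAME(@login) + N' FOR LOGIN ' + QUOTENAME(@login) + N';
IF ISNULL(IS_ROLEMEMBER(N''db_datareader'', @u), 0) = 0
    EXEC sp_addrolemember N''db_datareader'', @u;  -- ALTER ROLE ... ADD MEMBER on SQL Server 2012+
IF OBJECT_ID(N''dbo.inttoip'') IS NOT NULL
    GRANT EXECUTE ON dbo.inttoip TO ' + QUOTENAME(@login) + N';';

    EXEC sp_executesql @sql, N'@u sysname', @u = @login;
    PRINT N'Checked permissions in ' + @db;

    FETCH NEXT FROM db_cur INTO @db;
END

CLOSE db_cur;
DEALLOCATE db_cur;
```

The account receives no write or DDL rights, which keeps the SIEM collector's credentials read-only against the proxy log store.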

Comment List
Anonymous
  • Hi, we have 2 Websense managers and both are storing their logs in 2 different SQL DBs. I am able to pull the logs using a flex connector from one DB, but from the other DB we are facing issues.

    Error in wrapper is

    INFO   | jvm 7| 2013/06/18 17:27:39 | [Tue Jun 18 17:27:39 IST 2013] [WARN ] Cache files were found for cache [3ieIHVz8BABDLKfW+HrWtXA==.m1] but the cache size is missing or is negative. Scanning Cache now, this may take a while...(to avoid this step and use the cache size [0] set the property [eventcache.scanforsize] to 'false')

    INFO   | jvm 7| 2013/06/18 17:27:39 | [Tue Jun 18 17:27:39 IST 2013] [INFO ] Cache size [0]. Scanned in [0] ms.

    INFO   | jvm 7| 2013/06/18 17:27:39 | [Tue Jun 18 17:27:39 IST 2013] [INFO ] HTTP Compression enabled.

    INFO   | jvm 7| 2013/06/18 17:27:39 | [Tue Jun 18 17:27:39 IST 2013] [INFO ] Database version [1.0] detected.

    INFO   | jvm 7| 2013/06/18 17:27:39 | [Tue Jun 18 17:27:39 IST 2013] [INFO ] Querying the database [jdbc:odbc:websense] to find out last id written

    and error in agent.log is

    [2013-06-18 16:57:12,349][INFO ][default.com.arcsight.agent.loadable.flexagent._FlexIdBasedDatabaseAgent][detectDatabaseVersion] Database version [1.0] detected.

    [2013-06-18 16:57:12,365][WARN ][default.com.arcsight.agent.xb.d][load] Neither [ps.FAD670E0FA72EDBB7F60C1974E66EFEE9989AA7E.3ieIHVz8BABDLKfW+HrWtXA==.0] nor [ps.FAD670E0FA72EDBB7F60C1974E66EFEE9989AA7E.3ieIHVz8BABDLKfW+HrWtXA==.1] exist. Unable to load persisted value

    [2013-06-18 16:57:12,365][INFO ][default.com.arcsight.agent.loadable.flexagent._FlexIdBasedDatabaseAgent][getLastRecordId] Querying the database [jdbc:odbc:websense] to find out last id written

    [2013-06-18 16:57:12,412][INFO ][default.com.arcsight.agent.loadable.flexagent._FlexIdBasedDatabaseAgent][getConnection] Current password set as original one for [jdbc:odbc:websense]

    Please help us to fix this.


  • Hi Chad,

    You have to go to Databases->System Databases->model->Security->Users, right-click on the user you use to collect events and, in the Database role membership section, select the db_datareader role.

    Cristian

  • Thanks for this, it's been working great. Do you know of a way to automatically add "db_datareader" to each partition as it is created? Right now, logging breaks when a new partition is created, and then I have to manually go in and add the role.

  • Try changing the version line in the .properties file to the version of SQL you are using.

    If you're on a connector appliance, don't forget to apply the correct JDBC driver for SQL Server.

  • I have tried using this file to pull Websense logs using an ID-based FlexConnector. After the test database connection succeeds, it gives "unable to detect database version" while verifying the database schema.

  • We don't use browse time. However, looking at the views in the Websense database, it appears that there is a view called "TREND_BROWSE_TIME" with columns Start_Date, LAST_START_TIME, BROWSE_TIME and USER_ID.

    I imagine that you could figure out a way to pull that into ArcSight, but it might have to be a separate connector.

  • Thanks Lora, the flex file is also working on the latest version of Websense WSG 7.6.

    Have you succeeded in also getting the browse time from the database?

    Regards

    Cristian

  • Thank you for sharing this - much appreciated!
