Flex Connector Websense WSG 7.5 full logs


ID-based database FlexConnector that consumes Websense logs from an MS SQL Server database.

Notes:

  • The database account that the connector runs as must have the db_datareader role on every partition of the Websense database. The default database name is wslogdb70; the partitions are wslogdb70_1, and so on.
  • The database account must also have execute rights on the dbo.inttoip function.

Updated 10/17/2011:

* Now puts full category instead of just parent category for site category

* Fixed an issue where ArcSight was doing a reverse DNS lookup on the destination IP instead of using the destination URL.
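
The two permissions from the notes, applied to the catalog database and every partition in one pass (an added T-SQL example, not part of the original post or the connector package). The login name arcsight_reader is hypothetical, and the script assumes the database user carries the same name as the login; it is safe to re-run, for example after Websense creates a new partition.

```sql
-- Added example, not from the original post. Assumptions: the connector's
-- SQL login is the hypothetical [arcsight_reader]; the log database uses the
-- default name wslogdb70 with partitions wslogdb70_1, wslogdb70_2, ...
DECLARE @login sysname, @u nvarchar(258), @db sysname, @sql nvarchar(max);
SET @login = N'arcsight_reader';   -- hypothetical login name
SET @u = QUOTENAME(@login);

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = N'ONLINE'
      AND (name = N'wslogdb70' OR name LIKE N'wslogdb70[_]%');

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
-- Map the login to a database user if the database does not have one yet.
IF DATABASE_PRINCIPAL_ID(@login) IS NULL
    CREATE USER ' + @u + N' FOR LOGIN ' + @u + N';
-- Read-only access: db_datareader and nothing broader.
IF NOT EXISTS (SELECT 1 FROM sys.database_role_members
               WHERE role_principal_id = DATABASE_PRINCIPAL_ID(N''db_datareader'')
                 AND member_principal_id = DATABASE_PRINCIPAL_ID(@login))
    EXEC sp_addrolemember N''db_datareader'', @login;
-- EXECUTE on dbo.inttoip, only in databases that contain the function.
IF OBJECT_ID(N''dbo.inttoip'') IS NOT NULL
    GRANT EXECUTE ON dbo.inttoip TO ' + @u + N';';

    EXEC sp_executesql @sql, N'@login sysname', @login = @login;
    PRINT N'Checked ' + @db;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;
```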

Comment List
  • Hi, we have 2 Websense managers and both are storing the logs in 2 different SQL DBs. I am able to pull the logs using a flex connector from one DB, but from the other DB we are facing issues.

    Error in wrapper is

    INFO   | jvm 7| 2013/06/18 17:27:39 | [Tue Jun 18 17:27:39 IST 2013] [WARN ] Cache files were found for cache [3ieIHVz8BABDLKfW+HrWtXA==.m1] but the cache size is missing or is negative. Scanning Cache now, this may take a while...(to avoid this step and use the cache size [0] set the property [eventcache.scanforsize] to 'false')
    INFO   | jvm 7| 2013/06/18 17:27:39 | [Tue Jun 18 17:27:39 IST 2013] [INFO ] Cache size [0]. Scanned in [0] ms.
    INFO   | jvm 7| 2013/06/18 17:27:39 | [Tue Jun 18 17:27:39 IST 2013] [INFO ] HTTP Compression enabled.
    INFO   | jvm 7| 2013/06/18 17:27:39 | [Tue Jun 18 17:27:39 IST 2013] [INFO ] Database version [1.0] detected.
    INFO   | jvm 7| 2013/06/18 17:27:39 | [Tue Jun 18 17:27:39 IST 2013] [INFO ] Querying the database [jdbc:odbc:websense] to find out last id written

    and error in agent.log is

    [2013-06-18 16:57:12,349][INFO ][default.com.arcsight.agent.loadable.flexagent._FlexIdBasedDatabaseAgent][detectDatabaseVersion] Database version [1.0] detected.

    [2013-06-18 16:57:12,365][WARN ][default.com.arcsight.agent.xb.d][load] Neither [ps.FAD670E0FA72EDBB7F60C1974E66EFEE9989AA7E.3ieIHVz8BABDLKfW+HrWtXA==.0] nor [ps.FAD670E0FA72EDBB7F60C1974E66EFEE9989AA7E.3ieIHVz8BABDLKfW+HrWtXA==.1] exist. Unable to load persisted value

    [2013-06-18 16:57:12,365][INFO ][default.com.arcsight.agent.loadable.flexagent._FlexIdBasedDatabaseAgent][getLastRecordId] Querying the database [jdbc:odbc:websense] to find out last id written

    [2013-06-18 16:57:12,412][INFO ][default.com.arcsight.agent.loadable.flexagent._FlexIdBasedDatabaseAgent][getConnection] Current password set as original one for [jdbc:odbc:websense]

    Please help us to fix this.


  • Hi Chad,

    You have to go to Databases->System Databases->model->Security->Users, right-click on the user you use to collect events and, in the Database role membership section, select the db_datareader role.

    Cristian

  • Thanks for this, it's been working great.  Do you know of a way to automatically add "db_datareader" to each partition as it is created?  Right now, logging breaks when a new partition is created, and then I have to manually go in and add the role.

  • Try changing the version line in the .properties file to the version of sql you are using.

    If you're on a connector appliance, don't forget to apply the correct jdbc driver for sql server.

  • I have tried using this file to pull Websense logs using an ID-based FlexConnector. After the test database connection succeeds, it gives "unable to detect database version" while verifying the database schema.

  • We don't use browse time. However, looking at the views in the Websense database, it appears that there is a view called "TREND_BROWSE_TIME" with columns Start_Date, LAST_START_TIME, BROWSE_TIME and USER_ID.

    I imagine that you could figure out a way to pull that into ArcSight, but it might have to be a separate connector.

  • Thanks Lora, the flex file is also working on the latest version of Websense, WSG 7.6.

    Have you succeeded in also taking the browse time from the database?

    Regards

    Cristian
