Not getting username in Websense proxy logs
Hi, I am unable to capture the username field in Websense proxy logs. The logs are being captured through the syslog setup. The username field is showing as "-" in most of the logs. Some of the logs do populate the username field correctly, but more than 90% of the logs are showing "-".
This setup used to work perfectly and we are unable to identify any issue on the Websense proxy side, as the logs are generating correctly on the proxy.
From the last time I connected a Forcepoint/Websense proxy, the username was available as a regular username or as LDAP CN.
This is probably an issue with Websense syslog and not related to ArcSight, so you should contact Websense support.
Just to be sure, view the syslog in Wireshark to be sure the username doesn't appear there.
The logs for my Websense proxy by default show the username as LDAP CN. This has been the same since the start, so I don't think the issue is there. I was receiving the proper logs some time back, but the username stopped showing up in the logs all of a sudden. However, some of the usernames do show up in the logs, but it's like 10% of the total logs.
1) ArcSight Connectors Documentation:
2) Please let me know which SmartConnector you are using from the above link for your use case?
3) Is this supported by some Out-Of-The-Box SmartConnector noted under item 1) (for example, it is stated in the guide and the version that you have matches)?
4) It is important that Product/Events are supported by an Out-Of-The-Box SmartConnector (that it is noted in the guide), as only then can you expect correct parsing/mapping of data from the Syslog event to ArcSight fields.
Thank you for the input, this explains why it is not on the list of SmartConnectors.
Seems that I am back in office after short Christmas break but my brain is still on vacation 🙂
According to the latest input from David that Websense is CEF, this simplifies troubleshooting:
a) enable RAW event on SmartConnector
b) wait for events to populate for example ESM Active Channel
c) check which fields are populated
d) open RAW event
e) compare it to CEF standard:
f) from RAW events you will see "CEF Key Name" and according to that it is mapped to ArcSight Field
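A check along the lines of steps a) to f), added here as an example rather than code from the thread or from ArcSight/Websense: it pulls the CEF payload out of each syslog line, splits header and extension, and counts how many events carry a real `suser` value versus the "-" placeholder or no user key at all. The sample lines, the `Websense|Proxy|0.0` header values and the `suser`/`duser` key choice are constructed assumptions; the real key names are whatever the RAW event shows.

```python
import re
from collections import Counter

# Constructed sample syslog lines wrapping a CEF payload; not real Websense/Forcepoint output.
SAMPLE_LINES = [
    # username populated (syslog priority/timestamp/host precede the CEF payload)
    "<134>Jan  5 10:00:01 proxy1 CEF:0|Websense|Proxy|0.0|1|Transaction permitted|1|src=10.0.0.5 suser=jdoe request=http://example.com/?q\\=1 act=permitted",
    # the '-' placeholder discussed in the thread
    "<134>Jan  5 10:00:02 proxy1 CEF:0|Websense|Proxy|0.0|1|Transaction permitted|1|src=10.0.0.6 suser=- request=http://example.org/ act=permitted",
    # user key absent altogether
    "<134>Jan  5 10:00:03 proxy1 CEF:0|Websense|Proxy|0.0|2|Transaction blocked|5|src=10.0.0.7 request=http://example.net/ act=blocked",
    "<134>Jan  5 10:00:04 proxy1 heartbeat ok",  # not a CEF event
]

CEF_HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def parse_cef(line):
    """Split a CEF line into (header dict, extension dict); raises ValueError if it is not CEF."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF event")
    # Seven header fields separated by unescaped '|'; everything after the seventh is the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = dict(zip(CEF_HEADER, (p.replace(r"\|", "|") for p in parts[:7])))
    ext = {}
    # Extension values may contain spaces, so split only at whitespace that precedes the next key.
    for token in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        ext[key] = value.replace(r"\=", "=").replace("\\\\", "\\")
    return header, ext

def username_coverage(lines, user_keys=("suser", "duser")):
    """Classify each event by whether a CEF user key is present and carries a real value."""
    counts = Counter()
    for line in lines:
        try:
            _, ext = parse_cef(line)
        except ValueError:
            counts["unparsed"] += 1
            continue
        user = next((ext[k] for k in user_keys if k in ext), None)
        if user is None:
            counts["missing_key"] += 1
        elif user == "-":
            counts["placeholder"] += 1
        else:
            counts["populated"] += 1
    return counts
```

Run over a RAW event export, a high `placeholder` or `missing_key` count confirms the value is absent before the SmartConnector maps anything, which points at the proxy side rather than the CEF mapping.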
I am using the syslog daemon NG for this connector. The issue here is that I have received the correct logs for a long time, but they stopped coming all of a sudden. So, I don't think it is a matter of out-of-the-box support!
The question here is: are you getting the information in the RAW event? I mean, if the information does not come, how should the SmartConnector map it?
This all looks like an issue on the source (the information does not come via the RAW event), as CEF is just mapping the values to the assigned ArcSight Fields.