Contributor.

Not getting username in Websense proxy logs

Hi, I am unable to capture the username field in Websense proxy logs. The logs are being captured through the syslog setup. The username field is showing as "-" in most of the logs. Some of the logs do populate the username field correctly, but more than 90% of the logs are showing "-".

This setup used to work perfectly and we are unable to identify any issue on the Websense proxy side, as the logs are generating correctly on the proxy.

Outstanding Contributor.

Hello

From the last time I connected a Forcepoint/Websense proxy, the username was available as a regular username or as an LDAP CN.

This is probably an issue with Websense syslog and not related to ArcSight, so you should contact Websense support.

Just to be sure, view the syslog in Wireshark to confirm the username doesn't appear there.

Best regards

David

Contributor.

Hi David,

The logs for my Websense proxy by default show the username as the LDAP CN. This has been the same since the start, so I don't think the issue is there. I was receiving the proper logs some time back, but the username stopped showing up in the logs all of a sudden. However, some of the usernames do show up in the logs, but it's like 10% of the total logs.

Acclaimed Contributor.

Hello,

1) ArcSight Connectors Documentation:
https://community.softwaregrp.com/t5/ArcSight-Connectors/tkb-p/connector-documentation

2) Please let me know which SmartConnector from the link above you are using for your use case?

3) Is this supported by some Out-Of-The-Box SmartConnector noted under item 1) (for example, it is stated in the guide and the version that you have matches)?

4) It is important that the Product/Events are supported by an Out-Of-The-Box SmartConnector (that it is noted in the guide), as only then can you expect correct parsing/mapping of data from the Syslog event to ArcSight fields.

Regards,

Marijo

Outstanding Contributor.

Hello Marijo

This product sends CEF 🙂

Best regards

David

Acclaimed Contributor.

Hello David,

Thank you for the input; this explains why it is not on the list of SmartConnectors.

Seems that I am back in the office after a short Christmas break, but my brain is still on vacation 🙂

Regards,

Marijo

Acclaimed Contributor.

According to the latest input from David that Websense is CEF, this simplifies troubleshooting:
a) enable RAW event on the SmartConnector
b) wait for events to populate, for example, an ESM Active Channel
c) check which fields are populated
d) open the RAW event
e) compare it to the CEF standard:
https://community.softwaregrp.com/t5/ArcSight-Connectors/ArcSight-Common-Event-Format-CEF-Guide/ta-p/1589306
f) from the RAW events you will see the "CEF Key Name", and according to that it is mapped to an ArcSight Field

Regards,

Marijo

Contributor.
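To make steps c) to f) concrete, here is an added example (not code from the thread, ArcSight or Websense) that pulls the CEF payload out of raw syslog lines and tallies, per the CEF extension key, whether the source user is populated, the "-" placeholder, or absent entirely; the sample lines and their field layout are constructed, and `suser` is assumed to be the key the proxy uses for the username.

```python
import re
from collections import Counter

# Constructed sample syslog lines carrying CEF payloads (not real Websense output).
# Line 4 carries an LDAP CN with CEF-escaped '=' and a value containing a space.
SAMPLE_LINES = [
    '<134>Jan 10 10:00:01 proxy1 CEF:0|Websense|Proxy|1.0|100|Web request|3|src=10.0.0.5 dst=93.184.216.34 suser=jdoe request=http://example.com/ act=Allowed',
    '<134>Jan 10 10:00:02 proxy1 CEF:0|Websense|Proxy|1.0|100|Web request|3|src=10.0.0.6 dst=93.184.216.34 suser=- request=http://example.com/ act=Allowed',
    '<134>Jan 10 10:00:03 proxy1 CEF:0|Websense|Proxy|1.0|100|Web request|3|src=10.0.0.7 dst=93.184.216.34 request=http://example.com/ act=Blocked',
    '<134>Jan 10 10:00:04 proxy1 CEF:0|Websense|Proxy|1.0|100|Web request|3|src=10.0.0.8 dst=93.184.216.34 suser=CN\\=Jane Roe,OU\\=Users request=http://example.com/a b act=Allowed',
]

HEADER_NAMES = ['cef_version', 'vendor', 'product', 'version', 'signature_id', 'name', 'severity']
# A CEF extension key starts the string or follows whitespace and is directly followed by '='.
KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')


def parse_extension(ext):
    """Split the CEF extension into {key: value}; values may contain spaces and escaped '=' / '\\'."""
    fields = {}
    matches = list(KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        fields[m.group(1)] = re.sub(r'\\([=\\])', r'\1', raw)  # undo CEF escaping
    return fields


def parse_cef(line):
    """Return (header, extension) dicts for a syslog line with a CEF payload, or None."""
    idx = line.find('CEF:')
    if idx < 0:
        return None
    parts = re.split(r'(?<!\\)\|', line[idx:], maxsplit=7)  # 7 header fields + extension
    if len(parts) != 8:
        return None
    header = {n: p.replace('\\|', '|') for n, p in zip(HEADER_NAMES, parts[:7])}
    header['cef_version'] = header['cef_version'][len('CEF:'):]
    return header, parse_extension(parts[7])


def username_coverage(lines, key='suser'):
    """Tally events whose user key is populated, the '-' placeholder, or absent at the raw level."""
    tally = Counter()
    for line in lines:
        parsed = parse_cef(line)
        if parsed is None:
            tally['not_cef'] += 1
            continue
        value = parsed[1].get(key)
        tally['absent' if value is None else 'placeholder' if value == '-' else 'populated'] += 1
    return tally


if __name__ == '__main__':
    print(dict(username_coverage(SAMPLE_LINES)))
```

Run it against a capture of the real raw events (step d) instead of the constructed sample: if "placeholder" dominates there too, the value is missing before the SmartConnector ever maps it, which is the point Marijo makes.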

Hi Marijo,

I am using the syslog daemon NG for this connector. The issue here is that I have received the correct logs for a long time, but they stopped coming all of a sudden. So, I don't think it is a matter of out-of-the-box support!

Acclaimed Contributor.

Hello,

The question here is: are you getting the information in the RAW event? I mean, if the information does not come, how should the SmartConnector map it?

This all looks like an issue on the source (the information does not come via the RAW event), as CEF is just mapping the values to the assigned ArcSight Fields.

Regards,

Marijo
