You are here: Docs>Sheriff Web>UserGuides>SheriffCSMDocumentation>DeploymentGuide>PluginManagement>ConfigureLogForwardingOnCommonlyUsedDataSources>WebsenseWebSecurity7 (27 Jun 2022, SheriffCyberSecurity)Edit Attach
Up
Previous Next

Sheriff CSMâ„¢

Websense Web Security 7

When you configure Websense Web Security 7 to send log data to Sheriff CSM, you can use the websense7 plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information
DeviceDetails
Vendor Websense
Device Type Firewall
Connection Type Syslog
Data Source Name Websense7
Data Source ID 19005

Note: Websense Web Security 7 currently describes release versions 7.6 through 7.9. Another plugin named websense is available for integration with earlier versions of the Websense Web Security Gateway product. In addition, there is a triton plugin for versions of the Web Security Gateway product released after ForcePoint acquired Websense.

Integrating Websense Web Security 7

Each Websense Web Security policy server instance in your deployment must be configured to send log data to a Sheriff CSM Deputy over the Syslog protocol.

To configure Websense Web Security to send log data to Sheriff CSM

Note: Before using this page to enable Sheriff CSM integration, make sure that an instance of Websense Multiplexer is installed for each policy server in your environment.
  1. Go to Settings > General > SIEM Integration.

  2. Select Enable SIEM integration for this Policy Server to enable SIEM integration.

  3. Provide the IP address or hostname of the machine hosting Sheriff CSM, as well as the communication port to use for sending data.

  4. Specify the Transport protocol (UDP) to use when sending data to the SIEM product (Sheriff CSM).

  5. Select the SIEM format to use. This determines the syntax of the string used to pass log data to the integration.

    • The available formats are syslog/CEF (ArcSight), syslog/key-value pairs (Splunk and others), syslog/LEEF (QRadar), and Custom. Choose syslog/key-value pairs (Splunk and others).

      If you select a non-custom option, a sample Format string showing fields and value keys is displayed.

  6. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

After you save your changes, Websense Multiplexer connects to the Filtering Service and takes over the job of distributing log data to both Log Server and the selected SIEM (Sheriff CSM) integration.

Note: Although the same data is passed from the WebSense Filtering Service to both Log Server and the SIEM product, Log Server may be configured to perform data reduction processing tasks, like recording visits instead of hits, or consolidating log records. Because the SIEM product does not perform these data reduction tasks, there may be more SIEM entries than records in the Log Database.

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

For troubleshooting, see the vendor documentation.
Edit  | Attach | Print version | History: r8 < r7 < r6 < r5 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r8 - 27 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.