
Vendor - Forcepoint

Product - Webprotect (Websense)

Ref Link
Splunk Add-on: https://splunkbase.splunk.com/app/2966/
Product Manual: http://www.websense.com/content/support/library/web/v85/siem/siem.pdf

Sourcetypes

sourcetype     | notes
---------------|------
websense:cg:kv | None

Sourcetype and Index Configuration

key                   | sourcetype     | index    | notes
----------------------|----------------|----------|------
forcepoint_webprotect | websense:cg:kv | netproxy | none

Filter type

MSG Parse: This filter parses message content

Setup and Configuration

  • Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is used exclusively, the add-on is not required on the indexer.
  • Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
  • Refer to the admin manual for the specific configuration steps to send Reliable syslog using the RFC 3195 format. A typical logging configuration will include the following features.

Options

Variable                                    | default      | description
--------------------------------------------|--------------|------------
SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT  | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers
SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT  | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers
SC4S_ARCHIVE_FORCEPOINT_WEBPROTECT          | no           | Enable archive to disk for this specific source
SC4S_DEST_FORCEPOINT_WEBPROTECT_HEC         | no           | When Splunk HEC is disabled globally, set to yes to enable this specific source
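The following is an added example, not code from the SC4S project, that ties the Setup step (the splunk_metadata.csv override) to the Options table above: it validates the values an operator would choose and renders the csv lines and the env-file lines. The metadata key forcepoint_webprotect, the sourcetype, the default index and the variable names are the ones on this page; the csv column layout (key,metadata,value) and the env-file path used in the comments are assumptions about a typical SC4S deployment and should be checked against the SC4S administration documentation.

```python
"""Render SC4S settings for a Forcepoint WebProtect source (added example).

Produces the lines for splunk_metadata.csv (assumed layout: key,metadata,value)
and the KEY=value lines for the SC4S env file, validating the inputs first so
a typo in a port list or index name is caught before the container restarts.
"""
from typing import Iterable

METADATA_KEY = "forcepoint_webprotect"              # key from the page
DEFAULT_INDEX = "netproxy"                          # default index from the page
DEFAULT_SOURCETYPE = "websense:cg:kv"               # sourcetype from the page
LISTEN_PREFIX = "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_"  # variable prefix from the page


def port_list(ports: Iterable[int]) -> str:
    """Validate TCP/UDP ports and join them into the comma-separated form SC4S expects."""
    cleaned = []
    for port in ports:
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"invalid port number: {port!r}")
        cleaned.append(str(port))
    if not cleaned:
        raise ValueError("at least one port is required")
    return ",".join(cleaned)


def metadata_overrides(index: str = DEFAULT_INDEX,
                       sourcetype: str = DEFAULT_SOURCETYPE) -> list:
    """Lines to append to splunk_metadata.csv to override index and sourcetype.

    The csv is comma separated, so a value containing a comma or whitespace would
    silently corrupt the file; reject it here instead.
    """
    for name, value in (("index", index), ("sourcetype", sourcetype)):
        if not value or "," in value or any(ch.isspace() for ch in value):
            raise ValueError(f"invalid {name} value: {value!r}")
    return [f"{METADATA_KEY},index,{index}",
            f"{METADATA_KEY},sourcetype,{sourcetype}"]


def env_settings(tcp_ports: Iterable[int] = (), udp_ports: Iterable[int] = (),
                 archive: bool = False, hec: bool = False) -> dict:
    """Map the options from the page to the values SC4S reads from its env file.

    Only settings that differ from the page's defaults are emitted, so the
    rendered file documents exactly what was changed for this source.
    """
    settings = {}
    tcp_ports, udp_ports = list(tcp_ports), list(udp_ports)
    if tcp_ports:
        settings[LISTEN_PREFIX + "TCP_PORT"] = port_list(tcp_ports)
    if udp_ports:
        settings[LISTEN_PREFIX + "UDP_PORT"] = port_list(udp_ports)
    if archive:
        settings["SC4S_ARCHIVE_FORCEPOINT_WEBPROTECT"] = "yes"
    if hec:
        # Only meaningful when HEC has been disabled globally (see the table above).
        settings["SC4S_DEST_FORCEPOINT_WEBPROTECT_HEC"] = "yes"
    return settings


def render_env(settings: dict) -> str:
    """Serialise the settings as KEY=value lines, one per line, sorted for stable diffs."""
    return "".join(f"{key}={value}\n" for key, value in sorted(settings.items()))


if __name__ == "__main__":
    # Assumed locations in a typical SC4S install; adjust to the deployment.
    print("# append to /opt/sc4s/local/context/splunk_metadata.csv")
    print("\n".join(metadata_overrides(index="netproxy")))
    print("# add to /opt/sc4s/env_file")
    print(render_env(env_settings(tcp_ports=[5514], udp_ports=[5514], archive=False)),
          end="")
```

Dedicated ports (one per vendor product, as the listen variables allow) are what make the metadata key deterministic for this source even when the syslog message itself would not be recognised by the filter; keep the same ports reserved on the WebProtect side so the two configurations stay in step.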

Verification

An active proxy will generate frequent events. In addition, WebProtect has the ability to test logging functionality using a built-in command.

index=<asconfigured> sourcetype=websense:cg:kv
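Once the search above returns events, the next thing to verify is that the key=value body actually carries the fields the add-on will extract. The following added example (not part of the page, the add-on or SC4S) parses one raw event of the kind that lands in the websense:cg:kv sourcetype and reports anything missing. The sample line is constructed; the syslog PRI/header layout is standard, but the field names (vendor, product, action, src_host, dst_host, url and so on) are assumptions in the style of the Websense SIEM key=value format and should be checked against the product manual linked above.

```python
"""Check a websense:cg:kv event for the fields the add-on expects (added example).

The sample event is constructed for this example and is not a real capture;
the field names are assumed from the Websense SIEM key=value style.
"""
import re

# Constructed sample: syslog PRI, BSD timestamp, host, then key=value pairs.
SAMPLE_EVENT = (
    "<158>Jan 12 10:15:01 wse-proxy01 vendor=Websense product=Security "
    "product_version=8.5.0 action=blocked severity=5 category=66 user=jdoe "
    "src_host=10.1.2.3 src_port=51234 dst_host=example.test dst_port=443 "
    "bytes_out=512 bytes_in=0 http_response=403 http_method=GET "
    "reason=- policy=ws-default url=https://example.test/download"
)

# Fields a proxy detection or report would normally rely on (assumed names).
REQUIRED_FIELDS = ("vendor", "product", "action", "src_host", "dst_host", "url")

_PRI = re.compile(r"^<(\d{1,3})>")
# key=value pairs; values are either a double-quoted string or a run of non-space chars.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_kv_event(line: str) -> dict:
    """Split the syslog header from the key=value body and decode both.

    Returns pri/facility/severity from the PRI, the header text, and a dict of
    fields in which the Websense placeholder "-" is mapped to None.
    """
    pri_match = _PRI.match(line)
    pri = int(pri_match.group(1)) if pri_match else None
    first_kv = re.search(r"\b\w+=", line)
    if first_kv is None:
        raise ValueError("no key=value body found")
    header_start = pri_match.end() if pri_match else 0
    header = line[header_start:first_kv.start()].strip()
    body = line[first_kv.start():]
    fields = {}
    for key, value in _KV.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = None if value == "-" else value
    return {
        "pri": pri,
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "header": header,
        "fields": fields,
    }


def missing_fields(fields: dict) -> list:
    """Names from REQUIRED_FIELDS that are absent or carry the '-' placeholder."""
    return [name for name in REQUIRED_FIELDS if not fields.get(name)]


if __name__ == "__main__":
    event = parse_kv_event(SAMPLE_EVENT)
    print("header:", event["header"], "facility:", event["facility"])
    print("action:", event["fields"]["action"], "url:", event["fields"]["url"])
    print("missing:", missing_fields(event["fields"]) or "none")
```

Running this against a handful of lines from the SC4S archive (enabled with SC4S_ARCHIVE_FORCEPOINT_WEBPROTECT) is a quick way to confirm the proxy is sending the full key=value body rather than a truncated message before relying on the Splunk search.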