Internet activity log records

Topic 50102 / Updated: 24-Jun-2010

Applies To:

Websense Web Filter 7.5 Websense Web Security 7.5

A command-line utility called TestLogServer is included as part of your Websense Web Security installation. This utility displays log traffic sent from Websense Filtering Service to Websense Log Server.

Use TestLogServer to verify that logging data is being sent to Log Server as expected, and to diagnose problems with:

Filtering and policy application

Authentication

Logging

URL categorization and protocol identification

TestLogServer output looks like this:

time=Fri Jul 30 09:15:41 2004 version=3 server=10.1.1.1 source=127.0.0.1 dest=199.181.132.250 protocol= "http" url= "http://espn.com/" port= "80" category= 18 (SPORTS) disposition= 1026 (CATEGORY NOT BLOCKED) app type= "" keyword= "" user= "" bytes sent=331 bytes received=146 duration=0

The information shown includes:

time: exact time that the request was generated, as provided by the Filtering Service machine

server: IP address of the Filtering Service machine

source: IP address from which the request originated. This can be used to verify that Filtering Service is seeing traffic from specific machines.

dest: IP address of the requested (target) URL. Incorrect or missing data can indicate DNS issues, which prevent proper filtering.

protocol: protocol (for example, HTTP, FTP) associated with the request. In the case of non-HTTP filtering, this value can indicate whether or not Filtering Service is classifying protocols correctly.

url: requested (target) URL

port: port number the connection attempted to use

category: Master Database or custom category assigned to the requested URL

disposition: action applied to the request by Filtering Service

keyword: the keyword, if any, used to block a request

user: authenticated user name

bytes: number of bytes sent and received

Run TestLogServer

In order to screen log traffic with TestLogServer without interrupting the flow of log records to Log Server, first launch the utility using parameters that forward all traffic to Log Server, then use TRITON - Web Security to configure Filtering Service to pass log traffic to TestLogServer.

1.	On Log Server machine, open a command prompt (Start > Run > cmd) and navigate to the Websense bin directory (C:\Program Files\Websense\bin, by default).

2.	Start the TestLogServer utility with the following parameters:

testlogserver -port 5555 -forward <IP address>:55805

Provide the IP address of the Log Server machine. If port 5555 is in use, you can use any available port.

If you are running TestLogServer in a production environment at a time of normal or higher traffic loads, you may want to use one or both of the following additional parameters:

-file <filename.txt>

-onlyip <IP address>

The first parameter allows you to redirect traffic to a file for review, rather than having it scroll rapidly across the console. The file is created by default in the Websense bin directory.

The second parameter allows you to monitor traffic only from the IP address specified.

The utility will launch, but no traffic will appear. Now you can redirect traffic to TestLogServer.

3.	In TRITON - Web Security, navigate to the Settings > General > Logging page.

4.	Make sure that the Log Server IP address is correct. This should be the actual IP address of the Log Server machine, and not the loopback address (127.0.0.1), even if Log Server and TRITON - Web Security are installed on the same machine.

5.	Change the port to 5555.

6.	Click Check Status to verify the connection to TestLogServer.

7.	Click OK and then Save All.

8.	If you are in a test environment, or performing this test at a low-traffic period, generate traffic from specific machines while monitoring TestLogServer to verify that the traffic appears.

If you are using the tool in a production environment while normal traffic flow is occurring, and the data is coming too rapidly to process, review step 2 for options for redirecting output or capturing traffic only for a specific machine.

9.	When you are finished, first return to the Settings > General > Logging screen in TRITON - Web Security, and change the logging port back to its original value (55805, by default). Remember to click OK and Save All to cache and then implement your change.

At this point, traffic is sent directly to Log Server and stops appearing in TestLogServer.

10.	In the command window where TestLogServer is running, press Ctrl+C to stop the utility.