Configuring Log Server

Web Security Help | Web Security Solutions | Version 7.8.x

During installation, you configure certain aspects of Log Server operation, including how Log Server interacts with policy enforcement components. Use the Settings > Reporting > Log Server page to update these settings, or to configure other details about Log Server operation.

When you finish your configuration updates, click OK to cache your changes. Changes are not saved until you click Save and Deploy.

If you make changes to the database connection, after saving and deploying the changes, also restart the Websense TRITON - Web Security service on the management server machine to update the database connection for all reporting tools.

In multiple Log Server environments, the settings configured on this page apply to the Log Server instance assigned to the Policy Server whose IP address appears on the Web Security toolbar.


	Note The Settings > Reporting > Log Server page replaces the Log Server Configuration Utility, which was used to perform these tasks in previous versions.

Verify basic Log Server details

Under Location, verify the Log Server IP address. If necessary, use the Port field to update the port over which Log Server communicates with Filtering Service (55805, by default).

This port must match the logging port displayed on the Settings > General > Logging page.

Configure the Log Database connection

Under Log Database Connection, configure the ODBC connection that Log Server uses to connect to the Log Database.

Specify the ODBC Data source name (DSN) and enter a unique Description for the database connection.

Provide the SQL Server location (IP address or hostname and instance name, if applicable) for the Microsoft SQL Server installation that hosts the Log Database, as well as the Connection port for sending data to the Log Database (1433, by default).

If your environment uses SQL Server clustering, enter the virtual IP address for the cluster.

Enter the name of the Default database (wslogdb70, by default).

Indicate whether or not to Use SSL to connect to the Log Database. When SSL encryption is enabled:

BCP cannot be used to add records to the Log Database.

Log Database connections are slower, affecting reporting performance.


	Important When Microsoft SQL Server components are configured so that "Trust Server Certificate" is set to No (the default), self-signed SSL certificates are not accepted for encryption of database connections. In this case, SSL certificates signed by a Certificate Authority must be properly deployed to the SQL Server, TRITON management server, and Log Server machines before you enable the "Use SSL" option in the Web Security manager. See your SQL Server documentation for information about database encryption.

Specify a Log Server connection method:

By default, SQL Server authentication is selected. To use SQL Server authentication, provide the SQL Server Account and Password to use.

Alternatively, you can use a Windows trusted connect (network logon account). The Websense Log Server service must be configured to run as this account.

Click Test Connection to verify that it is possible to connect to the Log Database using the credentials provided.

For information about the tests performed when you click the button, see Testing the Log Database connection.

Specify how log records are processed into the database

Click Log Record Creation to specify how Log Server adds records to the Log Database.

ODBC (Open Database Connectivity) inserts records into the database individually, using a database driver to manage data between Log Server and Log Database.

If you select this option, also set the Maximum number of connections to specify how many internal connections can be made between Log Server and the database engine.

Select a value between 4 and 50, as appropriate for your SQL Server license.


	Note Increasing the number of connections can increase processing speed for log records, but could impact other processes in the network that use the same SQL Server. In most cases, you should set the number of connections to fewer than 20. Contact your Database Administrator for assistance.

BCP (Bulk Copy Program) (recommended) inserts records into the Log Database in batches. This option offers better efficiency than ODBC insertion, and is selected by default if the bcp.exe file is found on the machine.

The BCP option is available only if you install the SQL Server Native Client and Command Line Utilities on the Log Server machine.

BCP cannot be used when SQL Server SSL encryption is used.

If you select the BCP option, also specify:


Option	Description
BCP file location	Directory path for storing BCP files. Log Server must have read and write access to the location. (The default folder is C:\Program Files or Program Files (x86)\Websense\Web Security\bin\Cache\BCP\.) After entering the path, click Test Location to verify that the location is accessible.
File creation rate	Maximum number of minutes Log Server spends placing records into a batch file before closing that batch file and creating a new one. This setting works in combination with the batch size setting: Log Server creates a new batch file as soon as either limit is reached.
Maximum batch size	Maximum number of log records before a new batch file is created. This setting works in combination with the creation rate setting: Log Server creates a new batch file as soon as either limit is reached.

After selecting a log record insertion method, click Log Cache Files to specify where and how log cache files are created. These provide temporary storage for log records that have not yet been processed into the Log Database or moved to BCP files.

For Cache location, indicate where on the Log Server machine logging cache files are stored (C:\Program Files or Program Files (x86)\Websense\Web Security\bin\Cache\, by default).

Click Test Location to verify that the path is accessible.

For Cache file creation rate, indicate the maximum number of minutes (1, by default) Log Server should spend sending Internet access information to a log cache file before closing it and creating a new file.

For Maximum cache file size, specify how large a log cache file should be before Log Server closes it and creates a new one.

The file creation rate and maximum file size settings work in combination: Log Server creates a new log cache file as soon as either limit is reached.

Adjust database sizing settings

Configure Database Size Management settings to meet your organization's needs. The higher the level of detail recorded, the larger the Log Database.

To minimize the size of the Log Database, mark Enable log record consolidation. This combines multiple, similar Internet requests into a single log record, reducing the granularity of reporting data.

If you have enable SIEM integration, note that Log Server applies consolidation to the log records that it processes into the Log Database. Consolidation does not occur for records passed to the SIEM product.

When consolidation is enabled, requests that share all of the following elements are combined into a single log record:

Domain name (for example: www.websense.com)

Category

Keyword

Action (for example: Category Blocked)

User/IP address

The log record includes the number of requests combined into the consolidated record, as well as the total bandwidth for all of the consolidated requests.

Reports run faster when the Log Database is smaller. However, consolidation may decrease the accuracy of some detail reports, as separate records for the same domain name may be lost.


	Important To assure consistent reports, create a new database partition whenever you enable or disable consolidation. Also, be sure to generate reports from partitions with the same consolidation setting.

With Websense Web Security Gateway (Anywhere), when consolidation is enabled, numbers shown in reports that include traffic blocked by scanning are lower than the numbers shown on scanning-specific reports. This is a side-effect of the way that scanning activity is recorded.

If you enable consolidation, also specify the Consolidation time interval. This represents the greatest allowable time difference between the earliest and latest records combined to make one consolidation record.

Decrease the interval to increase granularity for reporting. Increase the interval to maximize consolidation. Be aware that a larger interval can also increase usage of system resources, such as memory, CPU, and disk space.

If you enable full URL logging on the Settings > Reporting > Log Database page, consolidated log records contain the full path (up to 255 characters) of the first matching site Log Server encounters.

For example, suppose a user visited the following sites and all were categorized in the shopping category.

www.domain.com/shoeshopping

www.domain.com/purseshopping

www.domain.com/jewelryshopping

With full URL logging enabled, consolidation creates a single log entry showing 3 requests for the URL www.domain.com/shoeshopping.

Under Hits and Visits, use the Enable visits check box to indicate the level of granularity recorded for each user Internet request.


	Note It is best to create a new database partition prior to changing the method of logging between visits and hits. See the Settings > Reporting > Log Database page to create a new database partition.

When this option is not selected, a separate log record is created for each HTTP request generated to display different page elements, including graphics, advertisements, embedded videos, and so on. Also known as logging hits, this creates a much larger Log Database that grows rapidly.

When this option is selected, Log Server combines the individual elements that create the web page (such as graphics and advertisements) into a single log record that includes bandwidth information for all elements of the visit.

With Websense Web Security Gateway (Anywhere), when visits are enabled, numbers shown in reports that include traffic blocked by scanning are lower than the numbers shown on scanning-specific reports. This is a side-effect of the way that scanning activity is recorded.

Configure User Service communication

Click the User Service Connection button, then use the User and group update interval field to indicate how often Log Server connects to User Service to retrieve full user name and group assignment information (ever 12 hours, by default).

Activity for a user whose user name or group information has changed continues to be reported with the original user name or group assignment until the next update occurs. Organizations that update their directory service frequently or have a large number of users should consider updating the user/group information more frequently.