Using TestLogServer with Websense Web Filter

Article Number: 000001952
Products: V-Series, Web Security and Filter, Web Security Gateway, Web Security Gateway Anywhere
Versions: 7.0, 7.1, 7.5, 7.6, 7.7

Problem Description

How do I use TestLogServer to evaluate and troubleshoot security policy issues?
 

Resolution

TestLogServer is a command-line utility that displays log traffic sent from Websense Filtering Service to Websense Log Server. You can easily identify Web filtering and/or logging issues by viewing this logging traffic.

  • The TestLogServer utility listens on port 55805, which is the same port used by Websense Log Server. If you start the TestLogServer utility on the same machine as Log Server while the Log Server service is running, you will receive a "Could not bind to port 55805" message.
  • Your options to avoid this error are:
    • Stop the Log Server service. This resolution results in the loss of logging data while the Log Server service is stopped.
    • Allow TestLogServer to capture traffic on an alternate port. This resolution allows Web filtering to continue logging to your reporting database while running the TestLogServer utility. For details, see the How do I run TestLogServer without stopping the Log Server service? article.

 
 

For Websense v7.x and later on Windows:

 
A. Prepare your system to log to TestLogServer:

  • If Log Server and Filtering Service are on separate machines, then configure Filtering Service to log locally.
    1. In TRITON -Web Security, select Settings > General > Logging.
    2. Change the identity of the Log Server to 127.0.0.1.
    3. Click OK and Save ALL.
  • If Log Server and Filtering Service are on the same machine, then open Windows Services control panel and stop Websense Log Server.
    • NOTE: Logging to the Log Database will not occur while the Log Server service is stopped.

 
B. Run TestLogServer on the Filtering Service machine:

  1. Open a command prompt and navigate to the Websense bin folder.
    • On a Windows 2008 server, start the Command Prompt as an administrator.
  2. To see log traffic, enter:
    1. TestLogServer
      1. This command dumps ALL logging traffic to the DOS screen. Logging data populates the command prompt window as outgoing requests are received.
  3. To log data to a text file, enter:
    1. TestLogServer -file logfile.txt
      1. This command logs ALL data to the DOS screen while also writing the same data to logfile.txt, located in the Websense bin folder.
  4. To log data from a specific client, enter:
    1. TestLogServer -onlyip <IP address>
      1. Replace <IP address> with the client machine's IP address. This command populates the DOS window with data as outgoing requests are received from the specific client machine.
  5. To log traffic from a single client machine to a text file, enter:
    1. TestLogServer -onlyip <IP address> -file logfile.txt
      1. This command populates the DOS window and log file as outgoing requests are received from the specific client machine.
      2. Press Ctrl+C to stop TestLogServer.
      3. Review the logfile.txt in the Websense bin directory. Search the specific sites visited for further analysis.

        NOTE: For easy analysis, TestLogServer is generally run by combining the previous two suggestions: receiving traffic from a single machine and logging the data to a text file.
  6. If you configured the identity of Log Server to 127.0.0.1 (localhost) in TRITON -Web Security manager, change it back to the actual IP address of the external Log Server machine.
  7. Press Ctrl+C to stop TestLogServer.
  8. To resume logging to the reporting database, if necessary restart the Websense Log Server service.

 
 
For Websense v7.x and later on Linux:

 
NOTE: While the Websense Filtering Service component can be installed on either Windows or Linux platforms, Log Server is only supported on Windows. In the following instructions, Filtering Service is on a Linux machine. The compatible TestLogServer command on Linux is WebsenseTools -t.
  
 
A. Prepare your system to log to TestLogServer:

  • If Log Server and Filtering Service are on separate machines, configure Filtering Service to log locally.
    1. In TRITON -Web Security, select Settings > General > Logging.
    2. Change the identity of the Log Server to 127.0.0.1.
    3. Click OK and Save ALL.

 
B. Run TestLogServer on the Filtering Service machine:

  1. Open a terminal window and navigate to the /opt/Websense directory.
  2. To see log traffic, enter:
    • ./WebsenseTools -t
      • This command dumps ALL logging traffic to the terminal window. Logging data populates the window as outgoing requests are received.
  3. To log the data to a text file, enter:
    • ./WebsenseTools -t -file log.txt
      • Logging data is written to a file called log.txt located in the /opt/Websense/bin directory.
  4. To log traffic from a single client machine, enter:
    • ./WebsenseTools -t -onlyip <IP address>
      • Replace <IP address> with the client machine's IP address. This command populates the window with data as outgoing requests are received from the specific client machine.
  5. To log traffic from a single client machine to a text file, enter:
    • ./WebsenseTools -t -onlyip <IP address> -file log.txt
      • This command populates the window and log file as outgoing requests are received from the specific client machine.
      • Press Ctrl+C to stop TestLogServer.
      • Review the log.txt in the /opt/Websense/bin directory. Search the specific sites visited for further analysis.

        NOTE: For easy analysis, TestLogServer is generally run by combining the previous two suggestions: receiving traffic from a single machine and logging the data to a text file.
  6. If you configured the identity of Log Server to 127.0.0.1 (localhost) in TRITON -Web Security manager, change it back to the actual IP address of the external Log Server machine.
  7. Press Ctrl+C to stop TestLogServer.

Notes & Warnings

For version 7.6, the default directory for 'new' installs is C:\Program Files\Websense\Web Security\ (32-bit machines) or C:\Program Files (x86)\Websense\Web Security\ (64 bit machines). The directory for upgrades to v7.6 is C:\Program Files\Websense\.
 
WARNING: 

  • NOTE
    • The following steps detail enabling the TestLogServer utility to collect important diagnostic data. While data is being collected, no traffic is logged to your Reporting Database.
    • The TestLogServer utility and Log Server require the same port. If TestLogServer is run on the same machine as Log Server, it is necessary to stop the Log Server service. If Log Server is not stopped, the following error is seen:
      Could not bind to port 55805. (Is it already in use?)
    • After completing your diagnostics, restart Log Server to resume logging to your Reporting Database. If TestLogServer was run on a separate machine from Log Server, open Websense Manager and reset the Logging IP address back to the original IP.

 
 
Additional Information 
 
 
TestLogServer is one of several diagnostic utilities included as part of your Websense installation, and can be used to diagnose the following issues.

  • Incorrect filtering
  • Incorrect authentication
  • Incorrect policy application
  • Logging issues
  • Problems with URL categorization
  • Protocol identification

 
The following is a sample of traffic sent to the TestLogServer:

 
time= Sun Sep 18 17:04:48 2011   version= 5
server= 10.212.9.212  source= 10.212.9.212  dest= 174.76.227.94
URL=
http://www.microsoft.com
protocol= 1 - http  port= 80  networkDirection= Inbound
method=
contentType =
category= 9 - INFORMATION TECHNOLOGY
categoryReason= 0 - CatNone
disposition= 1026 - Category Not Blocked
roleId= 0
user= WinNT://TESTADW2K3/jsmith
bytes sent= 421  bytes received= 341
  duration= 142000 ms   scan duration= 0 ms
policyName=
 

 
The following data is displayed in TestLogServer:

  • time: exact time that the request was generated (from the Filtering Service machine).
  • server: IP address of the Filtering Service machine.
  • source: IP address of the requesting workstation. Use this information to verify that Filtering Service is seeing the correct traffic.
  • dest: IP address (destination) of the requested URL. Incorrect or missing data can indicate DNS issues (in which case filtering will not occur properly).
  • protocol: protocol (http, ftp, etc.) associated with the request. In the case of non-http filtering, this value can indicate whether or not Filtering Service is classifying protocols correctly.
  • url: destination URL for the request.
  • port: number of the port that the connection attempted to use.
  • category: Websense category of the requested URL. Determine if the category of this site is correct. If it is not, you may decide to submit it to the Websense database team for recategorization, or you might recategorize it yourself in Websense Manager as a custom URL.
  • disposition: how the request was handled by Filtering Service. Use this value to determine if Filtering Service blocked or permitted the site according to the filtering policy you applied.
  • keyword: indicates the keyword used to block a request
  • user: authenticated user name
  • bytes: displays bytes sent and bytes received. These values may indicate performance problems with Filtering Service.
  • Duration: The total time, in seconds, that it took to retrieve the HTML data and images from the actual site. This does not include time spent viewing the site once it has been completely loaded onto the user's machine.
    • This information is passed to Websense by the Integration. Certain integrations, such as PIX, do not currently have the ability to do this, so Network Agent is installed to pass Bytes Transferred and Duration.
  • Policy Name: The Policy name. This data may not be available in your Websense version.
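When TestLogServer has been run with -file, the resulting text file can be checked with a script rather than read by eye. The following Python parser is an added example, not code from the article or from Websense; it assumes that every "key= value" pair in a record is separated from the next key by at least two spaces (as in the sample above) and that a value on a line of its own (the URL) belongs to the preceding key. The second record in the constructed sample, with an empty dest, is assumed and illustrates the DNS symptom the field list describes.

```python
import re
from collections import Counter

# A key is letters/spaces at line start or after two or more spaces, then "=".
KEY_RE = re.compile(r"(?:^|(?<=\s{2}))([A-Za-z][A-Za-z ]*?)\s*=")

# Constructed sample: the article's record (trimmed) plus a second, assumed record
# whose dest is empty, the DNS symptom described in the field list above.
SAMPLE = """\
time= Sun Sep 18 17:04:48 2011   version= 5
server= 10.212.9.212  source= 10.212.9.212  dest= 174.76.227.94
URL=
http://www.microsoft.com
protocol= 1 - http  port= 80  networkDirection= Inbound
contentType =
category= 9 - INFORMATION TECHNOLOGY
disposition= 1026 - Category Not Blocked
user= WinNT://TESTADW2K3/jsmith
bytes sent= 421  bytes received= 341
  duration= 142000 ms   scan duration= 0 ms
time= Sun Sep 18 17:05:02 2011   version= 5
server= 10.212.9.212  source= 10.212.9.250  dest=
URL=
http://intranet.example.test/login?user=jsmith
disposition= 1026 - Category Not Blocked
"""

def parse_records(text):
    """One dict per record; a record starts at a line whose first key is 'time'."""
    records, current, last_key = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        matches = list(KEY_RE.finditer(line))
        if matches and matches[0].group(1) == "time":
            records.append(current := {})
        if current is None:
            continue
        if not matches:  # no "key=" here: the value continues on its own line (URL)
            current[last_key] = (current[last_key] + " " + line).strip()
            continue
        for i, m in enumerate(matches):
            end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            last_key = m.group(1).strip()
            current[last_key] = line[m.end():end].strip()
    return records

def summarize(records):
    # (source, disposition) counts, plus URLs whose dest is empty (possible DNS problem).
    by_source = Counter((r.get("source", ""), r.get("disposition", "")) for r in records)
    no_dest = [r.get("URL", "") for r in records if not r.get("dest")]
    return by_source, no_dest
```

Feed the contents of logfile.txt (or log.txt on Linux) to parse_records in place of SAMPLE; the (source, disposition) counts show at a glance whether a client's requests were blocked or permitted, and the no_dest list points at requests the Filtering Service could not resolve.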
     



To see a full listing of options, type TestLogServer -help. The output follows:

  • C:\Program Files (x86)\Websense\Web Security\bin>TestLogServer -help
     
    TestLogServer version 7.6.0
     
    Usage: TestLogServer [-help] [-raw] [-noprettyprint] [-nopp] [-file filename]
                         [-port portNumber] [-forward addr:port] [-version1]
                         [-onlyip ip]  [-iprange start_ip end_ip]
     
    Options:
       -help               Display this help information
       -raw                Display raw received data
       -noprettyprint      Don't display formatted information
       -nopp               Same as -noprettyprint
       -file filename      Write received information into a file
       -port portNumber    Port to listen on
       -forward addr:port  Forward data to another log server at addr:port
       -version1           Force version 1 logging
       -onlyip             Only display records from this source address
       -iprange            Only display records from sources in this IP range

 
 

To avoid losing logging data while running TestLogServer, see the following article:
