Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Web Security Server Administration > Integrating with a third-party SIEM solution
Integrating with a third-party SIEM solution
Web Security Help | Web Security Solutions | Version 7.8.x
Use the Settings > General > SIEM Integration page to configure Websense software to send log data from Filtering Service to a supported Security Information and Event Management (SIEM) solution.
Before using this page to enable SIEM integration, make sure an instance of Websense Multiplexer is installed for each Policy Server in your deployment.
Perform these steps for each Policy Server instance in your deployment.
1.
Select Enable SIEM integration for this Policy Server to turn on the SIEM integration feature.
2.
Provide the IP address or hostname of the machine hosting the SIEM product, as well as the communication Port to use for sending SIEM data.
3.
Specify the Transport protocol (UDP or TCP) to use when sending data to the SIEM product.
4.
Select the SIEM format to use. This determines the syntax of the string used to pass log data to the integration.
*
*
If you select Custom, a text box is displayed. Enter or paste the string that you want to use. Click View SIEM format strings for a set of sample strings to use as a reference or template.
*
If you select a non-custom option, a sample Format string showing fields and value keys is displayed.
5.
Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
When you save your changes, Websense Multiplexer connects to Filtering Service and takes over the job of distributing log data to both Log Server and the selected SIEM integration.
Note that although the same data is passed from Filtering Service to both Log Server and the SIEM product, Log Server may be configured to perform data reduction processing tasks (like recording visits instead of hits, or consolidating log records). Because the SIEM product does not perform these data reduction tasks, there may be more SIEM entries than records in the Log Database.
IPV6 support is available for SIEM and the Websense Multiplexer beginning with 7.8.4.
For more detailed information about the data passed to the SIEM integration, see Integrating Web Security with third-party SIEM products. Subsections of the linked document provide mapping information for category numbers, disposition codes, reason strings, and other information included in the SIEM output.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Web Security Server Administration > Integrating with a third-party SIEM solution
Copyright 2016 Forcepoint LLC. All rights reserved.