Configuring Log Server
Administrator Help | Forcepoint Web Security and Forcepoint URL Filtering | v8.5.x
During installation, you configure certain aspects of Log Server operation, including how Log Server interacts with policy enforcement components. Use the Settings > Reporting > Log Server page to update these settings, or to configure other details about Log Server operation.
When you finish your configuration updates, click OK to cache your changes. Changes are not saved until you click Save and Deploy.
If you make changes to the database connection, after saving and deploying the changes, also restart the Websense TRITON - Web Security service on the management server machine to update the database connection for all reporting tools.
In multiple Log Server environments, the settings configured on this page apply to the Log Server instance assigned to the Policy Server whose IP address appears on the Web Security toolbar.
Verify basic Log Server details
Under Location, verify the Log Server IP address. If necessary, use the Port field to update the port over which Log Server communicates with Filtering Service (55805, by default).
This port must match the logging port displayed on the Settings > General > Logging page.
Configure the Log Database connection
Under Log Database Connection, configure the ODBC connection that Log Server uses to connect to the Log Database.
1. Specify the ODBC Data source name (DSN) and enter a unique Description for the database connection.
2. Provide the SQL Server location (IP address or hostname and instance name, if applicable) for the Microsoft SQL Server installation that hosts the Log Database, as well as the Connection port for sending data to the Log Database (1433, by default).
 
3.
4. Enter the name of the Default database (wslogdb70, by default).
5. Indicate whether or not to Use SSL to connect to the Log Database. When SSL encryption is enabled:
*
*
 
Important 
When Microsoft SQL Server components are configured so that "Trust Server Certificate" is set to No (the default), self-signed SSL certificates are not accepted for encryption of database connections.
6.
* By default, SQL Server authentication is selected. To use SQL Server authentication, provide the SQL Server Account and Password to use.
* Alternatively, you can use a Windows trusted connection (network logon account). The Websense Log Server service must be configured to run as this account.
7. Click Test Connection to verify that it is possible to connect to the Log Database using the credentials provided.
For information about the tests performed when you click the button, see Testing the Log Database connection.
If you make changes to the database connection, after saving and deploying the changes, also restart the Websense TRITON - Web Security service on the management server machine to update the database connection for all reporting tools.
Specify how log records are processed into the database
Click Log Record Creation to specify how Log Server adds records to the Log Database.
* ODBC (Open Database Connectivity) inserts records into the database individually, using a database driver to manage data between Log Server and Log Database.
If you select this option, also set the Maximum number of connections to specify how many internal connections can be made between Log Server and the database engine.
Select a value between 4 and 50, as appropriate for your SQL Server license.
 
* BCP (Bulk Copy Program) (recommended) inserts records into the Log Database in batches. This option offers better efficiency than ODBC insertion, and is selected by default if the bcp.exe file is found on the machine.
The BCP option is available only if you install the SQL Server Native Client and Command Line Utilities on the Log Server machine. So that the BCP option is available by default, these SQL tools are installed whenever Log Server is installed on a machine.
BCP cannot be used when SQL Server SSL encryption is used.
If you select the BCP option, also specify:
After entering the path, click Test Location to verify that the location is accessible.
After selecting a log record insertion method, click Log Cache Files to specify where and how log cache files are created. These provide temporary storage for log records that have not yet been processed into the Log Database or moved to BCP files.
1. For Cache location, indicate where on the Log Server machine logging cache files are stored (C:\Program Files\Websense\Web Security\bin\Cache\, by default).
2. Click Test Location to verify that the path is accessible.
3. For Cache file creation rate, indicate the maximum number of minutes (1, by default) Log Server should spend sending Internet access information to a log cache file before closing it and creating a new file.
4. For Maximum cache file size, specify how large a log cache file should be before Log Server closes it and creates a new one.
The file creation rate and maximum file size settings work in combination: Log Server creates a new log cache file as soon as either limit is reached.
Adjust database sizing settings
Configure Database Size Management settings to meet your organization's needs. The higher the level of detail recorded, the larger the Log Database.
1. To minimize the size of the Log Database, mark Enable log record consolidation. This combines multiple, similar Internet requests into a single log record, reducing the granularity of reporting data.
If you have enabled SIEM integration, note that Log Server applies consolidation to the log records that it processes into the Log Database. Consolidation does not occur for records passed to the SIEM product.
When consolidation is enabled, requests that share all of the following elements are combined into a single log record:
*
*
*
*
*
The log record includes the number of requests combined into the consolidated record, as well as the total bandwidth for all of the consolidated requests.
Reports run faster when the Log Database is smaller. However, consolidation may decrease the accuracy of some detail reports, as separate records for the same domain name may be lost.
 
Important 
With Forcepoint Web Security, when consolidation is enabled, numbers shown in reports that include traffic blocked by scanning are lower than the numbers shown on reports about Content Gateway analysis. This is a side-effect of the way that analytic activity is recorded.
2. If you enable consolidation, also specify the Consolidation time interval. This represents the greatest allowable time difference between the earliest and latest records combined to make one consolidation record.
Decrease the interval to increase granularity for reporting. Increase the interval to maximize consolidation. Be aware that a larger interval can also increase usage of system resources, such as memory, CPU, and disk space.
If you enable full URL logging on the Settings > Reporting > Log Database page, consolidated log records contain the full path (up to 255 characters) of the first matching site Log Server encounters.
For example, suppose a user visited the following sites and all were categorized in the shopping category.
*
*
*
With full URL logging enabled, consolidation creates a single log entry showing 3 requests for the URL www.domain.com/shoeshopping.
3. Under Hits and Visits, use the Enable visits check box to indicate the level of granularity recorded for each user Internet request.
 
Note 
When this option is not selected, a separate log record is created for each HTTP request generated to display different page elements, including graphics, advertisements, embedded videos, and so on. Also known as logging hits, this creates a much larger Log Database that grows rapidly.
When this option is selected, Log Server combines the individual elements that create the web page (such as graphics and advertisements) into a single log record that includes bandwidth information for all elements of the visit.
With Forcepoint Web Security, when visits are enabled, numbers shown in reports that include traffic blocked by real-time analysis are lower than the numbers shown on Content Gateway analysis-specific reports. This is a side-effect of the way that analytic activity is recorded.
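The consolidation behavior described in steps 1 and 2 above can be modeled to see what detail an investigator loses at a given interval. This is an added example, not Forcepoint code: the matching fields (user, domain, category, action), the field names, and every sample value except www.domain.com/shoeshopping are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample requests: (time, user, full URL, category, action, bytes).
# Only www.domain.com/shoeshopping comes from the page; the rest is made up.
SAMPLE = [
    ("2018-06-01 09:00:05", "jdoe", "www.domain.com/shoeshopping", "Shopping", "permitted", 1200),
    ("2018-06-01 09:00:20", "jdoe", "www.domain.com/purseshopping", "Shopping", "permitted", 800),
    ("2018-06-01 09:00:50", "jdoe", "www.domain.com/jewelryshopping", "Shopping", "permitted", 500),
    ("2018-06-01 09:03:10", "jdoe", "www.domain.com/checkout", "Shopping", "permitted", 300),
]

def consolidate(requests, interval_seconds, full_url=True):
    """Model of log record consolidation (not Forcepoint's implementation).

    Assumption: requests are combined when user, domain, category and action
    match. A request joins an open record only if it is no more than
    interval_seconds later than the EARLIEST request in that record.
    """
    interval = timedelta(seconds=interval_seconds)
    open_records = {}  # key -> record currently accepting requests
    out = []
    for ts, user, url, category, action, nbytes in sorted(requests):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        domain = url.split("/", 1)[0]
        key = (user, domain, category, action)
        rec = open_records.get(key)
        if rec is None or when - rec["first_seen"] > interval:
            # Start a new record; it keeps the first URL seen for this key.
            rec = {"user": user, "url": url if full_url else domain,
                   "category": category, "action": action,
                   "first_seen": when, "requests": 0, "bytes": 0}
            open_records[key] = rec
            out.append(rec)
        rec["requests"] += 1
        rec["bytes"] += nbytes
    return out

def distinct_urls_lost(requests, records):
    """URLs present in the raw requests but absent from the consolidated rows."""
    return sorted({r[2] for r in requests} - {rec["url"] for rec in records})

if __name__ == "__main__":
    for seconds in (60, 300):
        recs = consolidate(SAMPLE, seconds)
        print(seconds, [(r["url"], r["requests"], r["bytes"]) for r in recs],
              "lost:", distinct_urls_lost(SAMPLE, recs))
```

As the page states, records passed to a SIEM product are not consolidated, so the per-request URLs dropped from the Log Database in this model remain available there when SIEM integration is enabled.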
Configure User Service communication
Click the User Service Connection button, then use the User and group update interval field to indicate how often Log Server connects to User Service to retrieve full user name and group assignment information (every 12 hours, by default).
Activity for a user whose user name or group information has changed continues to be reported with the original user name or group assignment until the next update occurs. Organizations that update their directory service frequently or have a large number of users should consider updating the user/group information more frequently.

Copyright 2018 Forcepoint. All rights reserved.