AlienVault® USM Appliance™

Websense Web Security 7

When you configure Websense Web Security 7 to send log data to USM Appliance, you can use the websense7 plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor: Websense
Device Type: Firewall
Connection Type: Syslog
Data Source Name: Websense7
Data Source ID: 19005

Note: Websense Web Security 7 currently describes release versions 7.6 through 7.9. Another plugin, named websense, is available for integration with earlier versions of the Websense Web Security Gateway product. In addition, there is a triton plugin for versions of the Web Security Gateway product released after Forcepoint acquired Websense.

Integrating Websense Web Security 7

Each Websense Web Security policy server instance in your deployment must be configured to send log data to a USM Appliance Sensor over the Syslog protocol.

To configure Websense Web Security to send log data to USM Appliance

Note: Before using this page to enable USM Appliance integration, make sure that an instance of Websense Multiplexer is installed for each policy server in your environment.

  1. Go to Settings > General > SIEM Integration.
  2. Select Enable SIEM integration for this Policy Server to enable SIEM integration.
  3. Provide the IP address or hostname of the machine hosting USM Appliance, as well as the communication port to use for sending data.
  4. Specify the Transport protocol (UDP) to use when sending data to the SIEM product (USM Appliance).
  5. Select the SIEM format to use. This determines the syntax of the string used to pass log data to the integration.
    • The available formats are syslog/CEF (ArcSight), syslog/key-value pairs (Splunk and others), syslog/LEEF (QRadar), and Custom. Choose syslog/key-value pairs (Splunk and others).

      If you select a non-custom option, a sample Format string showing fields and value keys is displayed.

  6. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

After you save your changes, Websense Multiplexer connects to the Filtering Service and takes over the job of distributing log data to both Log Server and the selected SIEM (USM Appliance) integration.

Note: Although the same data is passed from the Websense Filtering Service to both Log Server and the SIEM product, Log Server may be configured to perform data reduction tasks, such as recording visits instead of hits, or consolidating log records. Because the SIEM product does not perform these data reduction tasks, there may be more SIEM entries than records in the Log Database.
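
A check that can be run on a payload captured at the Sensor to confirm that step 5 was set to syslog/key-value pairs rather than CEF or LEEF, and to see how such a line splits into fields. This is an added example, not AlienVault or Websense code; the sample lines and field names are constructed, and it assumes that values contain no spaces and that "-" marks an empty value.

```python
import re

# Leading syslog priority field, e.g. "<13>".
PRI = re.compile(r"^<(\d{1,3})>")
# key=value tokens. The key must start a token and the value runs to the
# next whitespace, so "=" inside a URL stays part of the value.
PAIR = re.compile(r"(?<!\S)(\w+)=(\S*)")
CEF_HEADER = re.compile(r"(?:^|\s)CEF:\d+\|")
LEEF_HEADER = re.compile(r"(?:^|\s)LEEF:\d+(?:\.\d+)?\|")

# Constructed sample payloads (not taken from a real deployment).
SAMPLE_KV = (
    "<13>Jan 01 00:00:00 192.0.2.10 vendor=Websense product=Security "
    "action=permitted user=- src_host=192.0.2.55 dst_host=www.example.com "
    "url=http://www.example.com/search?q=a=b"
)
SAMPLE_CEF = (
    "<13>Jan 01 00:00:00 192.0.2.10 CEF:0|Websense|Security|7.7.0|9|"
    "Transaction permitted|1| act=permitted src=192.0.2.55"
)


def detect_format(payload: str) -> str:
    """Classify a payload as one of the SIEM formats offered in step 5."""
    body = PRI.sub("", payload, count=1)
    if CEF_HEADER.search(body):
        return "cef"
    if LEEF_HEADER.search(body):
        return "leef"
    if len(PAIR.findall(body)) >= 3:
        return "key-value"
    return "unknown"


def parse_key_value(payload: str) -> dict:
    """Split a key-value payload into fields; "-" becomes None."""
    fmt = detect_format(payload)
    if fmt != "key-value":
        raise ValueError(f"payload is {fmt}, not key-value: check step 5")
    body = PRI.sub("", payload, count=1)
    return {k: (None if v == "-" else v) for k, v in PAIR.findall(body)}


if __name__ == "__main__":
    print(detect_format(SAMPLE_CEF))
    for key, value in parse_key_value(SAMPLE_KV).items():
        print(f"{key:10} {value}")
```

A payload classified as cef, leef or unknown means the format selected on the SIEM Integration page is not the key-value format this procedure specifies.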

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

For troubleshooting, see the vendor documentation.