
Thanks For Downloading!

Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows:

Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into %PROGRAMFILES%\Splunk\etc\apps. Then restart Splunk using the splunk restart command or the GUI.

Unix/Linux: Decompress the downloaded file using a tool like tar -xvf and place the resulting folder into $SPLUNK_HOME/etc/apps. Then restart Splunk using the splunk restart command or the GUI.

Description

Remotely monitor and troubleshoot Websense Web Security (WWS).
Functionality includes traffic, user and security monitoring, as well as real-time filtering debugging.
This app only supports Websense Web Security version 7.7.

Please join us on Trello https://trello.com/b/xpAB4qcs for feedback, requests and bug reports.

About Exponant

Exponant offers Splunk Professional Services worldwide:

  • Implementation and Management of Splunk for Large Customers.
  • Splunk App development.
  • Custom development of Splunk collectors to assist in Data Acquisition.

Versions and Release Notes

Version 2.1 (current version - updated Jan 10, 2013)
release notes:

- Updated to work with Splunk 5.x
- Drilldown support added to certain dashboards.

Version 2.0 (updated Aug 08, 2012)
release notes:

Setting up this app:
----------------------------------------
1. On Websense, the Multiplexer module must be installed and running.
2. In the TRITON management interface, go to Settings -> SIEM Integration.
3. Enter the Splunk indexer address and listening port, select the transport protocol, and select the SIEM format 'syslog/key-value pairs (Splunk and other)'.
4. Click OK, then Save and Deploy.
5. Create the receiving port in Splunk.
6. Edit props.conf and change the source stanza to the configured receiving port.

Known issues:
----------------------------------------
The time picker on the dashboards shows the time range 'Last 15 minutes'; this setting does not work.

Version 1.0 (updated Nov 18, 2011)

posted 18 Nov '11, 09:35


exponant

new version 10 Jan, 05:38


2 Reviews
2 reviews, 1 rating, average 5.00


Very handy app... well done!!


reviewed 05 Oct '12, 04:04


denisevw

Reviews related to version 2.0 (current is 2.1)

Nice app, the dashboards are clean and leverage summary indexing to remain scalable even when a large amount of WebSense data has to be iterated through.

A few remarks:

  • The scripted input stanzas in websense_forwarder/default/inputs.conf reference an incorrect path and won't run without modification:
    [script://$SPLUNK_HOME\etc\apps\websense\bin\websense_ping.bat]
    ...should be:
    [script://$SPLUNK_HOME\etc\apps\websense_forwarder\bin\websense_ping.bat]

  • It would be nicer to package the websense_forwarder mini-app as a Technology Add-on rather than including it in the main app.

  • The LINE_BREAKER configuration for the websense-ss-ping and websense-ss-pingm1 sourcetypes in props.conf is not correct. To ensure that the output of each script run is indexed as a single event, I would rather recommend the following configuration:
    SHOULD_LINEMERGE = false
    LINE_BREAKER = ^()$
    TRUNCATE = 1000000
    DATETIME_CONFIG = CURRENT

  • The EXTRACT search-time field extractions in websense_forwarder/default/props.conf are unnecessary as they will never be used on a forwarder and should be removed.

  • It would be nice to document the different invocations of fill_summary_index.py that the user has to run in order to backfill the summary indexes that power some of the dashboards. Ideally, you could advertise the need to run these backfill commands on the dashboard itself so that the user understands why no data is displayed.

comments (1)

reviewed 29 Dec '11, 15:36


hexx ♦

edited 29 Dec '11, 15:43
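Two of the remarks in the review above (the script stanza that points into the wrong app directory, and the LINE_BREAKER setting that keeps one script run as one event) can be checked outside Splunk. The following is an added example, not code from the app or the reviewer: it uses a deliberately simplified model of Splunk's line breaking (cut the stream at each LINE_BREAKER match, drop the first capture group) and constructed sample script output and inputs.conf text.

```python
import re
from typing import List

# Constructed sample output of one websense_ping.bat run (hypothetical lines).
SAMPLE_RUN_OUTPUT = (
    "Pinging filtering service...\n"
    "Reply from 10.0.0.5: time=3ms\n"
    "Filtering service: OK\n"
)

# Constructed inputs.conf fragment using the stanza path quoted in the review.
SAMPLE_INPUTS_CONF = """[script://$SPLUNK_HOME\\etc\\apps\\websense\\bin\\websense_ping.bat]
interval = 60
sourcetype = websense-ss-ping
"""


def break_events(raw: str, line_breaker: str = r"([\r\n]+)") -> List[str]:
    """Simplified model of Splunk line breaking with SHOULD_LINEMERGE = false:
    the stream is cut at each match of LINE_BREAKER and the text captured by
    its first group (the delimiter) is dropped. The default is Splunk's own
    default pattern; '^()$' never matches inside non-empty text without a
    multiline flag, so the whole run survives as one event."""
    events, pos = [], 0
    for m in re.finditer(line_breaker, raw):
        if m.start(1) > pos:
            events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    if pos < len(raw):
        events.append(raw[pos:])
    return events


def misplaced_script_stanzas(inputs_conf: str, app_dir: str) -> List[str]:
    """Return [script://...] stanza headers whose path points into an app
    directory other than app_dir, the app that actually ships this inputs.conf.
    Both backslash and forward-slash paths are accepted."""
    bad = []
    for line in inputs_conf.splitlines():
        if not line.startswith("[script://"):
            continue
        m = re.search(r"etc[\\/]apps[\\/]([^\\/\]]+)", line)
        if m and m.group(1) != app_dir:
            bad.append(line)
    return bad


if __name__ == "__main__":
    print(len(break_events(SAMPLE_RUN_OUTPUT)))            # 3: one event per line
    print(len(break_events(SAMPLE_RUN_OUTPUT, r"^()$")))   # 1: whole run is one event
    print(misplaced_script_stanzas(SAMPLE_INPUTS_CONF, "websense_forwarder"))
```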

How do you populate websense_summary? I see no graph data because I only have data in the websense index.

(12 Apr, 08:30) jfraiberg
Copyright © 2005-2012 Splunk Inc. All rights reserved.