Websense - Stripping LDAP OU, DC Strings from "User" Field

milesbrennan
Path Finder

We have some Websense proxy logs which are being parsed by the Splunk Add-on for Websense (https://splunkbase.splunk.com/app/2966/), however, the "user" field contains the complete LDAP string of Server, OUs, DCs, making it difficult to correlate against other indexes and user activity.

Example log event:

Sep 26 04:40:19 10.100.100.101 Sep 26 13:40:21 10.100.100.101 vendor=Websense product=Security product_version=7.8.3 action=permitted severity=1 category=101 user=LDAP://10.100.100.100 OU=People,OU=Sydney,OU=APAC,DC=ourcompany,DC=org/Fred Flinstone (Boss) src_host=10.10.10.10 src_port=0 dst_host=m.velocity.ebay.com dst_ip=66.211.187.41 dst_port=80 bytes_out=0 bytes_in=0 http_response=0 http_method=- http_content_type=- http_user_agent=- http_proxy_status_code=0 reason=- disposition=1026 policy=- role=0 duration=0 url=http://m.velocity.ebay.com/clink/6d2f83c8f1d4cb3ed6aeda50d3561e2cd

We are only getting the LDAP protocol and servername, due to the spaces in the user field:

user=LDAP://10.100.100.100

We need this:

user=LDAP://10.100.100.100 OU=People,OU=Sydney,OU=APAC,DC=ourcompany,DC=org/Fred Flinstone (Boss)

to be this:

user=Fred Flinstone (Boss)

This search works perfectly, but we need to make it permanent at index time:

index=proxy sourcetype=websense:cg:kv | rex "user=.*DC=.*\/(?<user>.*?)\s+src_host"

We've also updated the props and transforms to make this permanent, however it does not extract the values from the user field.

props.conf

TRANSFORMS-get_usernames = get_usernames 

transforms.conf

[get_usernames]
REGEX = user=.*DC=.*\/(.*?)\s+src_host
FORMAT = user::$1

I've tried a few similar Websense suggestions from the Answers site, however, they haven't produced the results we need.

0 Karma
1 Solution

milesbrennan
Path Finder

Turns out this was a simple little fix in the props.conf:

We changed:
TRANSFORMS-get_usernames = get_usernames

To:
REPORT-get_usernames = get_usernames

0 Karma

knicholson0
Engager

@milesbrennan have you noticed truncated logs after updating props.conf and transforms.conf as described here?

0 Karma

milesbrennan
Path Finder

Not in our situation. Check your props.conf for "TRUNCATE=" value.

0 Karma

knicholson0
Engager

Thanks! I should have started my search here instead of Websense TSG 🙂

0 Karma