Websense - Stripping LDAP OU, DC Strings from "User" Field

milesbrennan
Path Finder

We have some Websense proxy logs which are being parsed by the Splunk Add-on for Websense (https://splunkbase.splunk.com/app/2966/), however, the "user" field contains the complete LDAP string of Server, OUs, DCs, making it difficult to correlate against other indexes and user activity.

Example log event:

Sep 26 04:40:19 10.100.100.101 Sep 26 13:40:21 10.100.100.101 vendor=Websense product=Security product_version=7.8.3 action=permitted severity=1 category=101 user=LDAP://10.100.100.100 OU=People,OU=Sydney,OU=APAC,DC=ourcompany,DC=org/Fred Flinstone (Boss) src_host=10.10.10.10 src_port=0 dst_host=m.velocity.ebay.com dst_ip=66.211.187.41 dst_port=80 bytes_out=0 bytes_in=0 http_response=0 http_method=- http_content_type=- http_user_agent=- http_proxy_status_code=0 reason=- disposition=1026 policy=- role=0 duration=0 url=http://m.velocity.ebay.com/clink/6d2f83c8f1d4cb3ed6aeda50d3561e2cd

We are only getting the LDAP protocol and server name, due to the spaces in the user field:

user=LDAP://10.100.100.100

We need this:

user=LDAP://10.100.100.100 OU=People,OU=Sydney,OU=APAC,DC=ourcompany,DC=org/Fred Flinstone (Boss)

to be this:

user=Fred Flinstone (Boss)

This search works perfectly, but we need to make it permanent at index time:

index=proxy sourcetype=websense:cg:kv | rex "user=.*DC=.*\/(?<user>.*?)\s+src_host"

We've also updated the props and transforms to make this permanent; however, it does not extract the values from the user field.

props.conf

TRANSFORMS-get_usernames = get_usernames 

transforms.conf

[get_usernames]
REGEX = user=.*DC=.*\/(.*?)\s+src_host
FORMAT = user::$1

I've tried a few similar Websense suggestions from the Answers site; however, they haven't produced the results we need.

1 Solution

milesbrennan
Path Finder

Turns out this was a simple little fix in props.conf:

We changed:
TRANSFORMS-get_usernames = get_usernames

To:
REPORT-get_usernames = get_usernames

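Added example, not code from the post or from the Splunk Add-on for Websense: a stand-alone check of the REGEX above against the event format from the question, so the pattern can be verified before it goes into transforms.conf. The fix in the accepted answer works because TRANSFORMS- stanzas in props.conf are applied at index time (routing, masking, indexed fields), while REPORT- stanzas are search-time field extractions, which is what FORMAT = user::$1 is meant for. Splunk evaluates REGEX with PCRE; Python's re treats this pattern the same way, except that the named group is written (?P<user>...) here instead of Splunk's (?<user>...). The three events are constructed (the first reproduces the event from the post, the other two are made up to probe edge cases), and TIGHTER_REGEX is a suggested alternative of mine, not something from the thread: it anchors on the LDAP:// prefix and cuts at the first slash after the DC path, so a display name that itself contains a slash is not truncated by the greedy `.*` in the original.

```python
"""Check the Websense 'user' regex offline before putting it in transforms.conf."""
import re
from typing import List, Optional, Tuple

# Constructed sample events. EVENT_LDAP reproduces the event format from the post;
# EVENT_SLASH and EVENT_LOCAL are made up to probe two edge cases.
EVENT_LDAP = (
    "Sep 26 04:40:19 10.100.100.101 Sep 26 13:40:21 10.100.100.101 vendor=Websense "
    "product=Security product_version=7.8.3 action=permitted severity=1 category=101 "
    "user=LDAP://10.100.100.100 OU=People,OU=Sydney,OU=APAC,DC=ourcompany,DC=org/"
    "Fred Flinstone (Boss) src_host=10.10.10.10 src_port=0 dst_host=m.velocity.ebay.com "
    "dst_ip=66.211.187.41 dst_port=80 bytes_out=0 bytes_in=0 http_response=0 "
    "http_method=- http_content_type=- http_user_agent=- http_proxy_status_code=0 "
    "reason=- disposition=1026 policy=- role=0 duration=0 "
    "url=http://m.velocity.ebay.com/clink/6d2f83c8f1d4cb3ed6aeda50d3561e2cd"
)
# Constructed: a display name that itself contains a slash.
EVENT_SLASH = (
    "Sep 26 04:41:02 10.100.100.101 vendor=Websense product=Security action=permitted "
    "user=LDAP://10.100.100.100 OU=People,OU=Sydney,OU=APAC,DC=ourcompany,DC=org/"
    "Fred/Wilma Flinstone src_host=10.10.10.12 src_port=0 dst_host=example.org "
    "url=http://example.org/a/b"
)
# Constructed: a local proxy account with no directory path at all.
EVENT_LOCAL = (
    "Sep 26 04:42:17 10.100.100.101 vendor=Websense product=Security action=permitted "
    "user=svc_backup src_host=10.10.10.11 src_port=0 dst_host=example.org "
    "url=http://example.org/"
)

# The REGEX from the post's transforms.conf, with the capture group named so the
# result reads like FORMAT = user::$1. Greedy .* before the slash means the LAST
# slash before " src_host" wins.
ORIGINAL_REGEX = re.compile(r"user=.*DC=.*\/(?P<user>.*?)\s+src_host")

# Suggested tighter pattern (my assumption, not from the post): anchor on the
# LDAP:// prefix, walk the comma-separated RDNs, and cut at the FIRST slash after
# the DC path. [^/] in the DC part is what guarantees "first slash".
TIGHTER_REGEX = re.compile(
    r"user=LDAP://\S+\s+(?:[A-Za-z]+=[^/,]+,)*DC=[^/]+/(?P<user>.+?)\s+src_host="
)


def extract_user(event: str, pattern: re.Pattern) -> Optional[str]:
    """Return the value the transform would emit for 'user', or None when the
    regex does not match. A non-matching search-time transform emits nothing,
    so the add-on's own key=value extraction (e.g. user=svc_backup) stands."""
    match = pattern.search(event)
    return match.group("user") if match else None


def compare(events: List[str]) -> List[Tuple[Optional[str], Optional[str]]]:
    """Run both patterns over each event: (original result, tighter result)."""
    return [(extract_user(e, ORIGINAL_REGEX), extract_user(e, TIGHTER_REGEX))
            for e in events]


if __name__ == "__main__":
    for original, tighter in compare([EVENT_LDAP, EVENT_SLASH, EVENT_LOCAL]):
        print(f"original={original!r:32} tighter={tighter!r}")
```

On the event from the post both patterns return "Fred Flinstone (Boss)". On the constructed "Fred/Wilma Flinstone" event the original regex returns only "Wilma Flinstone", the tighter one the whole name; on the local account neither matches, so the add-on's own user value is left alone. If you adopt the tighter pattern in transforms.conf, write the group as (?<user>...) in Splunk's PCRE syntax. One caveat for correlation: the display name alone is not a unique key across OUs or domains, so if the same name can exist twice in the directory, keep the DC path in a second field rather than discarding it.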

knicholson0
Engager

@milesbrennan have you noticed truncated logs after updating props.conf and transforms.conf as described here?


milesbrennan
Path Finder

Not in our situation. Check your props.conf for the "TRUNCATE =" value.


knicholson0
Engager

Thanks! I should have started my search here instead of Websense TSG 🙂
