
Websense - Stripping LDAP OU, DC Strings from "User" Field

milesbrennan
Path Finder

We have some Websense proxy logs which are being parsed by the Splunk Add-on for Websense (https://splunkbase.splunk.com/app/2966/), however, the "user" field contains the complete LDAP string of Server, OUs, DCs, making it difficult to correlate against other indexes and user activity.

Example log event:

Sep 26 04:40:19 10.100.100.101 Sep 26 13:40:21 10.100.100.101 vendor=Websense product=Security product_version=7.8.3 action=permitted severity=1 category=101 user=LDAP://10.100.100.100 OU=People,OU=Sydney,OU=APAC,DC=ourcompany,DC=org/Fred Flinstone (Boss) src_host=10.10.10.10 src_port=0 dst_host=m.velocity.ebay.com dst_ip=66.211.187.41 dst_port=80 bytes_out=0 bytes_in=0 http_response=0 http_method=- http_content_type=- http_user_agent=- http_proxy_status_code=0 reason=- disposition=1026 policy=- role=0 duration=0 url=http://m.velocity.ebay.com/clink/6d2f83c8f1d4cb3ed6aeda50d3561e2cd

We are only getting the LDAP protocol and servername, due to the spaces in the user field:

user=LDAP://10.100.100.100

We need this:

user=LDAP://10.100.100.100 OU=People,OU=Sydney,OU=APAC,DC=ourcompany,DC=org/Fred Flinstone (Boss)

to be this:

user=Fred Flinstone (Boss)

This search works perfectly, but we need to make it permanent at index time:

index=proxy sourcetype=websense:cg:kv | rex "user=.*DC=.*\/(?<user>.*?)\s+src_host"

We've also updated the props and transforms to make this permanent, however it does not extract the values from the user field.

props.conf

TRANSFORMS-get_usernames = get_usernames

transforms.conf

[get_usernames]
REGEX = user=.*DC=.*\/(.*?)\s+src_host
FORMAT = user::$1

I've tried a few similar Websense suggestions from the Answers site, however, they haven't produced the results we need.

0 Karma
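The regex in the question (the same one used in the rex search and in the transforms.conf REGEX) can be exercised outside Splunk to confirm what it captures. The following is an added example, not code from the question or from the Splunk Add-on for Websense: SAMPLE_EVENT is a constructed copy of the quoted event, naive_kv is a hypothetical space-delimited key=value split that only approximates the add-on's default extraction (it is not the add-on's parser), and extract_user applies the question's pattern.

```python
import re

# Constructed sample event, modelled on the one quoted in the question.
# The user value contains spaces and commas, which is why a plain
# space-delimited key=value extraction stops at "LDAP://10.100.100.100".
SAMPLE_EVENT = (
    "Sep 26 04:40:19 10.100.100.101 Sep 26 13:40:21 10.100.100.101 "
    "vendor=Websense product=Security product_version=7.8.3 action=permitted "
    "severity=1 category=101 "
    "user=LDAP://10.100.100.100 OU=People,OU=Sydney,OU=APAC,DC=ourcompany,DC=org/Fred Flinstone (Boss) "
    "src_host=10.10.10.10 src_port=0 dst_host=m.velocity.ebay.com dst_ip=66.211.187.41 "
    "dst_port=80 bytes_out=0 bytes_in=0 http_response=0 http_method=- "
    "http_content_type=- http_user_agent=- http_proxy_status_code=0 reason=- "
    "disposition=1026 policy=- role=0 duration=0 "
    "url=http://m.velocity.ebay.com/clink/6d2f83c8f1d4cb3ed6aeda50d3561e2cd"
)

# Same pattern as the question's rex command / transforms.conf REGEX.
# Greedy ".*" after "user=" backtracks to the last "DC=", and the lazy
# group then stops at the whitespace preceding "src_host".
USER_RE = re.compile(r"user=.*DC=.*\/(?P<user>.*?)\s+src_host")


def naive_kv(event):
    """Hypothetical space-delimited key=value split (approximation only).

    Shows the failure mode from the question: the user field is cut off
    at the first space, so only the LDAP scheme and server survive.
    """
    fields = {}
    for token in event.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)
    return fields


def extract_user(event):
    """Return the bare display name, or None if the pattern does not match.

    Returning None rather than raising keeps the caller's loop running over
    events whose user field has no LDAP prefix (e.g. unauthenticated hits).
    """
    match = USER_RE.search(event)
    return match.group("user") if match else None


if __name__ == "__main__":
    print("naive kv user :", naive_kv(SAMPLE_EVENT)["user"])
    print("regex user    :", extract_user(SAMPLE_EVENT))
```

Running the script shows the two results side by side: the naive split yields LDAP://10.100.100.100, while the question's regex yields Fred Flinstone (Boss). The pattern depends on src_host immediately following the user value, so it returns None for events with a different field order; checking for that case before relying on the field in searches avoids silently losing user attribution.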
1 Solution

milesbrennan
Path Finder

Turns out this was a simple little fix in the props.conf:

We changed:
TRANSFORMS-get_usernames = get_usernames

To:
REPORT-get_usernames = get_usernames


0 Karma


knicholson0
Engager

@milesbrennan have you noticed truncated logs after updating props.conf and transforms.conf as described here?

0 Karma

milesbrennan
Path Finder

Not in our situation. Check your props.conf for "TRUNCATE=" value.

0 Karma

knicholson0
Engager

Thanks! I should have started my search here instead of Websense TSG 🙂

0 Karma