Getting Data In

Why is Splunk not ingesting my Websense data?

dharveynswccd
Path Finder

So, I have a Websense server which I've configured to send logs to Splunk but nothing is being fed in.

I'm running Splunk on Linux.

I have verified that I've configured the input correctly by confirming that:

  • I configured the correct IP address of the Splunk platform node responsible for data collection in my Websense Content Gateway configuration.

  • The port that I configured in my Websense app is UDP 514.

  • My syslog input is configured to set the source type to websense:cg:kv.

  • I am searching the correct index, which is the main index.

  • The SIEM Collector service is running on the Websense server.

I had it working a few months ago and had to discontinue log collection due to my daily ingestion limitation. Any ideas would be greatly appreciated. Thanks.

1 Solution

harsmarvania57
SplunkTrust

Ok, in this case your Splunk instance is not listening on port 514, because in Linux only the root user can occupy ports from 0 to 1024.

As you are running Splunk as the "splunk" user, you need to configure your Splunk instance to listen on a port greater than 1024 and then configure your Websense to send data to that port.


muralikoppula
Communicator

@dharveynswccd
1. Use DNS, not an IP, for data collection in the Websense Content Gateway configuration.
2. Next, check for firewall blocks.
3. Also ensure that you use TCP for log export.


dharveynswccd
Path Finder
  1. I have tried using DNS - no joy there.
  2. No firewall blocks in place.
  3. All other systems are sending to Splunk over UDP successfully.


dharveynswccd
Path Finder

I ran sudo netstat -lnup | grep 514 (for UDP) and received the following output:

udp 0 0 0.0.0.0:514 0.0.0.0:* 1308/rsyslogd
udp6 0 0 :::514 :::* 1308/rsyslogd

Does this indicate that this server is listening on 514 and receives from 1308?


harsmarvania57
SplunkTrust
SplunkTrust

This means that your server is listening on port 514, but you are running rsyslogd; 1308 is the rsyslogd process number (PID).

As you are running rsyslogd, you need to configure your syslog server to filter the Websense log and write it to a separate log file, and then configure your Universal Forwarder or Heavy Forwarder (whichever is running on this rsyslog server) to read that log file and ingest the data into the correct index.

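The layout harsmarvania57 describes, as an added example that is not part of this thread: rsyslog (which runs as root and can bind UDP 514) filters Websense Content Gateway messages into a dedicated file readable by the splunk user, and the forwarder monitors that file with the sourcetype and index from the question. The Websense address 192.0.2.10, the log path /var/log/websense/cg.log and the output file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an rsyslog rule and a Splunk
# inputs.conf stanza into a directory of your choice (defaults to a temp dir).
# Assumed values: Websense CG at 192.0.2.10 (RFC 5737 documentation range) and
# a log file at /var/log/websense/cg.log. Override via environment variables.
set -eu

WEBSENSE_IP="${WEBSENSE_IP:-192.0.2.10}"
LOGFILE="${LOGFILE:-/var/log/websense/cg.log}"

# rsyslog keeps the privileged UDP 514 listener; only messages from the Websense
# host go to the dedicated file, owned by the unprivileged splunk user, and
# "stop" keeps them out of the general syslog files.
write_rsyslog_conf() {
    cat > "$1" <<EOF
module(load="imudp")
input(type="imudp" port="514")
template(name="RawMsg" type="string" string="%msg%\n")
if \$fromhost-ip == '$WEBSENSE_IP' then {
    action(type="omfile" file="$LOGFILE" template="RawMsg" createDirs="on"
           fileOwner="splunk" fileGroup="splunk" fileCreateMode="0640")
    stop
}
EOF
}

# Forwarder side: monitor the file with the sourcetype and index the question used.
write_inputs_conf() {
    cat > "$1" <<EOF
[monitor://$LOGFILE]
sourcetype = websense:cg:kv
index = main
disabled = false
EOF
}

# The check from the thread: which process owns a given UDP port? Reads
# netstat/ss style output from stdin and prints the process name (e.g. rsyslogd).
owner_of_udp_port() {
    awk -v p=":$1\$" '$1 ~ /^udp/ && $4 ~ p { sub(/.*\//, "", $NF); print $NF; exit }'
}

main() {
    dir="${1:-$(mktemp -d)}"
    write_rsyslog_conf "$dir/10-websense.conf"
    write_inputs_conf "$dir/inputs.conf"
    echo "wrote $dir/10-websense.conf and $dir/inputs.conf"
}
main "$@"
```

Run as `sh websense_syslog.sh /tmp/out`, then review the two files before copying them to /etc/rsyslog.d/ and the forwarder's inputs.conf.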

dharveynswccd
Path Finder

@harsmarvania57, My syslog server and Forwarder already have the necessary configs to read the logs and ingest the data. The problem does seem to reside on the Websense side so I will have to address that there. Thanks


harsmarvania57
SplunkTrust
SplunkTrust

Are you running Splunk on Windows or Linux? If you are running on Linux, are you running Splunk process as root user?


dharveynswccd
Path Finder

I am running Splunk on Linux, and the splunk process is running as splunk.
