
So, I have a Websense server which I've configured to send logs to Splunk, but nothing is being fed in.
I'm running Splunk on Linux.
I have verified that I've configured the input correctly by confirming that:
- I configured the correct IP address of the Splunk platform node responsible for data collection in my Websense Content Gateway configuration.
- The port that I configured in my Websense app is UDP 514.
- My syslog input is configured to set the source type to websense:cg:kv.
- I am searching the correct index, which is the main index.
- The SIEM Collector service is running on the Websense server.
I had it working a few months ago and had to discontinue log collection due to my daily ingestion limitation. Any ideas would be greatly appreciated. Thanks.

OK, in this case your Splunk instance is not listening on port 514, because on Linux only the root user can occupy ports from 0 to 1024.
As you are running Splunk as the "splunk" user, you need to configure your Splunk instance to listen on a port greater than 1024, and after that configure your Websense to send data to that port.

@dharveynswccd
1. Use DNS, not an IP address, for data collection in the Websense Content Gateway configuration.
2. Next, check for firewall blocks.
3. And also ensure you use TCP for log export.

- I have tried using DNS; no joy there.
- No firewall blocks in place.
- All other systems are sending to Splunk over UDP successfully.

I ran sudo netstat -lnup | grep 514 (for UDP) and received the following output:
udp 0 0 0.0.0.0:514 0.0.0.0:* 1308/rsyslogd
udp6 0 0 :::514 :::* 1308/rsyslogd
Does this indicate that this server is listening on 514 and receives from 1308?

This means that your server is listening on port 514, but it is rsyslogd that is listening on it; 1308 is the rsyslogd process number (PID).
As you are running rsyslogd, you need to configure your syslog server to filter the Websense logs and write them to a separate log file, and then configure your Universal Forwarder or Heavy Forwarder, whichever is running on this rsyslog server, to read that log file and ingest the data into the correct index.
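The checks described in this answer and in the earlier one about port 514, as an added example that is not part of the thread and is not code from Splunk, Websense or rsyslog. It parses the netstat output posted above to show which process owns udp/514, tests whether the current user can bind a given UDP port (as the "splunk" user, 514 fails while a port above 1024 succeeds), and round-trips a constructed Websense-style key=value event through a loopback listener that stands in for a Splunk UDP input on an unprivileged port. The netstat sample is copied from the post; the event line and its field names are constructed assumptions, not the exact websense:cg:kv format.

```python
#!/usr/bin/env python3
"""Diagnose a syslog input that receives nothing (added example, not from
the thread or from Splunk/Websense/rsyslog): who owns udp/514, whether this
user may bind a port, and a loopback round-trip of a key=value syslog line
through a port above 1024. All sample data below is constructed."""
import re
import socket
import threading

# Copy of the netstat -lnup output posted in the thread (not live data).
NETSTAT_SAMPLE = """\
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1308/rsyslogd
udp6       0      0 :::514                  :::*                                1308/rsyslogd
"""


def port_owner(netstat_output, port):
    """Return [(proto, pid, program)] for UDP sockets bound to `port`
    in `netstat -lnup` output. An empty list means nothing listens there."""
    owners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("udp"):
            continue
        local_addr, pid_prog = fields[3], fields[5]
        if local_addr.rsplit(":", 1)[1] != str(port):
            continue
        pid, _, prog = pid_prog.partition("/")
        owners.append((fields[0], pid, prog))
    return owners


def can_bind_udp(port):
    """True if this process can bind UDP `port` on 127.0.0.1. Ports below
    1024 need root or CAP_NET_BIND_SERVICE; any port fails with EADDRINUSE
    when another process (here rsyslogd) already holds it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind(("127.0.0.1", port))
        return True
    except OSError:  # PermissionError or EADDRINUSE
        return False
    finally:
        sock.close()


# Constructed event in the general shape of a Websense Content Gateway
# key=value line; the field names are assumptions, not the vendor format.
WEBSENSE_SAMPLE = ('<14>Jan  5 10:00:00 wcg01 Websense: vendor=Websense '
                   'product=Security action=permitted user=jdoe '
                   'src_host=10.1.2.3 dst_host=example.com '
                   'url="http://example.com/index.html"')

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Extract key=value pairs (quoted values allowed) from a syslog payload."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def udp_roundtrip(payload, host="127.0.0.1", port=0):
    """Bind a UDP listener on `port` (0 = any free unprivileged port), send
    `payload` to it and return (bound_port, parsed_fields). This is the
    'move the input above 1024 and send a test event' check from the thread."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, port))
    listener.settimeout(3)
    bound_port = listener.getsockname()[1]
    received = {}

    def recv():
        try:
            data, _ = listener.recvfrom(65535)
            received["line"] = data.decode("utf-8", "replace")
        except OSError:  # timeout: nothing arrived
            pass

    worker = threading.Thread(target=recv)
    worker.start()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.sendto(payload.encode(), (host, bound_port))
    sender.close()
    worker.join()
    listener.close()
    return bound_port, parse_kv(received.get("line", ""))


if __name__ == "__main__":
    print("udp/514 owners:", port_owner(NETSTAT_SAMPLE, 514))
    for p in (514, 10514):
        print(f"can bind udp/{p}: {can_bind_udp(p)}")
    bound, fields = udp_roundtrip(WEBSENSE_SAMPLE)
    print(f"received on udp/{bound}: {fields}")
```

Run it as the splunk user to reproduce the situation in the thread: can_bind_udp(514) is False (and stays False even as root while rsyslogd holds the port) while the round-trip on an ephemeral port succeeds. For the rsyslog-file route this answer describes, the equivalent check is that the test event lands in the file rsyslog writes; assuming the Websense host is 192.0.2.10, a rule of the form `if $fromhost-ip == '192.0.2.10' then { action(type="omfile" file="/var/log/websense.log") stop }` in rsyslog, and a `[monitor:///var/log/websense.log]` stanza with `sourcetype = websense:cg:kv` and `index = main` in the forwarder's inputs.conf, is the shape of that configuration.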

@harsmarvania57, my syslog server and forwarder already have the necessary configs to read the logs and ingest the data. The problem does seem to reside on the Websense side, so I will have to address that there. Thanks.

Are you running Splunk on Windows or Linux? If you are running on Linux, are you running the Splunk process as the root user?

I am running Splunk on Linux, and the splunk process is running as splunk.
