Getting Data In

Why is Splunk not ingesting my Websense data?

dharveynswccd
Path Finder

So, I have a Websense server which I've configured to send logs to Splunk but nothing is being fed in.

I'm running Splunk on Linux.

I have verified that I've configured the input correctly by confirming that:

  • I configured the correct IP address of the Splunk platform node responsible for data collection in my Websense Content Gateway configuration.

  • The port that I configured in my Websense app is UDP 514.

  • My syslog input is configured to set the source type to websense:cg:kv.

  • I am searching the correct index, which is the main index.

  • The Siem Collector service is running on the Websense server.

I had it working a few months ago and had to discontinue log collection due to my daily ingestion limitation. Any ideas would be greatly appreciated. Thanks.

1 Solution

harsmarvania57
SplunkTrust

OK, in this case your Splunk instance is not listening on port 514, because on Linux only the root user can occupy ports from 0 to 1024.

As you are running Splunk as the "splunk" user, you need to configure your Splunk instance to listen on a port greater than 1024 and then configure your Websense to send data to that port.


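To make the privileged-port point concrete, here is an added shell example (not code from the thread, from Splunk or from the answer's author). It checks whether a given user can bind a given port on Linux without root, and prints the inputs.conf UDP stanza for an unprivileged listener. The alternative port 10514 and the connection_host = ip setting are assumptions; the sourcetype websense:cg:kv and the index main are the ones named in the question.

```shell
#!/bin/sh
# Added example: decide whether a syslog port needs root on Linux and
# emit a Splunk inputs.conf UDP stanza for an unprivileged port.

# Ports 0-1023 are privileged on Linux: only root (or a process holding
# CAP_NET_BIND_SERVICE) can bind them.
is_privileged_port() {
    [ "$1" -ge 0 ] && [ "$1" -lt 1024 ]
}

# can_bind_port PORT USER
# Returns 0 if USER can bind PORT without extra privileges, 1 otherwise,
# and prints the reason either way.
can_bind_port() {
    port=$1
    user=$2
    if is_privileged_port "$port" && [ "$user" != "root" ]; then
        echo "port $port is privileged; user '$user' cannot bind it"
        return 1
    fi
    echo "user '$user' can bind port $port"
    return 0
}

# splunk_udp_stanza PORT SOURCETYPE INDEX
# Prints the inputs.conf stanza for a UDP syslog input on PORT.
# connection_host = ip (an assumption) records the sender's IP as the host field.
splunk_udp_stanza() {
    port=$1
    sourcetype=$2
    index=$3
    printf '[udp://%s]\nsourcetype = %s\nindex = %s\nconnection_host = ip\n' \
        "$port" "$sourcetype" "$index"
}

# Demo with the thread's situation: Splunk runs as user "splunk".
can_bind_port 514 splunk || true     # reports that 514 needs root
can_bind_port 10514 splunk           # 10514 (assumed alternative) is fine
splunk_udp_stanza 10514 websense:cg:kv main
```

After adding the stanza (in a local inputs.conf under an app of your choice) and restarting Splunk, the Websense side must be pointed at the new port as the answer says; the sender-side port number and the stanza must match exactly.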

muralikoppula
Communicator

@dharveynswccd
1. Use DNS, not an IP address, for data collection in the Websense Content Gateway configuration.
2. Next, check for firewall blocks.
3. Also ensure that you use TCP for log export.


dharveynswccd
Path Finder
  1. I have tried using DNS-No Joy there
  2. No firewall blocks in place
  3. All other systems are sending to Splunk over UDP successfully


dharveynswccd
Path Finder

I ran sudo netstat -lnup | grep 514 (for UDP) and received the following output:

    udp   0  0 0.0.0.0:514  0.0.0.0:*  1308/rsyslogd
    udp6  0  0 :::514       :::*       1308/rsyslogd

Does this indicate that this server is listening on 514 and receives from 1308?


harsmarvania57
SplunkTrust
SplunkTrust

This means that your server is listening on port 514, but you are running rsyslogd; 1308 is the rsyslogd process number (PID).

As you are running rsyslogd, you need to configure your syslog server to filter the Websense logs and write them to a separate log file, and then configure your Universal Forwarder or Heavy Forwarder, whichever is running on this rsyslog server, to read that log file and ingest the data into the correct index.

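As an added example (not code from the thread, from rsyslog or from Splunk), the following shell snippet parses netstat -lnup output like the one posted above to report which process owns port 514, and then prints the rsyslog rule and the forwarder inputs.conf monitor stanza that the answer describes. The Websense source IP 192.0.2.10, the log path /var/log/websense/websense.log and the choice to filter on $fromhost-ip are assumptions; sourcetype and index are the ones named in the question.

```shell
#!/bin/sh
# Added example: find the owner of a syslog port in `netstat -lnup` output,
# then generate the rsyslog rule and Splunk monitor stanza the answer describes.

# Constructed sample in the format of `sudo netstat -lnup`; the first two
# lines are the ones posted in the thread, the third is an unrelated listener.
SAMPLE_NETSTAT='udp 0 0 0.0.0.0:514 0.0.0.0:* 1308/rsyslogd
udp6 0 0 :::514 :::* 1308/rsyslogd
udp 0 0 127.0.0.1:323 0.0.0.0:* 912/chronyd'

# port_owner PORT NETSTAT_OUTPUT
# Prints "<process> <pid>" for the first UDP listener bound to PORT,
# or "none" if nothing listens there.
port_owner() {
    port=$1
    out=$2
    printf '%s\n' "$out" | awk -v p="$port" '
        $1 ~ /^udp/ {
            n = split($4, a, ":")          # local address; the port is the last field
            if (a[n] == p && $NF ~ /\//) {
                split($NF, pp, "/")        # "1308/rsyslogd" -> pid, program
                print pp[2], pp[1]
                found = 1
                exit
            }
        }
        END { if (!found) print "none" }'
}

# rsyslog_rule WEBSENSE_IP LOGFILE
# RainerScript rule: write everything from the Websense host to its own file
# and stop, so the same events do not also land in the default log.
# Matching on $fromhost-ip is an assumption; use whatever host or program
# name the Websense appliance actually sends.
rsyslog_rule() {
    websense_ip=$1
    logfile=$2
    printf "if \$fromhost-ip == '%s' then {\n    action(type=\"omfile\" file=\"%s\")\n    stop\n}\n" \
        "$websense_ip" "$logfile"
}

# monitor_stanza LOGFILE SOURCETYPE INDEX
# inputs.conf stanza for the forwarder running on the rsyslog host.
monitor_stanza() {
    logfile=$1
    sourcetype=$2
    index=$3
    printf '[monitor://%s]\nsourcetype = %s\nindex = %s\ndisabled = false\n' \
        "$logfile" "$sourcetype" "$index"
}

# Demo: who owns 514 in the sample, and the two config fragments.
port_owner 514 "$SAMPLE_NETSTAT"        # rsyslogd 1308
port_owner 10514 "$SAMPLE_NETSTAT"      # none
rsyslog_rule 192.0.2.10 /var/log/websense/websense.log
monitor_stanza /var/log/websense/websense.log websense:cg:kv main
```

The rsyslog rule goes in a file under /etc/rsyslog.d/ and the monitor stanza in the forwarder's inputs.conf; after restarting both services, a search against index=main with sourcetype=websense:cg:kv should show events once the Websense appliance is actually sending.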

dharveynswccd
Path Finder

@harsmarvania57, my syslog server and forwarder already have the necessary configs to read the logs and ingest the data. The problem does seem to reside on the Websense side, so I will have to address it there. Thanks.


harsmarvania57
SplunkTrust
SplunkTrust

Are you running Splunk on Windows or Linux? If you are running on Linux, are you running Splunk process as root user?


dharveynswccd
Path Finder

I am running Splunk on Linux, and the splunk process is running as splunk.
