harv-qq
I can supply some redacted logs, but I'm not able to supply a pcap, I'm afraid.
Some logs are as follows; the index isn't matching on some as well: index=lastchance sourcetype="websense:cg:kv"
Fixed using the compliance_meta_by_source filter:
filter f_forcepoint_audit { message('vendor=Forcepoint' type(string) flags(substring)) and message('logtype=Audit' type(string) flags(substring)) };
filter f_forcepoint_security { message('vendor=Forcepoint' type(string) flags(substring)) and message('product=Security' type(string) flags(substring)) };
filter f_forcepoint_web_access{ match("wcgextended" value("PROGRAM")...
Forcepoint's default profile is: % % vendor=Forcepoint product=Security product_version=% action=% severity=% category=% user=% loginID=% src_host=% src_port=% dst_host=% dst_ip=% dst_port=% bytes_out=% bytes_in=% http_response=% http_method=% http_content_type=% http_user_agent=% http_proxy_status_code=% reason=% disposition=% policy=% role=%...
If we change the profile to % % vendor=Forcepoint product=Security product_version=% action=% severity=% category=% user=% loginID=% src_host=% src_port=% dst_host=% dst_ip=% dst_port=% bytes_out=% bytes_in=% http_response=% http_method=% http_content_type=% http_user_agent=% http_proxy_status_code=% reason=% disposition=%...
or %Y-%m-%dT%H:%M:%S.%f%z
Example of the current format, which currently isn't picked up by the forcepoint_webprotect key: LOCAL3.DEBUG: Oct 03 14:37:55 10.*.*.* vendor=Forcepoint product=Security product_version=*.*.* action=permitted severity=1 category=2 user=* loginID=* src_host=10.*.*.* src_port=14430 dst_host=* dst_ip=*.*.*.* dst_port=443...
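A local check for the line shape shown above, added here as an example (not code from the thread's author or from the syslog project): it splits the "facility.level: timestamp host message" prefix from the Forcepoint key=value body and applies the same substring test as the f_forcepoint_security filter posted earlier. The sample line is constructed from the redacted example, with placeholder IPs, version and user.

```python
import re
from typing import Dict, Optional

# Constructed sample modelled on the redacted line in the thread; the IPs,
# version and user are placeholders, not values from a real capture.
SAMPLE_LINE = (
    "LOCAL3.DEBUG: Oct 03 14:37:55 10.0.0.1 vendor=Forcepoint product=Security "
    "product_version=0.0.0 action=permitted severity=1 category=2 user=example "
    "loginID=example src_host=10.0.0.2 src_port=14430 dst_host=example.org "
    "dst_ip=192.0.2.10 dst_port=443"
)

# Prefix as it appears in the thread: "<facility>.<level>: <BSD timestamp> <host> <message>".
HEADER_RE = re.compile(
    r"^(?P<facility>[A-Z0-9]+)\.(?P<level>[A-Z]+): "
    r"(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<message>.*)$"
)

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_forcepoint_line(line: str) -> Optional[Dict[str, object]]:
    """Split one Forcepoint syslog line into header parts plus a field dict.
    Returns None when the header does not have the expected shape."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("message"))}
    return {
        "facility": m.group("facility"),
        "level": m.group("level"),
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "fields": fields,
    }


def matches_security_filter(line: str) -> bool:
    """Same test as filter f_forcepoint_security in the thread: both
    substrings must be present anywhere in the message."""
    return "vendor=Forcepoint" in line and "product=Security" in line
```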
Is there an update on this? What is the expected logging format that should be matched? We are running 2.30; I can see there is a possible fix for our...
Is there an update on this?