Configure LEM to monitor proxy servers for suspicious URL access

Updated: September 15, 2017

Monitor proxy servers to track network users who attempt to access suspicious websites using partial or complete URL addresses. Configure your proxy server to log to LEM and set up the appropriate connector on the SolarWinds LEM Manager.

Set your proxy server to log to a virtual appliance

Set your proxy server to log to LEM to centralize its log data with your LEM events. You can integrate proxy servers from popular vendors such as Websense and Barracuda.

Because the integration process is different for each vendor, each proxy server is documented separately in the SolarWinds Success Center. If a knowledge base article is not available, contact Customer Support.

Configure a proxy server connector on a LEM Manager

After you configure your proxy server to log to your LEM appliance, configure the corresponding connector on your LEM Manager. Many of the proxy server connectors are configured in a similar way, with some settings unique to each.

The following procedure describes how to set up a connector for a Websense proxy server. You can find instructions for additional firewall connectors in the SolarWinds knowledge base.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log in to the SolarWinds LEM Manager as an administrator.
  2. Click Manage > Appliances.
  3. Locate your LEM Manager in the grid.
  4. Click the gear icon and select Connectors.
  5. In the Connector Configuration window, enter Websense Web Filter in the search box.
  6. Click the gear icon next to the Websense Web Filter and Websense Web Security connector and click New.
  7. Replace the Alias value with a custom alias or accept the default.
  8. Click Save.
  9. Click the gear icon next to the new connector instance and select Start.
  10. Click Close to close the Connector Configuration window.

Clone and enable the Known Spyware Site traffic rule

You can track when users attempt to access suspicious websites by partial or complete URL addresses by enabling the Known Spyware Site Traffic rule. By default, this rule generates a HostIncident event, which you can use in conjunction with the Incidents report to notify auditors that you are auditing critical events on your network.

Before you enable this rule, ensure your proxy server transmits complete URL addresses to your LEM Manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If your proxy server does not log web traffic events with this level of detail, check the events coming from your firewalls, as they can sometimes be used for this rule as well.
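The following added example (not SolarWinds code) shows one way to run this check offline over URL field values copied from WebTrafficAudit events, and why it matters for partial-URL matching. The sample values, the watchlist entries, and the substring matching model are assumptions made for illustration; they are not taken from LEM or from the rule itself.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed URL field values, as they might appear in WebTrafficAudit events.
SAMPLE_URL_FIELDS = [
    "http://updates.example.test/toolbar/install.exe?id=42",
    "https://www.example.org/index.html",
    "cdn.example.net",             # host only
    "203.0.113.7:8080",            # host:port only
    "",                            # field not populated
    "http://portal.example.com/",
]
# Hypothetical partial-URL watchlist, not the rule's real contents.
WATCHLIST = ["example.test/toolbar", "cdn.example.net"]

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def _split(value):
    # urlsplit only finds the host when a scheme or a leading // is present.
    return urlsplit(value if _SCHEME.match(value) else "//" + value)

def classify(url_field):
    """Label one URL field value as 'empty', 'host-only' or 'complete'."""
    value = url_field.strip()
    if not value:
        return "empty"
    parts = _split(value)
    return "complete" if parts.netloc and parts.path else "host-only"

def completeness(url_fields):
    """Count how many sampled events carry each level of URL detail."""
    return Counter(classify(u) for u in url_fields)

def as_host_only(url_field):
    """Simulate a proxy that logs only the destination host."""
    value = url_field.strip()
    return _split(value).netloc if value else ""

def watchlist_hits(url_fields, watchlist):
    """Assumed matching model: case-insensitive substring of the URL field."""
    return {w: [u for u in url_fields if w.lower() in u.lower()] for w in watchlist}

if __name__ == "__main__":
    print(dict(completeness(SAMPLE_URL_FIELDS)))
    degraded = [as_host_only(u) for u in SAMPLE_URL_FIELDS]
    for entry in WATCHLIST:
        full = len(watchlist_hits(SAMPLE_URL_FIELDS, [entry])[entry])
        lost = len(watchlist_hits(degraded, [entry])[entry])
        print(f"{entry}: {full} hit(s) with full URLs, {lost} with host-only logging")
```

A high share of `host-only` or `empty` values in your own sample means watchlist entries that include a path cannot match, which is the situation where the firewall events are worth checking instead.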

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log in to the SolarWinds LEM Manager as an administrator.
  2. Click Build > Rules.
  3. Click Default Rules in the Refine Results pane.
  4. Enter Known Spyware Site Traffic in the Refine Results search box.
  5. Click the gear icon and select Clone.
  6. Select the folder where you want to save the cloned rule, and then click OK.
  7. Select Enable in the Rule Creation window.
  8. Click Save.
  9. On the main Rules screen, click Activate Rules.