Submit a ticketCall us

Looking to compare latest NPM features with previous versions of NPM?
The NPM new feature summary offers a comparison of new features and improvements offered with this release.

 

Home > Success Center > Log & Event Manager (LEM) > SolarWinds LEM 6.3 User Guide > Monitoring network security with LEM > Monitor proxy servers for suspicious URL access

Monitor proxy servers for suspicious URL access

Monitor proxy servers to track network users who attempt to access suspicious websites using partial or complete URL addresses. Configure your proxy server to log to your SolarWinds LEM appliance and set up the appropriate connector on your SolarWinds LEM manager.

Set your proxy server to log to a virtual appliance

Set your proxy server to log to your LEM virtual appliance to centralize its log data with your LEM events. You can integrate proxy servers from popular vendors such as Websense and Barracuda.

Because the integration process is different for each vendor, each proxy server is documented separately in the SolarWinds Success Center. If a knowledge base article is not available, contact Customer Support.

Configure a proxy server connector on a LEM manager

After you configure your proxy server to log to your LEM appliance, configure the corresponding connector on your LEM Manager. Many of the proxy server connectors are similar with some unique settings.

The following procedure describes how to set up a connector for a Websense proxy server. You can find instructions for additional firewall connectors in the SolarWinds knowledge base.

  1. Open the console and log in to the LEM Manager as an administrator.
  2. Click Manage > Appliances.
  3. Locate your LEM manager in the grid.
  4. Click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0A0/040/Button-Gear(Gray)_17x14.png and select Connectors.
  5. In the Connector Configuration window, enter Websense Web Filter in the search box.
  6. Click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0A0/040/Button-Gear(Gray)_17x14.png next to the Websense Web Filter and Websense Web Security connector and click New.
  7. Replace the Alias value with a custom alias or accept the default.
  8. Click Save.
  9. Click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0A0/040/Button-Gear(Gray)_17x14.png next to the new connector instance and select Start.
  10. Click Close to close the Connector Configuration window.

Clone and enable the Known Spyware Site traffic rule

You can track when users attempt to access suspicious websites by partial or complete URL addresses by enabling the Known Spyware Site Traffic rule. This rule generates a HostIncident event by default you can use in conjunction with the Incidents report to notify auditors that you are auditing critical events on your network.

Before you enable this rule, ensure your proxy server transmits complete URL addresses to your LEM manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If your proxy server does not log web traffic events with this level of detail, check the events coming from your firewalls, as they can sometimes be used for this rule as well.

  1. Open the console and log into the LEM manager as an administrator.
  2. Click Build > Rules.
  3. Click Default Rules in the Refine Results pane.
  4. Enter Known Spyware Site Traffic in the Refine Results search box.
  5. Click File:Success_Center/Reusable_content_-_InfoDev/LEMUserGuide_MT/0A0/040/Button-Gear(Gray)_17x14.png and select Clone.
  6. Select the folder where you want to save the cloned rule, and then click OK.
  7. Select Enable in the Rule Creation window.
  8. Click Save.
  9. On the main Rules screen, click Activate Rules.

 

 

 
Last modified
17:09, 26 Jan 2017

Tags

This page has no custom tags.

Classifications

Public