Yes, right now we have three of the big boys... the WW2900E 2U models, with the potential of growing that count to support our enterprise globally.
I've done the UDS class and am familiar with the daunting task of coding it all out. Although I must say I've been impressed with the Graphical UDS Editor. It does not, however, convince me strongly enough that I might have the weeks and months of uninterrupted time to code out all the possible events generated by Webwasher that I'm interested in. Last I had heard the individual(s) at RSA who wrote the Graphical UDS Editor were going to add functionality that would allow you to continue where you had last left off (when I saw it last you had to write everything at once... in one sitting, and hit save file to get your XML). But on the bright side, Winter is just around the corner and if they get that feature added in, I might have the time and would be more interested in taking a crack at it also. Maybe in phases.
Do you have webwashers?
Have you voiced your need/desire with enVision to make it an officially supported Event Source?
Great information. I was actually in contact with some of the people at Secure Computing trying to get some webwasher logs to create some UDS for them. You are correct in that there are almost endless possibilities on what someone might want done with a webwasher log. It sounds like you have somewhat tamed the beast. I will let you know how I make out.
If I may ask, what are you using enVision to look for from WebWasher?
Well actually I don't. I'm not using enVision for any of it yet. That's the problem. It's not an officially supported device, and the associated workload to do it in-house via UDS is way too much at the moment. But my oh my, the types of things we could correlate against! We're deploying them as web proxies (at the moment), so my first priority would be around outbound web usage, both successful and denied, but that just scratches the surface for what webwasher can do, as you already know. It's like a 10-in-1 tool.
Which is basically why I posted this thread... I wanted to inquire if any other enVision customers out there use webwasher and would be interested in having it as a supported device. If there's enough response, they'll give it harder consideration (or so I hope).
I've gotten the UDS done started enough to be tolerated for our Webwashers. I only wrote one message definition specific for the HTTP Access logs so we can get them leveraged by WebAccounting table. Since Webwashers have half a dozen different log files, and within each you can modify the field construction pattern to suit your needs, I only wrote what we need, and yes we have a modified format.
So, the attached XML should work for the HTTPAccess.log only if you specify the following field construction pattern inside the Webwasher. For MessageID, we added a "#static_MessageID" field at the beginning (reference your Webwasher documentation) and prepopulated it with a string of text to use for all web traffic events. I think we used "http_access_log"
#static_MessageID src_ip src_host auth_user time_stamp "req_line" status_code bytes_to_client bytes_from_client elapsed_time "referer" "user_agent" policy block_res rep_level "categories" server_ip server_name url_port protocol media_type content_length cache_status virus_name
Notice there are two files, one for 4.0.0 and one for 3.5.2. There was a table change to WebAccounting table in 4.0.0, they added a user_agent field, so the XMLs accommodate for this. Back on 3.5.2 I was throwing the user agent string into the category field (256 chars).
Oh, and you'll probably also need to modify the header definition to account for whatever you set the Filereader service up as. Ours was "RCWEBWASHER".
Any questions let me know,
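The post above defines the HTTPAccess.log layout entirely through the field construction pattern and the "#static_MessageID" value that fronts every line. As an added illustration (not code from the thread, the attached UDS XML, or Webwasher/enVision itself), the following Python parser reads lines in exactly that pattern, keeps the four double-quoted fields intact even when they contain spaces, rejects lines whose MessageID is not "http_access_log" or whose field count is wrong, and tallies allowed versus denied requests per user. The sample log lines are constructed; the timestamp format, the "-" placeholder for empty values, and the block_res values are assumptions about the modified format, not documented Webwasher output.

```python
import re
from collections import defaultdict

# Field construction pattern quoted in the post, in order. The four fields the
# pattern wraps in double quotes may contain spaces.
FIELDS = [
    "static_MessageID", "src_ip", "src_host", "auth_user", "time_stamp",
    "req_line", "status_code", "bytes_to_client", "bytes_from_client",
    "elapsed_time", "referer", "user_agent", "policy", "block_res",
    "rep_level", "categories", "server_ip", "server_name", "url_port",
    "protocol", "media_type", "content_length", "cache_status", "virus_name",
]
INT_FIELDS = {"status_code", "bytes_to_client", "bytes_from_client",
              "elapsed_time", "url_port", "content_length"}
# The value the post says was prepopulated into #static_MessageID.
MESSAGE_ID = "http_access_log"

# One token is either a double-quoted run (group 1) or a bare run of
# non-whitespace characters (group 2).
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    """Split a log line on whitespace, keeping quoted fields as single tokens."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(line)]


def parse_line(line):
    """Return a dict keyed by field name; raise ValueError for lines this
    message definition does not own (wrong MessageID or field count)."""
    tokens = tokenize(line)
    if not tokens or tokens[0] != MESSAGE_ID:
        found = tokens[0] if tokens else "<empty>"
        raise ValueError(f"MessageID {found!r} is not {MESSAGE_ID!r}")
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    rec = dict(zip(FIELDS, tokens))
    # Assumption: "-" is the placeholder for an empty numeric field.
    for name in INT_FIELDS:
        rec[name] = int(rec[name]) if rec[name] != "-" else None
    return rec


def parse_log(text):
    """Parse a whole log; return (records, rejected) where rejected holds
    (line number, reason) pairs so that nothing is silently dropped."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(parse_line(line))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return records, rejected


def summarize(records):
    """Per-user allowed/denied counts. Assumption: block_res is "-" when the
    proxy did not block the request, and anything else names a block reason."""
    counts = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for rec in records:
        key = "denied" if rec["block_res"] != "-" else "allowed"
        counts[rec["auth_user"]][key] += 1
    return dict(counts)


# Constructed sample lines in the post's field construction pattern; the third
# line carries a different MessageID and must be rejected by this definition.
SAMPLE_LOG = """\
http_access_log 10.1.2.3 ws-1234.corp.example auser 2008-11-10T09:15:02 "GET http://www.example.com/index.html HTTP/1.1" 200 5120 310 45 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)" Default - 0 "Business, Computing" 192.0.2.10 www.example.com 80 http text/html 5120 TCP_MISS -
http_access_log 10.1.2.4 ws-5678.corp.example buser 2008-11-10T09:16:30 "GET http://badsite.example/x HTTP/1.1" 403 0 0 2 "-" "Mozilla/4.0 (compatible; MSIE 7.0)" Default URLBlocked 0 "Malicious Sites" 192.0.2.20 badsite.example 80 http - 0 TCP_DENIED -
some_other_log 10.1.2.5 ws-9999.corp.example cuser 2008-11-10T09:17:00 "-"
"""

if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(rec["auth_user"], rec["status_code"], rec["block_res"], rec["user_agent"])
    for lineno, reason in bad:
        print(f"line {lineno} rejected: {reason}")
    print(summarize(recs))
```

The rejected list is the part worth keeping in a real UDS workflow: every line the message definition does not claim (another Webwasher log file, a changed field construction pattern, a truncated line) shows up with a reason instead of disappearing, which is how a mismatch between the pattern configured in Webwasher and the one the XML expects gets noticed.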