Configure LEM to monitor proxy servers for suspicious URL access in LEM

Monitor proxy servers to track network users who attempt to access suspicious websites using partial or complete URL addresses. Configure your proxy server to log to LEM and set up the appropriate connector on your SolarWinds LEM Manager.

Set your proxy server to log to a virtual appliance

Set your proxy server to log to LEM to centralize its log data with your LEM events. You can integrate proxy servers from popular vendors such as Websense and Barracuda.

Because the integration process is different for each vendor, each proxy server is documented separately in the SolarWinds Success Center. If a knowledge base article is not available, contact Customer Support.

Configure a proxy server connector on a LEM Manager

After you configure your proxy server to log to your LEM appliance, configure the corresponding connector on your LEM Manager. Many of the proxy server connectors are similar with some unique settings.

The following procedure describes how to set up a connector for a Websense proxy server. You can find instructions for additional firewall connectors in the SolarWinds knowledge base.

  1. Open the console and log in to the LEM Manager as an administrator.
  2. On the LEM toolbar, navigate to Manage > Appliances.
  3. Locate your LEM Manager in the grid.
  4. Click , and then select Connectors.
  5. In the Connector Configuration window search box, enter Websense Web Filter.
  6. Next to the Websense Web Filter and Websense Web Security connector, click , and then click New.
  7. Replace the Alias value with a custom alias or accept the default.
  8. Click Save.
  9. Next to the new connector instance, click , and then select Start.
  10. To close the Connector Configuration window, click Close.

Clone and enable the Known Spyware Site traffic rule

You can track when users attempt to access suspicious websites by partial or complete URL addresses by enabling the Known Spyware Site Traffic rule. This rule generates a HostIncident event by default you can use in conjunction with the Incidents report to notify auditors that you are auditing critical events on your network.

Before you enable this rule, ensure your proxy server transmits complete URL addresses to your LEM Manager by checking the URL field of any WebTrafficAudit event generated by your proxy server. If your proxy server does not log web traffic events with this level of detail, check the events coming from your firewalls, as they can sometimes be used for this rule as well.

  1. Open the console and log into the LEM Manager as an administrator.
  2. On the LEM toolbar, navigate to Build > Rules.
  3. In the Refine Results pane, click Default Rules.
  4. In the Refine Results search box, enter Known Spyware Site Traffic.
  5. Click , and then select Clone.
  6. Select the folder where you want to save the cloned rule, and then click OK.
  7. In the Rule Creation window, select Enable, and then click Save.
  8. On the main Rules screen, click Activate Rules.