KB Article | Forcepoint Support

Notes & Warnings

Important
  • The following steps detail enabling the TestLogServer utility to collect important diagnostic data. While collecting data, no traffic is logged to your Reporting Database.
  • After completing your diagnostics, restart Log Server to resume logging to your Reporting Database. If TestLogServer was run on a separate machine from Log Server, open Forcepoint Security Manager and reset the Logging IP address back to the original IP.
To not lose logging data while running TestLogServer, see Running TestLogServer Without Stopping Log Server Service.
 

Problem Description

How do I use TestLogServer to evaluate and troubleshoot security policy issues?
 

Resolution

TestLogServer is a command-line utility that displays log traffic sent from Filtering Service to Log Server. You can easily identify Web filtering and/or logging issues by viewing this logging traffic.
  • The TestLogServer utility listens on port 55805, which is the same port used by Log Server. If you start the TestLogServer utility on the same machine as Log Server while the Log Server service is running, you will receive a "Could not bind to port 55805" message.
  • Your options to avoid this error are:
    • Stop the Log Server service. This resolution results in the loss of logging data while the Log Server service is stopped.
    • Allow TestLogServer to capture traffic on an alternate port. This resolution allows Web filtering to continue logging to your reporting database while running the TestLogServer utility. For details, see Running TestLogServer Without Stopping Log Server Service.

For Web v7.x-8.5 and later in Windows:

  1. Prepare your system to log to TestLogServer:
  • If Log Server and Filtering Service are on separate machines, configure Filtering Service to log locally:
    1. Open Forcepoint Security Manager.
    2. Navigate to Settings > General > Logging.
    3. Change the identity of the Log Server to 127.0.0.1.
    4. Click OK and Save and Deploy.
  • If Log Server and Filtering Service are on the same machine, stop the Log Server service:
    1. Open Services via the run command services.msc.
    2. Locate Websense Log Server, right-click and select Stop.
Important Logging to the Log Database will not occur while the Log Server service is stopped.

  2. Run TestLogServer on the Filtering Service machine:
    1. Open a command prompt as an administrator.
    2. Type cd <drive and folder>Websense\Web Security\bin
    3. Choose how to run TestLogServer:
    • To see log traffic, type:
TestLogServer

This command dumps ALL logging traffic to the window. Logging data populates the command prompt window as outgoing requests are received.
    • To log data to a text file, type:
TestLogServer -file logfile.txt

This command logs ALL data to the window while also writing the same data to logfile.txt, located in the Websense\Web Security\bin folder.
    • To log data from a specific client, type:
TestLogServer -onlyip <IP address>

Replace <IP address> with the client machine's IP address. This command populates the window with data as outgoing requests are received from the specific client machine.
    • To log traffic from a single client machine to a text file, type:
TestLogServer -onlyip <IP address> -file logfile.txt

This command populates the command prompt window and the log file as outgoing requests are received from the specific client machine.
  3. Press Ctrl+C to stop TestLogServer.
  4. Review logfile.txt in the Websense\Web Security\bin directory. Search for the specific sites visited for further analysis.
Note For easy analysis, TestLogServer is generally run by combining the previous two suggestions: receiving traffic from a single machine and logging data to a text file.
  5. If you configured the identity of Log Server to 127.0.0.1 (localhost), revert the change:
    1. Open Forcepoint Security Manager.
    2. Navigate to Settings > General > Logging.
    3. Change the identity of the Log Server back to the previous IP address.
    4. Click OK and Save and Deploy.
  6. If Log Server was stopped, start the service again:
    1. Open Services via the run command services.msc.
    2. Locate Websense Log Server, right-click and select Start.

 
For Web v7.x-8.5 and later in Linux:

 
Important While the Filtering Service component can be installed on either Windows or Linux platforms, Log Server is only supported on Windows. In the following instructions, Filtering Service is on a Software Content Gateway Linux machine. The compatible TestLogServer command on Linux is WebsenseTools -t.

If using an appliance, raise a case with Technical Support for assistance. 
  

  1. Prepare your system to log to TestLogServer:
  If Log Server and Filtering Service are on separate machines, configure Filtering Service to log locally:
    1. Open Forcepoint Security Manager.
    2. If using a different Policy Server, use the Switch button and select the correct Policy Server IP address.
    3. Navigate to Settings > General > Logging.
    4. Change the identity of the Log Server to 127.0.0.1.
    5. Click OK and Save and Deploy.
  2. Run TestLogServer on the Filtering Service machine:
    1. SSH to the Content Gateway machine.
    2. Type cd /opt/Websense
    3. Choose how to run TestLogServer:
    • To see log traffic, type:
./WebsenseTools -t

This command dumps ALL logging traffic to the terminal window. Logging data populates the window as outgoing requests are received.
    • To log the data to a text file, type:
./WebsenseTools -t -file log.txt

Logging data is written to a file called log.txt located in the /opt/Websense/bin directory.
    • To log traffic from a single client machine, type:
./WebsenseTools -t -onlyip <IP address>

Replace <IP address> with the client machine's IP address. This command populates the window with data as outgoing requests are received from the specific client machine.
    • To log traffic from a single client machine to a text file, type:
./WebsenseTools -t -onlyip <IP address> -file log.txt

This command populates the window and the log file as outgoing requests are received from the specific client machine.
  3. Press Ctrl+C to stop TestLogServer.
  4. Review log.txt in the /opt/Websense/bin directory. Search for the specific sites visited for further analysis.
Note For easy analysis, TestLogServer is generally run by combining the previous two suggestions: receiving traffic from a single machine and logging data to a text file.

  5. If you configured the identity of Log Server to 127.0.0.1 (localhost), revert the change:
    1. Open Forcepoint Security Manager.
    2. Navigate to Settings > General > Logging.
    3. Change the identity of the Log Server back to the previous IP address.
    4. Click OK and Save and Deploy.

Additional Information 
  
TestLogServer is one of several diagnostic utilities included as part of your Forcepoint installation, and can be used to diagnose the following issues.
  • Incorrect filtering
  • Incorrect authentication
  • Incorrect policy application
  • Logging issues
  • Problems with URL categorization
  • Protocol identification
The following is a sample of traffic sent to the TestLogServer:

time= Sun Sep 18 17:04:48 2018   version= 5
server= 10.212.9.212  source= 10.212.9.212  dest= 174.76.227.94
URL= 
http://www.microsoft.com
protocol= 1 - http  port= 80  networkDirection= Inbound
method=
contentType =
category= 9 - INFORMATION TECHNOLOGY
categoryReason= 0 - CatNone
disposition= 1026 - Category Not Blocked
roleId= 0
user= WinNT://Domain/user
bytes sent= 421  bytes received= 341
  duration= 142000 ms   scan duration= 0 ms
policyName=
 
The following data is displayed in TestLogServer:
  • time: exact time that the request was generated (from the Filtering Service machine).
  • server: IP address of the Filtering Service machine.
  • source: IP address of the requesting workstation. Use this information to verify that Filtering Service is seeing the correct traffic.
  • dest: IP address (destination) of the requested URL. Incorrect or missing data can indicate DNS issues (in which case filtering will not occur properly).
  • protocol: protocol (http, ftp, etc.) associated with the request. In the case of non-http filtering, this value can indicate whether or not Filtering Service is classifying protocols correctly.
  • url: destination URL for the request.
  • port: number of the port that the connection attempted to use.
  • category: Forcepoint category of the requested URL. Determine if the category of this site is correct. If it is not, you may decide to submit it to the Forcepoint database team for recategorization, or you might recategorize it yourself in Forcepoint Security Manager as a custom URL.
  • disposition: how the request was handled by Filtering Service. Use this value to determine if Filtering Service blocked or permitted the site according to the filtering policy you applied.
  • keyword: indicates the keyword used to block a request.
  • user: authenticated user name.
  • bytes: displays bytes sent and bytes received. These values may indicate performance problems with Filtering Service.
  • Duration: The total time, in seconds, that it took to retrieve the HTML data and images from the actual site. This does not include time spent viewing the site once it has been completely loaded onto the user's machine. This information is passed to Forcepoint by the Integration. Certain integrations, such as PIX, do not currently have the ability to do this, so Network Agent is installed to pass Bytes Transferred and Duration.
  • Policy Name: The Policy name. This data may not be available in your Forcepoint version.
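When TestLogServer output has been written to a file with -file, the records are easier to review programmatically than by scrolling. The parser below is an added example, not part of this article or of the TestLogServer utility: it reads the record layout shown above (fields separated by runs of spaces, the URL printed on the line after URL=, each record beginning with time=) and lists the requests that Filtering Service blocked. The first sample record is the one shown above, abridged; the second record is constructed, and its category and disposition codes are placeholders rather than real Forcepoint codes.

```python
import re
# Constructed sample in the record layout TestLogServer prints: the first record
# is the one shown above (abridged); the second is made up, with placeholder codes.
SAMPLE = """\
time= Sun Sep 18 17:04:48 2018   version= 5
server= 10.212.9.212  source= 10.212.9.212  dest= 174.76.227.94
URL=
http://www.microsoft.com
contentType =
category= 9 - INFORMATION TECHNOLOGY
disposition= 1026 - Category Not Blocked
user= WinNT://Domain/user
bytes sent= 421  bytes received= 341
  duration= 142000 ms   scan duration= 0 ms
time= Sun Sep 18 17:05:02 2018   version= 5
server= 10.212.9.212  source= 10.212.9.45  dest= 203.0.113.7
URL=
http://example.invalid/play?id=1
category= 0 - CONSTRUCTED CATEGORY
disposition= 0 - Category Blocked
"""

def parse_records(text):
    """Split TestLogServer output into dicts; each 'time=' field starts a record."""
    records, rec, pending = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if pending == "URL" and rec is not None:  # the URL is printed on its own
            rec["URL"], pending = line, None      # line and may itself contain '='
            continue
        for chunk in re.split(r"\s{2,}", line):  # fields are separated by 2+ spaces
            key, _, value = (s.strip() for s in chunk.partition("="))
            if key == "time":                    # first field of every record
                rec = {}
                records.append(rec)
            if rec is not None:
                rec[key] = value
                pending = key if value == "" else None
    return records

def is_blocked(disposition):
    """True for dispositions such as 'Category Blocked', False for 'Category Not Blocked'."""
    text = disposition.lower()
    return "blocked" in text and "not blocked" not in text

def blocked_requests(records):
    """(source, URL) pairs that Filtering Service blocked: the rows to check against the policy."""
    return [(r.get("source"), r.get("URL")) for r in records
            if is_blocked(r.get("disposition", ""))]
```

Point parse_records at the contents of logfile.txt or log.txt to get one dict per record, keyed by the field names shown above (including multi-word keys such as "bytes received" and "scan duration").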
 
To see a full listing of options, type TestLogServer -help. The output follows:
 
C:\Program Files (x86)\Websense\Web Security\bin>TestLogServer -help
 
TestLogServer version 8.5.0
 
Usage: TestLogServer [-help] [-raw] [-noprettyprint] [-nopp] [-file filename]
                     [-port portNumber] [-forward addr:port] [-version1]
                     [-onlyip ip]  [-iprange start_ip end_ip]
 
Options:
   -help               Display this help information
   -raw                Display raw received data
   -noprettyprint      Don't display formatted information
   -nopp               Same as -noprettyprint
   -file filename      Write received information into a file
   -port portNumber    Port to listen on
   -forward addr:port  Forward data to another log server at addr:port
   -onlyip             Only display records from this source address
   -iprange            Only display records from sources in this IP range
 
