# Websense parser

The Websense parser can parse the log messages of Websense Content Gateway (Raytheon|Websense, now Forcepoint). These messages do not completely comply with the syslog RFCs, which makes them difficult to parse. The `websense-parser()` of AxoSyslog solves this problem and separates these log messages into name-value pairs. For details on using value-pairs in AxoSyslog, see [Structuring macros, metadata, and other value-pairs](../../docs/axosyslog-core/chapter-concepts/concepts-value-pairs/index.md). The parser can parse messages in the following format:
```
<PRI><DATE> <TIMEZONE> <IP-ADDRESS> <NAME=VALUE PAIRS>
```

For example:
```
<159>Dec 19 10:48:57 EST 192.168.1.1 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=192.168.2.1 src_port=62189 dst_host=example.com dst_ip=192.168.3.1 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type=- http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23 http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://example.com
```

If you find a message that the `websense-parser()` cannot properly parse, [contact us](<https://axoflow.com/contact/>), so we can improve the parser.

The AxoSyslog application sets the `${PROGRAM}` field to `Websense`.

By default, the Websense-specific fields are extracted into name-value pairs prefixed with `.websense.`. For example, the `product_version` in the previous message becomes `${.websense.product_version}`. You can change the prefix using the `prefix` option of the parser.
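To see what this layout and prefixing produce, here is an added Python illustration (not AxoSyslog's own code) that splits a message of the format above into prefixed name-value pairs. The function name `parse_websense`, the lowercase header key names, and the choices to reject lines whose sender field is not an IP address and to skip tokens without a `name=value` shape are assumptions of this example.

```python
import ipaddress
import re

# Layout from the page: <PRI><DATE> <TIMEZONE> <IP-ADDRESS> <NAME=VALUE PAIRS>
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<date>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<tz>\S+) (?P<host>\S+) (?P<pairs>.*)$"
)

def parse_websense(line, prefix=".websense."):
    """Return name-value pairs for one line, or None if the header is malformed."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # largest valid PRI: facility 23 * 8 + severity 7
        return None
    try:
        ipaddress.ip_address(m.group("host"))  # reject non-IP sender fields
    except ValueError:
        return None
    # Header key names below are this example's own, not AxoSyslog macros.
    out = {
        "facility": pri >> 3,
        "severity": pri & 7,
        "date": m.group("date"),
        "timezone": m.group("tz"),
        "host": m.group("host"),
        "program": "Websense",  # mirrors ${PROGRAM} as described on the page
    }
    for token in m.group("pairs").split():
        # Split on the first '=' only, so '=' inside a URL stays in the value.
        name, sep, value = token.partition("=")
        if sep and name:  # assumption: tokens without name=value shape are skipped
            out[prefix + name] = value
    return out

# Constructed sample: shortened form of the example message on this page,
# with a query string added to the url to exercise the first-'=' split.
SAMPLE = (
    "<159>Dec 19 10:48:57 EST 192.168.1.1 vendor=Websense product=Security "
    "product_version=7.7.0 action=permitted user=- src_host=192.168.2.1 "
    "dst_host=example.com http_method=CONNECT url=https://example.com/?q=a=b"
)

if __name__ == "__main__":
    for key, value in parse_websense(SAMPLE, prefix="myprefix.").items():
        print(f"{key}={value}")
```

A standard BSD-syslog line puts the hostname where this format has the timezone token, so it fails the IP address check and returns `None` instead of yielding misassigned fields.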

## Declaration:
```
@version: 4.25
@include "scl.conf"
log {
    source { network(flags(no-parse)); };
    parser { websense-parser(); };
    destination { ... };
};
```

Note that you have to disable message parsing in the source using the `flags(no-parse)` option for the parser to work.

The `websense-parser()` is actually a reusable configuration snippet configured to parse Websense messages. For details on using or writing such configuration snippets, see [Reusing configuration blocks](../../docs/axosyslog-core/chapter-configuration-file/large-configs/config-blocks/index.md). You can find the source of this configuration snippet on [GitHub](<https://github.com/axoflow/axosyslog/blob/master/scl/websense/plugin.conf>).

## prefix()

|           |          |
|-----------|----------|
| Synopsis: | prefix() |
  
_Description:_ Insert a prefix before the name part of the parsed name-value pairs to help further processing. For example:

  * To insert the `my-parsed-data.` prefix, use the `prefix(my-parsed-data.)` option.
  * To refer to a particular piece of data that has a prefix, use the prefix in the name of the macro, for example, `${my-parsed-data.name}`.
  * If you forward the parsed messages using the IETF-syslog protocol, you can insert all the parsed data into the SDATA part of the message using the `prefix(.SDATA.my-parsed-data.)` option.



Names starting with a dot (for example, `.example`) are reserved for use by AxoSyslog. If you use such a macro name as the name of a parsed value, AxoSyslog will attempt to replace the original value of the macro (note that only soft macros can be overwritten, see [Hard versus soft macros](../../docs/axosyslog-core/chapter-manipulating-messages/customizing-message-format/macros-hard-vs-soft/index.md) for details). To avoid such problems, use a prefix when naming the parsed values, for example, `prefix(my-parsed-data.)`.

By default, `websense-parser()` uses the `.websense.` prefix. To modify it, use the following format:
```
parser {
    websense-parser(prefix("myprefix."));
};
```

Last modified October 16, 2025: [Fix @version config numbers in examples (89688d87)](<https://github.com/axoflow/axosyslog-core-docs/commit/89688d8719a35ac2c048319e8fa82c11c6cad085>)