Splunk® Supported Add-ons

Splunk Add-on for Symantec Blue Coat ProxySG and ASG


Configure logging in your Blue Coat ProxySG appliance for the Splunk Add-on for Symantec Blue Coat ProxySG

Work with your Blue Coat ProxySG administrator to determine how best to present the ProxySG logs to your Splunk platform instance for ingestion. You have three options:

  1. You can collect syslog data using a key-value format. This is the recommended format for use with syslog, because the default Blue Coat format omits important information. The format definition for key-value logging is provided in this topic.
  2. You can send batches of log files using FTP and configure your Splunk platform instance to monitor those files.
  3. You can push the logs continuously to the Splunk platform using syslog and the bcreportermain_v1 format. This format is only supported for Blue Coat ProxySG OS versions 6.7.x and 7.3.x.

If you have customized the fields or the order of the fields in your log, use the file monitoring input as a best practice.

Configure logging in your Blue Coat ProxySG appliance in the Key-Value format

Work with your Blue Coat ProxySG administrator to create a custom format for this type of data collection. Follow the steps below:

  1. Log in to the Blue Coat Management Console.
  2. Select Configuration > Access Logging > Formats.
  3. Select New.
  4. Type a name for the custom format and paste the following format definition (a single line; the space between the timestamp and $(s-computername) separates the RFC 5424 header fields):
    <111>1 $(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc) $(s-computername) bluecoat - splunk_format - c-ip=$(c-ip) rs-Content-Type=$(quot)$(rs(Content-Type))$(quot) cs-auth-groups=$(cs-auth-groups) cs-bytes=$(cs-bytes) cs-categories=$(cs-categories) cs-host=$(cs-host) cs-ip=$(cs-ip) cs-method=$(cs-method) cs-uri-port=$(cs-uri-port) cs-uri-scheme=$(cs-uri-scheme) cs-User-Agent=$(quot)$(cs(User-Agent))$(quot) cs-username=$(cs-username) dnslookup-time=$(dnslookup-time) duration=$(duration) rs-status=$(rs-status) rs-version=$(rs-version) s-action=$(s-action) s-ip=$(s-ip) service.name=$(service.name) service.group=$(service.group) s-supplier-ip=$(s-supplier-ip) s-supplier-name=$(s-supplier-name) sc-bytes=$(sc-bytes) sc-filter-result=$(sc-filter-result) sc-status=$(sc-status) time-taken=$(time-taken) x-exception-id=$(x-exception-id) x-virus-id=$(x-virus-id) c-url=$(quot)$(url)$(quot) cs-Referer=$(quot)$(cs(Referer))$(quot) c-cpu=$(c-cpu) connect-time=$(connect-time) cs-auth-groups=$(cs-auth-groups) cs-headerlength=$(cs-headerlength) cs-threat-risk=$(cs-threat-risk) r-ip=$(r-ip) r-supplier-ip=$(r-supplier-ip) rs-time-taken=$(rs-time-taken) rs-server=$(rs(server)) s-connect-type=$(s-connect-type) s-icap-status=$(s-icap-status) s-sitename=$(s-sitename) s-source-port=$(s-source-port) s-supplier-country=$(s-supplier-country) sc-Content-Encoding=$(sc(Content-Encoding)) sr-Accept-Encoding=$(sr(Accept-Encoding)) x-auth-credential-type=$(x-auth-credential-type) x-cookie-date=$(x-cookie-date) x-cs-certificate-subject=$(x-cs-certificate-subject) x-cs-connection-negotiated-cipher=$(x-cs-connection-negotiated-cipher) x-cs-connection-negotiated-cipher-size=$(x-cs-connection-negotiated-cipher-size) x-cs-connection-negotiated-ssl-version=$(x-cs-connection-negotiated-ssl-version) x-cs-ocsp-error=$(x-cs-ocsp-error) x-cs-Referer-uri=$(x-cs(Referer)-uri) x-cs-Referer-uri-address=$(x-cs(Referer)-uri-address) x-cs-Referer-uri-extension=$(x-cs(Referer)-uri-extension) x-cs-Referer-uri-host=$(x-cs(Referer)-uri-host) x-cs-Referer-uri-hostname=$(x-cs(Referer)-uri-hostname) x-cs-Referer-uri-path=$(x-cs(Referer)-uri-path) x-cs-Referer-uri-pathquery=$(x-cs(Referer)-uri-pathquery) x-cs-Referer-uri-port=$(x-cs(Referer)-uri-port) x-cs-Referer-uri-query=$(x-cs(Referer)-uri-query) x-cs-Referer-uri-scheme=$(x-cs(Referer)-uri-scheme) x-cs-Referer-uri-stem=$(x-cs(Referer)-uri-stem) x-exception-category=$(x-exception-category) x-exception-category-review-message=$(x-exception-category-review-message) x-exception-company-name=$(x-exception-company-name) x-exception-contact=$(x-exception-contact) x-exception-details=$(x-exception-details) x-exception-header=$(x-exception-header) x-exception-help=$(x-exception-help) x-exception-last-error=$(x-exception-last-error) x-exception-reason=$(x-exception-reason) x-exception-sourcefile=$(x-exception-sourcefile) x-exception-sourceline=$(x-exception-sourceline) x-exception-summary=$(x-exception-summary) x-icap-error-code=$(x-icap-error-code) x-rs-certificate-hostname=$(x-rs-certificate-hostname) x-rs-certificate-hostname-category=$(x-rs-certificate-hostname-category) x-rs-certificate-observed-errors=$(x-rs-certificate-observed-errors) x-rs-certificate-subject=$(x-rs-certificate-subject) x-rs-certificate-validate-status=$(x-rs-certificate-validate-status) x-rs-connection-negotiated-cipher=$(x-rs-connection-negotiated-cipher) x-rs-connection-negotiated-cipher-size=$(x-rs-connection-negotiated-cipher-size) x-rs-connection-negotiated-ssl-version=$(x-rs-connection-negotiated-ssl-version) x-rs-ocsp-error=$(x-rs-ocsp-error) cs-uri-extension=$(cs-uri-extension) cs-uri-path=$(cs-uri-path) cs-uri-query=$(quot)$(cs-uri-query)$(quot) c-uri-pathquery=$(c-uri-pathquery)
    
  5. Test the format. A test result window pops up; it should report "Format Syntax Correct".
  6. Select the TCP or SSL transport option.
  7. Click OK.
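The format above emits one RFC 5424 syslog line per request: a `<PRI>1` header (111 decodes to facility 13, severity 7), then space-separated `key=value` pairs in which the fields wrapped in `$(quot)` are double-quoted because their values can contain spaces. The parser below is an added example written for this topic; it is not part of the Splunk documentation or of the add-on. It assumes the header fields are space-separated as in RFC 5424, the two sample lines are constructed to match the format definition (they are not captured from an appliance), and the names `ProxyEvent`, `parse_line` and `needs_review` are this example's own. It also shows a defender-side check a practitioner would run before trusting the feed: which events carry a policy denial or an antivirus verdict.

```python
"""Parse ProxySG key-value syslog lines in the custom format defined above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample lines in the shape the custom format emits:
# RFC 5424 header, then key=value pairs (quoted where the format uses $(quot)).
SAMPLE_LINES = [
    '<111>1 2022-09-15T10:21:33 proxy01 bluecoat - splunk_format - c-ip=10.1.2.3 '
    'rs-Content-Type="text/html; charset=utf-8" cs-auth-groups=- cs-bytes=412 '
    'cs-categories="Search Engines/Portals" cs-host=www.example.com cs-method=GET '
    'cs-uri-port=443 cs-uri-scheme=https cs-User-Agent="Mozilla/5.0 (Windows NT 10.0)" '
    'cs-username=jdoe sc-filter-result=OBSERVED sc-status=200 x-virus-id=- '
    'c-url="https://www.example.com/search?q=a b" cs-uri-query="q=a b"',
    '<111>1 2022-09-15T10:22:07 proxy01 bluecoat - splunk_format - c-ip=10.1.2.9 '
    'rs-Content-Type="application/octet-stream" cs-auth-groups=- cs-bytes=0 '
    'cs-categories="Malicious Sources/Malnets" cs-host=bad.example.net cs-method=GET '
    'cs-uri-port=80 cs-uri-scheme=http cs-User-Agent="curl/7.79" cs-username=- '
    'sc-filter-result=DENIED sc-status=403 x-virus-id="EICAR-Test-File" '
    'c-url="http://bad.example.net/payload.exe" cs-uri-query=""',
]

# RFC 5424 header as laid out by the format:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$'
)

# A key is letters, digits, '_', '.' or '-' (e.g. service.name, cs-User-Agent).
# A value is either a double-quoted string (may contain spaces and '=')
# or a bare run of non-whitespace.
KV_RE = re.compile(
    r'(?P<key>[A-Za-z0-9_.\-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))'
)


@dataclass
class ProxyEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> ProxyEvent:
    """Split one syslog line into its header and its key-value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 line: {line[:40]!r}")
    pri = int(m.group("pri"))
    fields: Dict[str, str] = {}
    for kv in KV_RE.finditer(m.group("msg")):
        value = kv.group("quoted")
        if value is None:
            value = kv.group("bare")
        # ProxySG writes '-' for an empty value; normalise it to ''.
        # The format lists cs-auth-groups twice; the last occurrence wins here.
        fields[kv.group("key")] = "" if value == "-" else value
    return ProxyEvent(pri // 8, pri % 8, m.group("ts"), m.group("host"), fields)


def needs_review(event: ProxyEvent) -> List[str]:
    """Return the reasons an analyst would want to look at this event."""
    reasons: List[str] = []
    if event.fields.get("sc-filter-result") == "DENIED":
        reasons.append("policy denied")
    if event.fields.get("x-virus-id"):
        reasons.append("virus id " + event.fields["x-virus-id"])
    return reasons


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_line(raw)
        print(ev.timestamp, ev.host, ev.fields["c-ip"], ev.fields["cs-host"],
              needs_review(ev) or "ok")
```

Running a parser like this over a few minutes of real output before pointing the appliance at the Splunk platform confirms two things the format test in the console does not: that quoted fields such as cs-User-Agent and cs-uri-query survive with their embedded spaces, and that the header really carries a space between the timestamp and the hostname (if it does not, the first field of every event is mangled and the host is lost).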

Configure the Blue Coat ProxySG to send the generated logs to the Splunk platform

Configure a custom client

  1. Select Configuration > Access Logging > Logs > Upload Client.
  2. Select the log from the drop-down menu.
  3. Select Blue Coat Reporter Client from the Client type drop-down menu and click Settings.
    • A settings window pops up. From the "Settings for" drop-down list, select the custom server that you want to send the data to.
    • Fill in the host and port fields, as appropriate.
  4. Click OK.
  5. Click Apply.
  6. For each log format you want to use (main, Splunk Recommended), select the log and assign the custom client as its Upload Client.

Configure a custom schedule

For best results, configure your schedule to send the logs continuously rather than periodically.

  1. Select Configuration > Access Logging > Logs > Upload Schedule.
  2. Set the log schedule to produce logs continuously or periodically.
  3. Set the connect attempts and keep-alive log packets, or use the default values.

Configure General Settings in the Logs

  1. Select Configuration > Access Logging > Logs > General Settings.
  2. Select the log and the log format you created under Access Logging > Formats.
  3. Click OK.
  4. Click Apply.

Configure the Client Manager

  1. Select Configuration > Client > General > Client Manager.
  2. Provide the following information:
    • Host: Enter the hostname or IP address of the upload destination.
    • Port: Enter the port of the upload destination.
    • Keyring: Select the keyring value from the drop-down list.
    • Interval: Enter the interval of the log collection.

Configure Blue Coat ProxySG to send batches of logs to a file

To monitor your logs in batched files, work with your admin to create a Log Facility to send logs to a file where your Splunk platform instance can monitor them. Follow the Blue Coat ProxySG documentation that matches your device and version.

  1. Select "FTP client" as the upload client for the Log Facility.
  2. Provide the IP address of the FTP server on which you have installed the Splunk node that is responsible for data collection.
  3. Specify a path for the logs.
  4. Set the log schedule to produce logs periodically rather than continuously.
  5. Follow the instructions to Configure inputs for the Splunk Add-on for Symantec Blue Coat ProxySG.

Configure Blue Coat ProxySG to push logs via syslog

To push your logs continuously to the Splunk platform using syslog, work with your Blue Coat ProxySG administrator to create a Log Facility to perform a syslog push. Follow the Blue Coat ProxySG documentation that matches your device and version.

  1. Select "Custom client" as the upload client for the Log Facility.
  2. Provide the IP address of the Splunk node that is responsible for data collection.
  3. Enter the port of the TCP input in your Splunk platform instance that you want to listen for this data.
  4. Set the log schedule to produce logs continuously rather than periodically.
  5. Specify for the log files to be in text format rather than saved as gzip files.
  6. Follow the instructions to Configure inputs for the Splunk Add-on for Symantec Blue Coat ProxySG.

Last modified on 15 September, 2022

This documentation applies to the following versions of Splunk® Supported Add-ons: released
