Splunk® Supported Add-ons

Splunk Add-on for Symantec Blue Coat ProxySG and ASG

Download manual as PDF

Download topic as PDF

Configure inputs for the Splunk Add-on for Symantec Blue Coat ProxySG

On the node responsible for your data collection, configure the input type that matches your configurations in your Blue Coat ProxySG SGOS administration console.

Configure a file monitor input

  1. Open or create $SPLUNK_HOME/etc/apps/Splunk_TA_bluecoat-proxysg/local/inputs.conf.
  2. Copy and paste the following stanza into the file: 
    [monitor://<log path>]
source = file.bluecoat
sourcetype = bluecoat:proxysg:access:file
disabled = false
  3. Replace <log path> with the log path, file name, and extension that you configured when you set up your Log Facility in SGOS to send logs over FTP.
  4. Save the file.
  5. If you are using forwarders, configure forwarding by defining tcp outputs and then enabling a receiver.
  6. Restart the Splunk platform. If you have a distributed deployment, restart your forwarders and indexers.

Configure a syslog input

  1. Open or create $SPLUNK_HOME/etc/apps/Splunk_TA_bluecoat-proxysg/local/inputs.conf.
  2. If you are using TCP, copy and paste the following stanza into the file: 
    [tcp://514]
source = tcp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false
  3. If you are using UDP, copy and paste the following stanza into the file. 
    [udp://514]
source = udp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false
  4. If you configured a port number other than 514 when set up your Log Facility in SGOS to push logs continuously over syslog, change the port number in the stanza heading to match.
  5. Save the file.
    1. If you are using forwarders, configure forwarding by defining tcp outputs and then enabling a receiver.
  6. Restart the Splunk platform. If you have a distributed deployment, restart your forwarder and indexers.

Verify your input is working

If you have a distributed deployment, go to your search head. Perform the following search to check that the Splunk platform is indexing events from your Blue Coat ProxySG logs:

sourcetype=bluecoat:proxysg:access*

PREVIOUS
Configure logging in your Blue Coat ProxySG appliance for the Splunk Add-on for Symantec Blue Coat ProxySG 		  NEXT
Configure logging for backward compatibility with Symantec Blue Coat ProxySG

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters