Splunk® Supported Add-ons

Splunk Add-on for Symantec Blue Coat ProxySG and ASG

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure inputs for the Splunk Add-on for Symantec Blue Coat ProxySG

On the node responsible for your data collection, configure the input type that matches your configurations in your Blue Coat ProxySG SGOS administration console.

Configure a file monitor input in Splunk Web

  1. Follow the steps described in Monitor files and directories wth Splunk Web.
  2. Configure sourcetype as bluecoat:proxysg:access:file.

Configure a syslog input for bcereportermain_vi in Splunk Web

  1. Configure a syslog input as described in Add a network input using Splunk Web
  2. Set the sourcetype as bluecoat:proxysg:access:syslog.

Configure a syslog input for KV mode using Splunk Connect for Syslog

To configure inputs using Splunk Connect for Syslog, see the documentation at https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/Symantec/#product-proxysgasg-bluecoat

Configure a syslog input for KV mode using Splunk Web

  1. Configure a syslog input as described in Add a network input using Splunk Web
  2. Set the sourcetype as bluecoat:proxysg:access:kv

Configure a file monitor input

  1. Open or create $SPLUNK_HOME/etc/apps/Splunk_TA_bluecoat-proxysg/local/inputs.conf.
  2. Copy and paste the following stanza into the file: 
    [monitor://<log path>]
sourcetype = bluecoat:proxysg:access:file
disabled = false
  3. Replace <log path> with the log path, file name, and extension that you configured when you set up your Log Facility in SGOS to send logs over FTP.
  4. Save the file.
  5. If you are using forwarders, configure forwarding by defining tcp outputs and then enabling a receiver.
  6. Restart the Splunk platform. If you have a distributed deployment, restart your forwarders and indexers.

Configure a syslog input

  1. Open or create $SPLUNK_HOME/etc/apps/Splunk_TA_bluecoat-proxysg/local/inputs.conf.
  2. If you are using TCP, copy and paste the following stanza into the file: 
    [tcp://514]
source = tcp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false
  3. If you are using UDP, copy and paste the following stanza into the file. 
    [udp://514]
source = udp.bluecoat
sourcetype = bluecoat:proxysg:access:syslog
disabled = false
  4. If you configured a port number other than 514 when set up your Log Facility in SGOS to push logs continuously over syslog, change the port number in the stanza heading to match.
  5. Save the file.
    1. If you are using forwarders, configure forwarding by defining tcp outputs and then enabling a receiver.
  6. Restart the Splunk platform. If you have a distributed deployment, restart your forwarder and indexers.

Verify your input is working

If you have a distributed deployment, go to your search head. Perform the following search to check that the Splunk platform is indexing events from your Blue Coat ProxySG logs:

sourcetype=bluecoat:proxysg:access*

Last modified on 11 March, 2021
PREVIOUS
Configure logging in your Blue Coat ProxySG appliance for the Splunk Add-on for Symantec Blue Coat ProxySG 		  NEXT
Configure logging for backward compatibility with Symantec Blue Coat ProxySG

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters