Splunk® Supported Add-ons

Splunk Add-on for Symantec Blue Coat ProxySG and ASG

Release history for the Splunk Add-on for Symantec Blue Coat ProxySG

The latest version of the Splunk Add-on for Symantec Blue Coat ProxySG is version 3.8.1. See Release notes for the Splunk Add-on for Symantec Blue Coat ProxySG for release notes of this latest version.

Version 3.8.0

Version 3.8.0 of the Splunk Add-on for Symantec Blue Coat ProxySG was released in January 2022.

Compatibility

Splunk platform versions 8.1, 8.2
CIM
Platforms Platform independent
Vendor Products Bluecoat ProxySG version OS 6.7.5, 7.2.2.1, 7.3.x

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New Features

Version 3.8.0 of the Splunk Add-on for Symantec Bluecoat ProxySG has the following new features:

  • Support for Bluecoat ProxySG version 6.7.5 and 7.2.2.1 has been added to sourcetypes bluecoat:proxysg:access:file and bluecoat:proxysg:access:kv.

Additional Notes

Please note the following changes in this release:


Fields added, by source and sourcetype:

  • Source 6.7.x.log, sourcetype bluecoat:proxysg:access:syslog: cs_host, bytes_in, time, uri_path, cs_auth_group, cs_method, x_bluecoat_transaction_uuid, http_user_agent, cs_categories, date, x_bluecoat_application_name, vendor_categories, cs_uri_extension, http_referrer, x_icap_respmod_header, sc_status, x_virus_id, cs_uri_query, s_supplier_name, sc_filter_result, http_method, cs_User_Agent, dest_port, x_access_security_policy_reason, src, category, action, uri_query, http_referrer_domain, url_domain, cs_Referer, s_supplier_failures, dest_host, dvc, x_bluecoat_application_groups, s_action, s_ip, cs_bytes, bytes_out, cs_uri_port, http_content_type, sc_bytes, user, cs_username, dest, cs_uri_path, http_user_agent_length, transport, x_icap_reqmod_header, time_taken, status, x_access_security_policy_action, duration, s_supplier_country, bytes, x_bluecoat_application_operation, cs_threat_risk, cs_uri_scheme, rs_Content_Type, url, x_exception_id, c_ip, vendor_action, s_supplier_ip
  • Source 7.3.x.log, sourcetype bluecoat:proxysg:access:kv: url_domain
  • Source bw3c.log, sourcetype bluecoat:proxysg:access:file: http_referrer_domain, url_domain

Upgrade

If you are using only one specific version of Blue Coat logs, you can comment out the REPORT-auto_kv lines for the unused versions in default/props.conf to improve search performance.

Fixed issues

Version 3.8.0 of the Splunk Add-on for Symantec Blue Coat ProxySG has the following fixed issues. If no issues are listed, no issues have yet been reported:


Known issues

Version 3.8.0 of the Splunk Add-on for Symantec Blue Coat ProxySG has the following known issues. If no issues are listed, no issues have yet been reported:


Date filed Issue number Description
2022-05-25 ADDON-52250 Correct mapping of destination IP

Workaround: Update the extractions of dest and dest_ip in the props.conf file.

Third-party software attributions

Version 3.7.0 of the Splunk Add-on for Symantec Blue Coat ProxySG does not incorporate any third-party software or libraries.

Version 3.7.0

Version 3.7.0 of the Splunk Add-on for Symantec Blue Coat ProxySG was released on October 20, 2019.

Compatibility

Splunk platform versions 8.0.0, 7.3.x, 7.2.x
CIM 4.17
Platforms Platform independent
Vendor Products Bluecoat ProxySG version OS 5.3.3, 6.5.x, 6.6.3.2, 6.6.4.2, 6.7.5, 7.2.2.1

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New Features

Version 3.7.0 of the Splunk Add-on for Symantec Bluecoat ProxySG has the following new features:

  • Support for Bluecoat ProxySG version 6.7.5 and 7.2.2.1 has been added to sourcetypes bluecoat:proxysg:access:file and bluecoat:proxysg:access:kv.

Additional Notes

Please note the following changes in this release:

  • bcereportermain_v1 configurations for the bluecoat:proxysg:syslog sourcetype are supported only for versions 5.3.3, 6.5.x, 6.6.3.2, 6.6.4.2.
  • bluecoat:proxysg:access:kv is recommended for collecting syslog data going forward.
  • The eventtype bluecoat_traffic_monitor is removed from this release.
  • The Web CIM field category is now a single-value field instead of a multi-value field. The multi-value is now captured in vendor_categories.
  • inputs.conf in the default directory is no longer shipped in the add-on.
  • Support for the following fields has been removed:
    • cs_Cookie
    • cs_host
    • c_port
    • s_port
    • cs_ip
    • cs_protocol
    • c_pkts_received
    • s_session_id

Upgrade

If you are using only one specific version of Blue Coat logs, you can comment out the REPORT-auto_kv lines for the unused versions in default/props.conf to improve search performance.

Unlike previous versions, versions 3.5.0 and above of the Splunk Add-on for Symantec Blue Coat ProxySG do not support Blue Coat version 5.3.3 logs by default. If you want to ingest version 5.3.3 logs, complete these steps:

  1. Open or create a local/props.conf file.
  2. Open default/props.conf.
  3. Copy the #REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3 line in the bluecoat:proxysg:access:syslog stanza in default/props.conf.
  4. Paste the #REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3 line in the bluecoat:proxysg:access:syslog stanza into local/props.conf.
  5. Uncomment the #REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3 line in local/props.conf.

Fixed issues

Version 3.7.0 of the Splunk Add-on for Symantec Blue Coat ProxySG has the following fixed issues. If no issues follow, no issues have yet been reported:


Known issues

Version 3.7.0 of the Splunk Add-on for Symantec Blue Coat ProxySG has the following known issues. If no issues follow, no issues have yet been reported:


Third-party software attributions

Version 3.7.0 of the Splunk Add-on for Symantec Blue Coat ProxySG does not incorporate any third-party software or libraries.

Version 3.6.0

Version 3.6.0 of the Splunk Add-on for Symantec Blue Coat ProxySG was released on October 21, 2019.

Compatibility

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.0
CIM 4.12
Platforms Platform independent
Vendor Products Bluecoat ProxySG OS 5.3.3, 6.5.x, 6.6.3.2, 6.6.4.2

Upgrade

If you are using only one specific version of Blue Coat logs, you can comment out the REPORT-auto_kv lines for the unused versions in default/props.conf to improve search performance.

Unlike previous versions, versions 3.5.0 and above of the Splunk Add-on for Symantec Blue Coat ProxySG do not support Blue Coat version 5.3.3 logs by default. If you want to ingest version 5.3.3 logs, complete these steps:

  1. Open or create a local/props.conf file.
  2. Open default/props.conf.
  3. Copy the #REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3 line in the bluecoat:proxysg:access:syslog stanza in default/props.conf.
  4. Paste the #REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3 line in the bluecoat:proxysg:access:syslog stanza into local/props.conf.
  5. Uncomment the #REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3 line in local/props.conf.

New Features

Version 3.6.0 of the Splunk Add-on for Symantec Bluecoat ProxySG has the following new features:

  • Support for the bluecoat:proxysg:access:kv sourcetype.

Fixed issues

Version 3.6.0 of the Splunk Add-on for Symantec Blue Coat ProxySG has the following fixed issues. If no issues follow, no issues have yet been reported:


Known issues

Version 3.6.0 of the Splunk Add-on for Symantec Blue Coat ProxySG has the following known issues. If no issues follow, no issues have yet been reported:


Third-party software attributions

Version 3.6.0 of the Splunk Add-on for Symantec Blue Coat ProxySG does not incorporate any third-party software or libraries.

Version 3.5.0

Version 3.5.0 of the Splunk Add-on for Symantec Blue Coat ProxySG was released on October 29, 2018.

Compatibility

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.12
Platforms Platform independent
Vendor Products Bluecoat ProxySG OS 5.3.3, 6.5.x, 6.6.3.2, 6.6.4.2

Upgrade

If you are using only one specific version of Blue Coat logs, you can comment out the REPORT-auto_kv lines for the unused versions in default/props.conf to improve search performance.

Unlike previous versions, version 3.5.0 of the Splunk Add-on for Symantec Blue Coat ProxySG does not support Blue Coat version 5.3.3 logs by default. If you want to ingest version 5.3.3 logs, complete these steps:

  1. Open or create a local/props.conf file.
  2. Open default/props.conf.
  3. Copy the #REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3 line in the bluecoat:proxysg:access:syslog stanza in default/props.conf.
  4. Paste the #REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3 line in the bluecoat:proxysg:access:syslog stanza into local/props.conf.
  5. Uncomment the #REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3 line in local/props.conf.

New Features

Version 3.5.0 of the Splunk Add-on for Symantec Bluecoat ProxySG has the following new features:

  • Improved load balancing on the universal forwarder
  • Support for Bluecoat ProxySG 6.6.x.x

Fixed issues

Version 3.5.0 of the Splunk Add-on for Symantec Blue Coat ProxySG has the following fixed issues. If no issues follow, no issues have yet been reported:


Known issues

Version 3.5.0 of the Splunk Add-on for Symantec Blue Coat ProxySG has the following known issues. If no issues follow, no issues have yet been reported:


Third-party software attributions

Version 3.5.0 of the Splunk Add-on for Symantec Blue Coat ProxySG does not incorporate any third-party software or libraries.


Version 3.4.2

Version 3.4.2 of the Splunk Add-on for Blue Coat ProxySG was released on April 1, 2016. Version 3.4.2 of the Splunk Add-on for Blue Coat ProxySG is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.3 and later
CIM 4.2 and later
Platforms Platform independent
Vendor Products Blue Coat ProxySG 5.3.3 and 6.5.x

Upgrade from 3.4.0 or 3.4.1 to 3.4.2

There are no upgrade issues if you are upgrading from version 3.4.0 or 3.4.1 to 3.4.2.

New Installation

If you are installing the Splunk Add-on for Blue Coat ProxySG for the first time and you also use Splunk Enterprise Security, follow the instructions in this section.

The Splunk Add-on for Blue Coat ProxySG replaces TA-bluecoat, released only as a component of the Splunk Enterprise Security app. If you have Splunk Enterprise Security installed, disable the inputs for TA-bluecoat to allow this new add-on to take over. Back up any local configurations for TA-bluecoat before you install this new add-on.

At search time, the Splunk Add-on for Blue Coat ProxySG automatically renames the source types for older data from bluecoat to bluecoat:proxysg:access:syslog to match the source type definitions of this new version.

Fixed Issues

Version 3.4.2 of the Splunk Add-on for Blue Coat ProxySG has the following fixed issue.

Date Issue number Description
2016-03-11 ADDON-8250 Performance issues in Splunk Enterprise Security related to tag expansions.

Known issues

Version 3.4.2 of the Splunk Add-on for Blue Coat ProxySG has the following known issue.

Date Issue number Description
2015-09-19 ADDON-5678 Field extraction fails if the http_user_agent is not enclosed in quotes. If an http_user_agent is not present in the logs, Blue Coat provides a dash (-) without quotes.

Third-party software attributions

Version 3.4.2 of the Splunk Add-on for Blue Coat ProxySG does not incorporate any third-party software or libraries.


Version 3.4.1

Version 3.4.1 of the Splunk Add-on for Blue Coat ProxySG is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.3, 6.2
CIM 4.2 and above
Platforms Platform independent
Vendor Products Blue Coat ProxySG 5.3.3 and 6.5.x

Known issues

Version 3.4.1 of the Splunk Add-on for Blue Coat ProxySG has the following known issue.

Date Issue number Description
2015-09-19 ADDON-5678 Field extraction fails if the http_user_agent is not enclosed in quotes. If an http_user_agent is not present in the logs, Blue Coat provides a dash (-) without quotes.
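
The following Python sketch is an added example, not code from the add-on. It contrasts an extraction that requires a quoted http_user_agent (the failure described in ADDON-5678) with a tokenizer that also accepts the bare dash, and lists the events the strict form would drop. The log lines and the shortened field order are constructed for illustration; a real ProxySG access-log format carries many more fields.

```python
import re

# Hypothetical, shortened field order (assumption for this example only).
FIELDS = ["date", "time", "c_ip", "sc_status", "cs_method", "cs_host",
          "http_user_agent"]

# Strict: the last field must be a quoted string, so a bare "-" never matches.
STRICT = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Tolerant: each field is either a quoted string or a bare token such as "-".
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_strict(line):
    """Return a field dict, or None when the user agent is not quoted."""
    m = STRICT.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None


def parse_tolerant(line):
    """Tokenize quoted and bare fields; map a bare dash to None."""
    tokens = [quoted if bare == "" else bare
              for quoted, bare in TOKEN.findall(line)]
    if len(tokens) != len(FIELDS):
        return None
    return {k: (None if v == "-" else v) for k, v in zip(FIELDS, tokens)}


def extraction_gaps(lines):
    """Lines the strict pattern drops although they are well-formed events."""
    return [l for l in lines
            if parse_strict(l) is None and parse_tolerant(l) is not None]


# Constructed sample events: one with a quoted user agent, one with a bare dash.
SAMPLE = [
    '2015-09-19 10:00:01 10.0.0.5 200 GET example.com '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '2015-09-19 10:00:02 10.0.0.6 200 CONNECT example.org -',
]

if __name__ == "__main__":
    for line in extraction_gaps(SAMPLE):
        print("strict extraction would miss:", line)
```

Events with no user agent are often the ones worth reviewing (scripted clients, tunnelled CONNECT traffic), so an extraction that silently skips them leaves a gap in proxy-based detections.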

Third-party software attributions

Version 3.4.1 of the Splunk Add-on for Blue Coat ProxySG does not incorporate any third-party software or libraries.

Version 3.4.0

Version 3.4.0 of the Splunk Add-on for Blue Coat ProxySG was compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.3, 6.2
CIM 4.2
Platforms Platform independent
Vendor Products Blue Coat ProxySG

Migration Guide

The Splunk Add-on for Blue Coat ProxySG replaces TA-bluecoat, released only as a component of the Splunk App for Enterprise Security. If you have the Splunk App for Enterprise Security installed, disable the inputs for TA-bluecoat to allow this new add-on to take over. Back up any local configurations for TA-bluecoat before you install this new add-on.

At search time, the Splunk Add-on for Blue Coat ProxySG automatically renames the source types for older data from bluecoat to bluecoat:proxysg:access:syslog to match the source type definitions of this new version.

New features

Version 3.4.0 of the Splunk Add-on for Blue Coat ProxySG had the following new features.

Date Issue number Description
05/08/15 ADDON-1546 Newly Splunk-supported outside of the Splunk App for Enterprise Security and updated to include support for Blue Coat ProxySG version 6.

Known issues

Version 3.4.0 of the Splunk Add-on for Blue Coat ProxySG had the following known issue.

Date Issue number Description
08/20/15 ADDON-5043 When using syslog to collect Blue Coat log files, header lines are imported and parsed incorrectly.

Third-party software attributions

Version 3.4.0 of the Splunk Add-on for Blue Coat ProxySG does not incorporate any third-party software or libraries.

Last modified on 15 September, 2022

This documentation applies to the following versions of Splunk® Supported Add-ons: released

