Configure logging in your Blue Coat ProxySG appliance for the Splunk Add-on for Symantec Blue Coat ProxySG
Work with your Blue Coat ProxySG administrator to determine how best to present the ProxySG logs to your Splunk platform instance for ingestion. You have three options:
- You can collect syslog data using a key-value format. This is the recommended format for syslog, because the default Blue Coat format omits important fields. The configuration for key-value logging is provided in this topic.
- You can send batches of log files using FTP and configure your Splunk platform instance to monitor those files.
- You can push the logs continuously to the Splunk platform using syslog and the bcreportermain_v1 format. This format is only supported for Blue Coat ProxySG OS versions 6.7.x and 7.3.x.
If you have customized the fields or the order of the fields in your log, use the file monitoring input as a best practice.
Configure logging in your Blue Coat ProxySG appliance in the Key-Value format
Work with your Blue Coat ProxySG administrator to create a custom format for this type of data collection. Follow the steps below:
- Log in to the Blue Coat Management Console.
- Select Configuration > Access Logging > Formats.
- Select New.
- Type a format name for the custom format and paste the following format string:
<111>1 $(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc) $(s-computername) bluecoat - splunk_format - c-ip=$(c-ip) rs-Content-Type=$(quot)$(rs(Content-Type))$(quot) cs-auth-groups=$(cs-auth-groups) cs-bytes=$(cs-bytes) cs-categories=$(cs-categories) cs-host=$(cs-host) cs-ip=$(cs-ip) cs-method=$(cs-method) cs-uri-port=$(cs-uri-port) cs-uri-scheme=$(cs-uri-scheme) cs-User-Agent=$(quot)$(cs(User-Agent))$(quot) cs-username=$(cs-username) dnslookup-time=$(dnslookup-time) duration=$(duration) rs-status=$(rs-status) rs-version=$(rs-version) s-action=$(s-action) s-ip=$(s-ip) service.name=$(service.name) service.group=$(service.group) s-supplier-ip=$(s-supplier-ip) s-supplier-name=$(s-supplier-name) sc-bytes=$(sc-bytes) sc-filter-result=$(sc-filter-result) sc-status=$(sc-status) time-taken=$(time-taken) x-exception-id=$(x-exception-id) x-virus-id=$(x-virus-id) c-url=$(quot)$(url)$(quot) cs-Referer=$(quot)$(cs(Referer))$(quot) c-cpu=$(c-cpu) connect-time=$(connect-time) cs-auth-groups=$(cs-auth-groups) cs-headerlength=$(cs-headerlength) cs-threat-risk=$(cs-threat-risk) r-ip=$(r-ip) r-supplier-ip=$(r-supplier-ip) rs-time-taken=$(rs-time-taken) rs-server=$(rs(server)) s-connect-type=$(s-connect-type) s-icap-status=$(s-icap-status) s-sitename=$(s-sitename) s-source-port=$(s-source-port) s-supplier-country=$(s-supplier-country) sc-Content-Encoding=$(sc(Content-Encoding)) sr-Accept-Encoding=$(sr(Accept-Encoding)) x-auth-credential-type=$(x-auth-credential-type) x-cookie-date=$(x-cookie-date) x-cs-certificate-subject=$(x-cs-certificate-subject) x-cs-connection-negotiated-cipher=$(x-cs-connection-negotiated-cipher) x-cs-connection-negotiated-cipher-size=$(x-cs-connection-negotiated-cipher-size) x-cs-connection-negotiated-ssl-version=$(x-cs-connection-negotiated-ssl-version) x-cs-ocsp-error=$(x-cs-ocsp-error) x-cs-Referer-uri=$(x-cs(Referer)-uri) x-cs-Referer-uri-address=$(x-cs(Referer)-uri-address) x-cs-Referer-uri-extension=$(x-cs(Referer)-uri-extension) x-cs-Referer-uri-host=$(x-cs(Referer)-uri-host) x-cs-Referer-uri-hostname=$(x-cs(Referer)-uri-hostname) x-cs-Referer-uri-path=$(x-cs(Referer)-uri-path) x-cs-Referer-uri-pathquery=$(x-cs(Referer)-uri-pathquery) x-cs-Referer-uri-port=$(x-cs(Referer)-uri-port) x-cs-Referer-uri-query=$(x-cs(Referer)-uri-query) x-cs-Referer-uri-scheme=$(x-cs(Referer)-uri-scheme) x-cs-Referer-uri-stem=$(x-cs(Referer)-uri-stem) x-exception-category=$(x-exception-category) x-exception-category-review-message=$(x-exception-category-review-message) x-exception-company-name=$(x-exception-company-name) x-exception-contact=$(x-exception-contact) x-exception-details=$(x-exception-details) x-exception-header=$(x-exception-header) x-exception-help=$(x-exception-help) x-exception-last-error=$(x-exception-last-error) x-exception-reason=$(x-exception-reason) x-exception-sourcefile=$(x-exception-sourcefile) x-exception-sourceline=$(x-exception-sourceline) x-exception-summary=$(x-exception-summary) x-icap-error-code=$(x-icap-error-code) x-rs-certificate-hostname=$(x-rs-certificate-hostname) x-rs-certificate-hostname-category=$(x-rs-certificate-hostname-category) x-rs-certificate-observed-errors=$(x-rs-certificate-observed-errors) x-rs-certificate-subject=$(x-rs-certificate-subject) x-rs-certificate-validate-status=$(x-rs-certificate-validate-status) x-rs-connection-negotiated-cipher=$(x-rs-connection-negotiated-cipher) x-rs-connection-negotiated-cipher-size=$(x-rs-connection-negotiated-cipher-size) x-rs-connection-negotiated-ssl-version=$(x-rs-connection-negotiated-ssl-version) x-rs-ocsp-error=$(x-rs-ocsp-error) cs-uri-extension=$(cs-uri-extension) cs-uri-path=$(cs-uri-path) cs-uri-query=$(quot)$(cs-uri-query)$(quot) c-uri-pathquery=$(c-uri-pathquery)
- Test the format. A test result window pops up and should report "Format Syntax Correct".
- Select the TCP or SSL transport option.
- Click OK.
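As an added example (not part of the Splunk or Blue Coat documentation), the following Python parses a line in the shape the custom format above emits, so you can confirm the syslog header and the $(quot)-quoted fields survive transport before pointing the upload client at the Splunk platform. The sample line and the REQUIRED field list are constructed for illustration, and the header pattern assumes the literal splunk_format token from the format string.

```python
import re

# Constructed sample line in the shape the custom format above emits
# (values are made up). Quoted values come from $(quot)...$(quot) and may
# contain spaces; "-" is how ProxySG renders an empty field.
SAMPLE = (
    '<111>1 2024-05-01T10:15:30 proxy01 bluecoat - splunk_format - '
    'c-ip=10.0.0.5 rs-Content-Type="text/html; charset=utf-8" cs-auth-groups=- '
    'cs-bytes=512 cs-host=www.example.com cs-method=GET cs-uri-port=443 '
    'cs-uri-scheme=https cs-User-Agent="Mozilla/5.0 (X11; Linux x86_64)" '
    'cs-username=jdoe sc-status=200 sc-filter-result=OBSERVED x-virus-id=- '
    'c-url="https://www.example.com/path?q=a b" cs-threat-risk=2 '
    'c-uri-pathquery=/path?q=a'
)

# Header: <PRI>1 TIMESTAMP HOST bluecoat - splunk_format - BODY (assumes the
# literal splunk_format token used in the format string on this page).
HEADER = re.compile(r'^<(\d{1,3})>1 (\S+) (\S+) bluecoat - splunk_format - (.*)$')
# key=value: the value is either a double-quoted string or a run of non-space
# characters (greedy, so unquoted values such as c-uri-pathquery may hold "=").
PAIR = re.compile(r'(\S+?)=("[^"]*"|\S*)')

# Hypothetical minimum set of keys a search would expect on every event.
REQUIRED = ('c-ip', 'cs-host', 'cs-method', 'cs-username', 'sc-status', 'c-url')


def decode_priority(pri):
    """Split an RFC 5424 PRI value into (facility, severity)."""
    return pri >> 3, pri & 7


def parse_line(line):
    """Return header fields plus a dict of key=value pairs; '-' becomes None."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('not a splunk_format syslog line')
    pri, ts, host, body = m.groups()
    fields = {}
    for key, value in PAIR.findall(body):
        if value.startswith('"'):
            value = value[1:-1]          # strip the $(quot) delimiters
        fields[key] = None if value == '-' else value
    facility, severity = decode_priority(int(pri))
    return {'facility': facility, 'severity': severity,
            'timestamp': ts, 'host': host, 'fields': fields}


def missing_required(parsed):
    """List REQUIRED keys absent from a parsed line (empty list means OK)."""
    return [k for k in REQUIRED if k not in parsed['fields']]
```

Unquoted fields that can contain spaces (for example c-uri-pathquery) will split into bogus keys with this or any key=value parser, which is why the format wraps URL, query, Referer and User-Agent values in $(quot).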
Configure the Blue Coat ProxySG to send the generated logs to the Splunk platform
Configure a custom client
- Select Configuration > Access Logging > Logs > Upload Client.
- Select the log from the drop-down menu.
- Select Blue Coat Reporter Client from the Client type drop-down menu and click Settings.
- A settings window pops up. From the "Settings for" drop-down list, select the custom server to which you want to send the data.
- Fill in the host and port fields, as appropriate.
- Click OK.
- Click Apply.
- For each log you want to use (for example, main or Splunk Recommended), select the log and assign the custom client as its Upload Client.
Configure a custom schedule
For best results, configure your schedule to send the logs continuously rather than periodically.
- Select Configuration > Access Logging > Logs > Upload Schedule.
- Set the log schedule to produce logs continuously or periodically.
- Set the connect attempts and keep-alive log packets or use the default values.
Configure General Settings in the Logs
- Select Configuration > Access Logging > Logs > General Settings.
- Select the log and the log format you created under Access Logging > Formats.
- Click OK.
- Click Apply.
Configure the Client Manager
- Select Configuration > Client > General > Client Manager.
- Provide the following information:
- Host: Enter the hostname or IP address of the upload destination.
- Port: Enter the port of the upload destination.
- Keyring: Select the keyring value from the drop-down list.
- Interval: Enter the interval of the log collection.
Configure Blue Coat ProxySG to send batches of logs to a file
To monitor your logs in batched files, work with your admin to create a Log Facility to send logs to a file where your Splunk platform instance can monitor them. Follow the Blue Coat ProxySG documentation that matches your device and version.
- Select "FTP client" as the upload client for the Log Facility.
- Provide the IP address of the FTP server on which you have installed the Splunk node that is responsible for data collection.
- Specify a path for the logs.
- Set the log schedule to produce logs periodically rather than continuously.
- Follow the instructions to Configure inputs for the Splunk Add-on for Symantec Blue Coat ProxySG.
Configure Blue Coat ProxySG to push logs via syslog
To push your logs continuously to the Splunk platform using syslog, work with your Blue Coat ProxySG administrator to create a Log Facility to perform a syslog push. Follow the Blue Coat ProxySG documentation that matches your device and version.
- Select "Custom client" as the upload client for the Log Facility.
- Provide the IP address of the Splunk node that is responsible for data collection.
- Enter the port of the TCP input in your Splunk platform instance that you want to listen for this data.
- Set the log schedule to produce logs continuously rather than periodically.
- Specify for the log files to be in text format rather than saved as gzip files.
- Follow the instructions to Configure inputs for the Splunk Add-on for Symantec Blue Coat ProxySG.