Splunk® Supported Add-ons

Splunk Add-on for Symantec Blue Coat ProxySG and ASG


Configure logging in your Blue Coat ProxySG appliance for the Splunk Add-on for Symantec Blue Coat ProxySG

Work with your Blue Coat ProxySG administrator to determine how best to present the ProxySG logs to your Splunk platform instance for ingestion. You have three options:

  1. Collect syslog data using a key-value format. This is the recommended format for syslog, because the default Blue Coat format omits important fields. The custom format definition for key-value logging is provided in this topic.
  2. Send batches of log files using FTP and configure your Splunk platform instance to monitor those files.
  3. Push the logs continuously to the Splunk platform using syslog and the bcreportermain_v1 format. This format is only supported on Blue Coat ProxySG OS versions 5.3.3, 6.5.x, 6.6.3.2, and 6.6.4.2.


If you have customized either the fields or the order of the fields in your log, use the file monitoring input as a best practice.

Configure logging in your Blue Coat ProxySG appliance in the Key-Value format

Work with your Blue Coat ProxySG administrator to create a custom format for this type of data collection. Follow the steps below:

  1. Log in to the Blue Coat Management Console.
  2. Select Configuration > Access Logging > Formats.
  3. Select New.
  4. Type a format name for the custom format and paste the following configuration as a single line (a line break inside the format would split every event into two syslog messages):
    <111>1 $(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc).000z $(s-computername) bluecoat - splunk_format - c-ip=$(c-ip) rs-Content-Type=$(quot)$(rs(Content-Type))$(quot)  cs-auth-groups=$(cs-auth-groups) cs-bytes=$(cs-bytes) cs-categories=$(cs-categories) cs-host=$(cs-host) cs-ip=$(cs-ip) cs-method=$(cs-method) cs-uri-port=$(cs-uri-port) cs-uri-scheme=$(cs-uri-scheme) cs-User-Agent=$(quot)$(cs(User-Agent))$(quot) cs-username=$(cs-username) dnslookup-time=$(dnslookup-time) duration=$(duration) rs-status=$(rs-status) rs-version=$(rs-version) s-action=$(s-action) s-ip=$(s-ip) service.name=$(service.name) service.group=$(service.group) s-supplier-ip=$(s-supplier-ip) s-supplier-name=$(s-supplier-name) sc-bytes=$(sc-bytes) sc-filter-result=$(sc-filter-result) sc-status=$(sc-status) time-taken=$(time-taken) x-exception-id=$(x-exception-id) x-virus-id=$(x-virus-id) c-url=$(quot)$(url)$(quot) cs-Referer=$(quot)$(cs(Referer))$(quot) c-cpu=$(c-cpu) connect-time=$(connect-time) cs-auth-groups=$(cs-auth-groups) cs-headerlength=$(cs-headerlength) cs-threat-risk=$(cs-threat-risk) r-ip=$(r-ip) r-supplier-ip=$(r-supplier-ip) rs-time-taken=$(rs-time-taken) rs-server=$(rs(server)) s-connect-type=$(s-connect-type) s-icap-status=$(s-icap-status) s-sitename=$(s-sitename) s-source-port=$(s-source-port) s-supplier-country=$(s-supplier-country) sc-Content-Encoding=$(sc(Content-Encoding)) sr-Accept-Encoding=$(sr(Accept-Encoding)) x-auth-credential-type=$(x-auth-credential-type) x-cookie-date=$(x-cookie-date) x-cs-certificate-subject=$(x-cs-certificate-subject) x-cs-connection-negotiated-cipher=$(x-cs-connection-negotiated-cipher) x-cs-connection-negotiated-cipher-size=$(x-cs-connection-negotiated-cipher-size) x-cs-connection-negotiated-ssl-version=$(x-cs-connection-negotiated-ssl-version) x-cs-ocsp-error=$(x-cs-ocsp-error) x-cs-Referer-uri=$(x-cs(Referer)-uri) x-cs-Referer-uri-address=$(x-cs(Referer)-uri-address) x-cs-Referer-uri-extension=$(x-cs(Referer)-uri-extension) x-cs-Referer-uri-host=$(x-cs(Referer)-uri-host) x-cs-Referer-uri-hostname=$(x-cs(Referer)-uri-hostname) x-cs-Referer-uri-path=$(x-cs(Referer)-uri-path) x-cs-Referer-uri-pathquery=$(x-cs(Referer)-uri-pathquery) x-cs-Referer-uri-port=$(x-cs(Referer)-uri-port) x-cs-Referer-uri-query=$(x-cs(Referer)-uri-query) x-cs-Referer-uri-scheme=$(x-cs(Referer)-uri-scheme) x-cs-Referer-uri-stem=$(x-cs(Referer)-uri-stem) x-exception-category=$(x-exception-category) x-exception-category-review-message=$(x-exception-category-review-message) x-exception-company-name=$(x-exception-company-name) x-exception-contact=$(x-exception-contact) x-exception-details=$(x-exception-details) x-exception-header=$(x-exception-header) x-exception-help=$(x-exception-help) x-exception-last-error=$(x-exception-last-error) x-exception-reason=$(x-exception-reason) x-exception-sourcefile=$(x-exception-sourcefile) x-exception-sourceline=$(x-exception-sourceline) x-exception-summary=$(x-exception-summary) x-icap-error-code=$(x-icap-error-code) x-rs-certificate-hostname=$(x-rs-certificate-hostname) x-rs-certificate-hostname-category=$(x-rs-certificate-hostname-category) x-rs-certificate-observed-errors=$(x-rs-certificate-observed-errors) x-rs-certificate-subject=$(x-rs-certificate-subject) x-rs-certificate-validate-status=$(x-rs-certificate-validate-status) x-rs-connection-negotiated-cipher=$(x-rs-connection-negotiated-cipher) x-rs-connection-negotiated-cipher-size=$(x-rs-connection-negotiated-cipher-size) x-rs-connection-negotiated-ssl-version=$(x-rs-connection-negotiated-ssl-version) x-rs-ocsp-error=$(x-rs-ocsp-error) cs-uri-extension=$(cs-uri-extension) cs-uri-path=$(cs-uri-path) cs-uri-query=$(quot)$(cs-uri-query)$(quot) c-uri-pathquery=$(c-uri-pathquery)
    
  5. Select TCP or SSL as the transport option. Prefer SSL where your Splunk receiver supports it: this format carries usernames, authentication groups, full URLs with query strings, and Referer values, so the stream should not cross the network in cleartext.
  6. Save your format.
  7. Click OK.
  8. Specify the IP address of the Splunk node that receives the logs.
  9. Click Apply.
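To see what the custom format produces on the wire, and to confirm that the fields a detection relies on actually arrive, the following Python is an added example; it is not code from the Splunk add-on or from Symantec. It parses the RFC 5424 header the format emits (PRI 111 decodes to facility 13, log audit, and severity 7, debug), splits the key-value body while respecting the $(quot)-wrapped values that contain spaces, tolerates the lowercase "z" the format writes at the end of the timestamp, keeps the cs-auth-groups key that the format lists twice without corrupting the event, and runs a few triage checks over the result. The two sample lines, the HIGH_RISK_THRESHOLD value and the LEGACY_TLS set are constructed for the example and are not vendor-defined.

```python
"""Parse and triage ProxySG key-value syslog events (added example, not code from
the Splunk add-on or from Symantec). SAMPLE_* lines are constructed by hand and
carry only a subset of the custom format's fields, in the format's order."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Union

# RFC 5424 header as the custom format writes it:
#   <PRI>1 TIMESTAMP HOST bluecoat - splunk_format - key=value ...
# PROCID and STRUCTURED-DATA are always "-" here, so every header token is
# assumed to be one non-space run (no SD-ELEMENT blocks).
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$", re.S)
# key=value pairs: keys may contain '-' and '.' (rs-Content-Type, service.name);
# values are $(quot)-wrapped strings (may contain spaces and '=') or bare tokens.
KV_RE = re.compile(
    r'(?P<key>[A-Za-z0-9_.-]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S*))')

Value = Union[str, List[str]]  # a key the format repeats may become multivalue


@dataclass
class ProxyEvent:
    facility: int          # PRI 111 decodes to facility 13 (log audit) ...
    severity: int          # ... and severity 7 (debug)
    timestamp: datetime
    host: str
    fields: Dict[str, Value]


def parse_timestamp(ts: str) -> datetime:
    """The format emits '.000z' (lowercase z); RFC 5424 requires 'Z' and
    strptime's %z accepts only the uppercase form, so strip either. The
    format builds the time from the x-bluecoat-*-utc fields, hence UTC."""
    if ts[-1] in "zZ":
        naive = datetime.strptime(ts[:-1], "%Y-%m-%dT%H:%M:%S.%f")
        return naive.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(ts)


def parse_kv_event(line: str) -> ProxyEvent:
    """Split one syslog line into its header and a dict of access-log fields."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line[:60])
    fields: Dict[str, Value] = {}
    for kv in KV_RE.finditer(m["msg"]):
        key = kv["key"]
        value = kv["bare"] if kv["quoted"] is None else kv["quoted"].replace('\\"', '"')
        if key not in fields:
            fields[key] = value
        elif fields[key] != value:
            # The format lists cs-auth-groups twice: identical repeats collapse,
            # differing repeats are kept as a list (cf. a Splunk multivalue field).
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
    pri = int(m["pri"])
    return ProxyEvent(pri >> 3, pri & 7, parse_timestamp(m["ts"]), m["host"], fields)


# Triage thresholds are assumptions for this example, not vendor-defined values.
HIGH_RISK_THRESHOLD = 8                       # cs-threat-risk is a 1-10 score
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _first(fields: Dict[str, Value], key: str) -> str:
    v = fields.get(key, "-")                  # ProxySG writes "-" for empty fields
    return v[0] if isinstance(v, list) else v


def flag_event(ev: ProxyEvent) -> List[str]:
    """Return the reasons an event deserves analyst attention (empty if none)."""
    reasons = []
    if _first(ev.fields, "sc-filter-result") == "DENIED":
        reasons.append("denied-by-policy")
    if _first(ev.fields, "x-virus-id") not in ("", "-"):
        reasons.append("av-detection")
    risk = _first(ev.fields, "cs-threat-risk")
    if risk.isdigit() and int(risk) >= HIGH_RISK_THRESHOLD:
        reasons.append("high-threat-risk")
    if _first(ev.fields, "x-rs-connection-negotiated-ssl-version") in LEGACY_TLS:
        reasons.append("legacy-tls")
    return reasons


SAMPLE_DENIED = (  # constructed: a policy-blocked request to a categorised host
    "<111>1 2021-03-11T14:05:07.000z proxy01 bluecoat - splunk_format - "
    'c-ip=10.1.2.3 rs-Content-Type="text/html; charset=utf-8"  cs-auth-groups=- '
    'cs-bytes=512 cs-categories="Malicious Sources/Malnets" cs-host=evil.example '
    'cs-method=GET cs-uri-scheme=http cs-User-Agent="Mozilla/5.0 (X11) Firefox/86.0" '
    "cs-username=jdoe rs-version=HTTP/1.1 s-action=TCP_DENIED sc-filter-result=DENIED "
    'sc-status=403 x-exception-id=policy_denied x-virus-id=- c-url="http://evil.example/'
    'a b.html?q=1" cs-Referer="-" cs-auth-groups=- cs-threat-risk=9 '
    "x-rs-connection-negotiated-ssl-version=TLSv1.2")
SAMPLE_ALLOWED = (  # constructed: an ordinary allowed API call
    "<111>1 2021-03-11T14:05:09.000z proxy01 bluecoat - splunk_format - "
    'c-ip=10.1.2.4 rs-Content-Type="application/json" cs-auth-groups=CN=Staff '
    "cs-host=api.example.com cs-method=POST cs-uri-scheme=https cs-username=asmith "
    "s-action=TCP_NC_MISS sc-filter-result=OBSERVED sc-status=200 x-virus-id=- "
    'c-url="https://api.example.com/v1/items" cs-auth-groups=CN=Staff cs-threat-risk=2 '
    "x-rs-connection-negotiated-ssl-version=TLSv1.3")

if __name__ == "__main__":
    for line in (SAMPLE_DENIED, SAMPLE_ALLOWED):
        ev = parse_kv_event(line)
        print(ev.timestamp.isoformat(), ev.host, ev.fields["cs-username"],
              ev.fields["c-url"], flag_event(ev) or "clean")
```

Run a few real lines captured from your TCP listener through parse_kv_event before building alerts: a field that the appliance does not populate arrives as "-", and fields such as x-virus-id and cs-threat-risk are typically only filled when the corresponding ProxySG feature (content scanning, threat risk levels) is actually in use on that appliance.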

Configure Blue Coat ProxySG to send batches of logs to a file

If you want to monitor your logs in batched files, work with your Blue Coat ProxySG administrator to create a Log Facility that uploads logs to a location where your Splunk platform instance can monitor them. Follow the Blue Coat ProxySG documentation that matches your device and version.

Complete the following actions:

  • Select FTP client as the upload client for the Log Facility.
  • Provide the IP address of the FTP server that receives the files. The Splunk node responsible for data collection (for example, a forwarder) must run on that server or otherwise have read access to the upload path.
  • Specify a path for the logs.
  • Set the log schedule to produce logs periodically rather than continuously.

FTP sends both the upload credentials and the log contents in cleartext, and the logs include usernames, full URLs and Referer values. Limit the FTP account to write access on the upload directory, accept connections only from the ProxySG's IP address, and restrict read access on the uploaded files to the account that the Splunk collection node runs as.

Next, follow the instructions to Configure inputs for the Splunk Add-on for Symantec Blue Coat ProxySG.

Configure Blue Coat ProxySG to push logs via syslog

If you want to push your logs continuously to the Splunk platform using syslog, work with your Blue Coat ProxySG administrator to create a Log Facility to perform a syslog push. Follow the Blue Coat ProxySG documentation that matches your device and version.

Complete the following actions:

  • Select Custom client as the upload client for the Log Facility.
  • Provide the IP address of the Splunk node that is responsible for data collection.
  • Enter the port of the TCP input on your Splunk platform instance that listens for this data. The input must accept the transport you chose for the facility (plain TCP or SSL).
  • Set the log schedule to produce logs continuously rather than periodically.
  • Specify that the log files are sent in text format rather than saved as gzip files.

Next, follow the instructions to Configure inputs for the Splunk Add-on for Symantec Blue Coat ProxySG.

Last modified on 11 March, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released

