2017-06-30 04:55 AM
Hi All,
We are trying to integrate a Blue Coat proxy using the Blue Coat ProxySG SGOS Event Source Configuration Guide with syslog collection.
Unfortunately, we are receiving logs in the format below (not parsed correctly, as the : symbol is missing just after the word %CACHEFLOWELFF_syslog):
%CACHEFLOWELFF_syslogdate="2017-06-30",time="08:15:55",time-taken="19",c-ip="1.6.2.3",s-action="TCP_DENIED",s-ip="11.6.2.3",s-supplier-name="-",s-sitename="SG-HTTP-Service",cs-user="-",cs-username="-",cs-auth-group="-",cs-categories="Technology/Internet",cs-method="CONNECT",cs-host="accounts.google.com",cs-uri="tcp://accounts.google.com:443/",cs-uri-scheme="tcp",cs-uri-port="443",cs-uri-path="/",cs-uri-query="-",cs-uri-extension="-",cs(Referer)="-",cs(User-Agent)="Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",cs-bytes="314",sc-status="407",sc-bytes="222",sc-filter-result="DENIED",sc-filter-category="Technology/Internet",x-virus-id="-",x-exception-id="authentication_failed",rs(Content-Type)="-",duration="0",s-supplier-ip="-",cs(Cookie)="-",s-computername="xxx",s-port="6754",cs-uri-stem="tcp://accounts.google.com:443/",cs-version="HTTP/1.0"
The issue is that the Blue Coat device's custom log format does not accept the : symbol, as below, in the Log format tab.
<133>%%CACHEFLOWELFF_syslog:date=\"$(date)\",time=\"$(time)\",time-taken=\"$(time-taken)\",c-ip=\"$(c-ip)\",s-action=\"$(s-action)\",s-ip=\"$(s-ip)\",s-supplier-name=\"$(s-supplier-name)\",s-sitename=\"$(s-sitename)\",cs-user=\"$(cs-user)\",cs-username=\"$(cs-username)\",cs-auth-group=\"$(cs-auth-group)\",cs-categories=$(cs-categories),cs-method=\"$(cs-method)\",cs-host=\"$(cs-host)\",cs-uri=\"$(cs-uri)\",cs-uri-scheme=\"$(cs-uri-scheme)\",cs-uri-port=\"$(cs-uri-port)\",cs-uri-path=\"$(cs-uri-path)\",cs-uri-query=\"$(cs-uri-query)\",cs-uri-extension=\"$(cs-uri-extension)\",cs(Referer)=\"$(cs(Referer))\",cs(User-Agent)=\"$(cs(User-Agent))\",cs-bytes=\"$(cs-bytes)\",sc-status=\"$(sc-status)\",sc-bytes=\"$(sc-bytes)\",sc-filter-result=\"$(sc-filter-result)\",sc-filter-category=\"$(sc-filter-category)\",x-virus-id=\"$(x-virus-id)\",x-exception-id=\"$(x-exception-id)\",rs(Content-Type)=\"$(rs(Content-Type))\",duration=\"$(duration)\",s-supplier-ip=\"$(s-supplier-ip)\",cs(Cookie)=\"$(cs(Cookie))\",s-computername=\"$(s-computername)\",s-port=\"$(s-port)\",cs-uri-stem=\"$(cs-uri-stem)\",cs-version=\"$(cs-version)\"
The Blue Coat device version is 6.2.13.1. Has anyone come across this issue? Please suggest a workaround, if there is one.
2017-06-30 05:07 AM
Just got this working by giving the custom log format using the Blue Coat command prompt.
https://hypersonic.bluecoat.com/sites/default/files/tech_pubs/65CLIRef.pdf page 107
Thanks all.
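An added example, not part of the thread and not vendor code: a receiving-side check that reports whether the `:` after `%CACHEFLOWELFF_syslog` arrived and confirms the key="value" fields are otherwise intact, including keys such as `cs(User-Agent)`, commas inside quoted values, and an unquoted `cs-categories` as in the format string above. The function names and the shortened sample line are assumptions made for illustration.

```python
import re

TAG = "%CACHEFLOWELFF_syslog"
# key="value" or key=bare; keys may contain parentheses, e.g. cs(User-Agent)
PAIR = re.compile(r'([A-Za-z][\w()-]*)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))(?:,|$)')

# Constructed sample in the shape of the message posted above (colon missing).
SAMPLE = ('%CACHEFLOWELFF_syslogdate="2017-06-30",time="08:15:55",c-ip="1.6.2.3",'
          's-action="TCP_DENIED",cs-categories=Technology/Internet,'
          'cs(User-Agent)="Mozilla/5.0 (Windows NT 6.1; Win64; x64) like Gecko, test",'
          'sc-status="407"')

def split_header(msg):
    """Return (payload, colon_present); an optional <PRI> prefix is dropped."""
    msg = re.sub(r'^<\d{1,3}>', '', msg.strip())
    if not msg.startswith(TAG):
        raise ValueError("not a CACHEFLOWELFF_syslog message")
    rest = msg[len(TAG):]
    if rest.startswith(":"):
        return rest[1:].lstrip(), True
    return rest, False

def parse_fields(payload):
    """Walk the payload pair by pair so any unparseable span is reported."""
    fields, pos = {}, 0
    while pos < len(payload):
        m = PAIR.match(payload, pos)
        if not m:
            raise ValueError(f"unparseable text at offset {pos}")
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
        pos = m.end()
    return fields

def normalize(msg):
    """Parse one message and rebuild it with the colon the parser expects."""
    payload, colon = split_header(msg)
    return {"colon_present": colon,
            "fields": parse_fields(payload),
            "fixed": f"{TAG}:{payload}"}

if __name__ == "__main__":
    result = normalize(SAMPLE)
    print("colon present:", result["colon_present"])
    print(result["fields"])
```

Running it over a captured message before and after changing the log format on the proxy shows whether the header now carries the colon and whether any field was lost in the change.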