Symantec ProxySG Content Pack
Symantec ProxySG (Symantec Proxy Secure Gateway) is a next-generation web application firewall that delivers both comprehensive web security and WAN optimization.
This technology pack will process ProxySG event log messages, providing normalization and enrichment of common events of interest.
Supported Versions
- Symantec ProxySG up to version 9.x
Requirements
- Graylog 6.2.0+ with a valid Graylog Enterprise or Graylog Security license
- Configure the Symantec ProxySG appliance to transmit Syslog to your Graylog server Syslog input
- Access log format must match the W3C Extended Log File Format order expected by this pack
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:Symantec Messages"
Index Set Configuration
This technology pack includes 1 index set definition:
- "Symantec Event Log Messages"
Log Collection and Delivery
This pack processes ProxySG access logs delivered via Syslog.
- Syslog
Syslog Configuration
- Create a matching Syslog input in Graylog.
- Configure the Symantec ProxySG appliance to send access logs to your Graylog server's Syslog input.
- Configure the access log to use the W3C Extended Log File Format with the field order listed in the W3C Field Order table below. The first field (x-bluecoat-request-tenant-id) and final field (source port) are optional.
Log Format Example
Example ProxySG access log in W3C Extended format.
ProxySG Access Log
```text
1812 2018-02-10 18:00:12 "DP1-DE1_ProxySG" 888 x.x.x.x bob - - OBSERVED "Business/Economy" http://www.szlb.net/ 200 TCP_NC_MISS GET image/jpeg http www.szlb.net 80 /templets/default/images/wap/bg-gray1.jpg - jpg "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" x.x.x.x 4385 367 - - 0 "client" client_connector "-" "-" x.x.x.x - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - - - 9eef3983b1d826f3-00000000c3a3468b-000000005a7f332b
```
What is Provided
- Rules to parse, normalize, and enrich Symantec ProxySG log messages
- Graylog Information Model (GIM) message categorization for HTTP proxied and network connection events
- Support for OBSERVED, PROXIED, and DENIED ProxySG access log categories
Events Processed by This Technology Pack
The content pack supports the following log types:
- OBSERVED access logs (TCP and UDP)
- PROXIED access logs (TCP and UDP)
- DENIED access logs (TCP and UDP)
GIM Categorization
Each ProxySG event is assigned two GIM event types: an HTTP proxied event, and a network event whose subcategory depends on whether a source port is present in the log message.
| Event Action | GIM Category | GIM Subcategory | GIM Event Type |
|---|---|---|---|
| All ProxySG vendor_event_action values (with source port) | http | http.proxied | http proxied communication |
| All ProxySG vendor_event_action values (with source port) | network | network.network connection | network connection |
| All ProxySG vendor_event_action values (no source port) | http | http.proxied | http proxied communication |
| All ProxySG vendor_event_action values (no source port) | network | network.default | network message |
Message Fields Included in This Pack
Parsed Fields
The following fields are extracted and normalized from ProxySG access logs.
| Field Name | Example Value | Description |
|---|---|---|
| alert_response_level | 0 | Alert response level mapped from event_action |
| application_name | Baidu Search | Detected application name (x-bluecoat-application-name) |
| certificate_hostname | example.com | TLS certificate hostname |
| certificate_hostname_categories | Search Engines/Portals | URL categories of the certificate hostname |
| certificate_observed_errors | unknown_ca | Observed certificate validation errors |
| certificate_subject | CN=example.com | Certificate subject distinguished name |
| certificate_validation_status | valid | Certificate validation status from the server |
| destination_bytes_sent | 95189 | Bytes sent to the client (sc-bytes) |
| destination_icap_error_details | - | Destination ICAP scan error details |
| destination_icap_status | ICAP_NOT_SCANNED | Destination ICAP scan status |
| destination_ip | 182.61.62.50 | Destination server IP address (r-ip) |
| destination_negotiated_cipher | none | Destination SSL/TLS negotiated cipher |
| destination_negotiated_cipher_size | 256 | Destination SSL/TLS cipher key size in bits |
| destination_negotiated_ssl_version | TLSv1.2 | Destination SSL/TLS protocol version |
| destination_ocsp_errors | - | Server-side OCSP validation errors |
| destination_port | 80 | Destination server port (cs-uri-port) |
| destination_reference | 182.61.62.50 | Destination reference derived from destination_ip |
| event_action | allowed | Normalized event action (allowed/blocked/failed/unknown) |
| event_created | 2018-02-10 18:00:11 | Event timestamp from date/time fields |
| event_duration | 16310 | Request duration in milliseconds (time-taken) |
| event_observer_ip | 192.168.1.2 | Proxy appliance IP address (s-ip) |
| event_source | DP1-DE1_ProxySG | Proxy appliance name (x-bluecoat-appliance-name) |
| event_source_product | symantec_proxysg | Constant identifier for this log source |
| gim_event_type_code | 180300,120000 | GIM event type codes assigned to the event |
| host_type | client_connector | Bluecoat access type (x-bluecoat-access-type) |
| http_category | Search Engines/Portals | URL category classification (cs-categories) |
| http_content_type | application/x-javascript | Response content type (rs(Content-Type)) |
| http_header_x_requested_with | XMLHttpRequest | cs(X-Requested-With) HTTP header value |
| http_host | libs.baidu.com | Request host header (cs-host) |
| http_referrer | http://www.szlb.net/ | HTTP referrer URL (cs(Referer)) |
| http_request_method | GET | HTTP request method (cs-method) |
| http_request_path | /jquery/1.7.2/jquery.min.js | Request URI path (cs-uri-path) |
| http_response | OK | HTTP response status text |
| http_response_class | successful response | HTTP response class category |
| http_response_code | 200 | HTTP response status code (sc-status) |
| http_uri_extension | js | URI file extension (cs-uri-extension) |
| http_uri_query | ?foo=bar | URI query string (cs-uri-query) |
| http_user_agent | Mozilla/5.0 ... | HTTP User-Agent header (cs(User-Agent)) |
| network_transport | tcp | Network transport protocol derived from vendor_event_action |
| source_bytes_sent | 410 | Bytes sent from the client (cs-bytes) |
| source_icap_error_details | - | Source ICAP scan error details |
| source_icap_status | ICAP_NOT_SCANNED | Source ICAP scan status |
| source_ip | fe80::fc54:ff:fe2c:5f1a | Client source IP address (c-ip) |
| source_negotiated_ssl_version | TLSv1.2 | Client SSL/TLS protocol version |
| source_ocsp_errors | - | Client-side OCSP validation errors |
| source_port | 55443 | Client source port |
| source_reference | fe80::fc54:ff:fe2c:5f1a | Source reference derived from source_ip |
| user_name | adam | Authenticated user name (cs-userdn) |
| user_type | domain | User type classification |
| vendor_application_operation | - | Application operation (x-bluecoat-application-operation) |
| vendor_cloud_rating | - | Bluecoat cloud rating for the request |
| vendor_data_leak_detected | - | Whether data leak was detected (x-data-leak-detected) |
| vendor_event_action | TCP_NC_MISS | Vendor-specific proxy action (s-action) |
| vendor_event_category | OBSERVED | Vendor event category (sc-filter-result) |
| vendor_exception_id | - | Exception ID (x-exception-id) |
| vendor_location_id | 0 | Bluecoat location ID (x-bluecoat-location-id) |
| vendor_location_name | client | Bluecoat location name (x-bluecoat-location-name) |
| vendor_tenant_id | 1812 | Bluecoat tenant ID (x-bluecoat-request-tenant-id) |
| vendor_transaction_id | 9eef3983b1d826f3-... | Unique transaction identifier (x-bluecoat-transaction-uuid) |
| vendor_uri_scheme | http | URI scheme (cs-uri-scheme) |
| vendor_virus_id | - | Virus identifier if detected (x-virus-id) |
W3C Field Order
ProxySG must be configured to emit access logs in the W3C Extended Log File Format using the field order below.
| Position | Field Name | Notes |
|---|---|---|
| 1 | x-bluecoat-request-tenant-id | Optional. When present, must be the first field. |
| 2 | date | |
| 3 | time | |
| 4 | x-bluecoat-appliance-name | |
| 5 | time-taken | |
| 6 | c-ip | |
| 7 | cs-userdn | |
| 8 | cs-auth-groups | |
| 9 | x-exception-id | |
| 10 | sc-filter-result | |
| 11 | cs-categories | |
| 12 | cs(Referer) | |
| 13 | sc-status | |
| 14 | s-action | |
| 15 | cs-method | |
| 16 | rs(Content-Type) | |
| 17 | cs-uri-scheme | |
| 18 | cs-host | |
| 19 | cs-uri-port | |
| 20 | cs-uri-path | |
| 21 | cs-uri-query | |
| 22 | cs-uri-extension | |
| 23 | cs(User-Agent) | |
| 24 | s-ip | |
| 25 | sc-bytes | |
| 26 | cs-bytes | |
| 27 | x-data-leak-detected | |
| 28 | x-virus-id | |
| 29 | x-bluecoat-location-id | |
| 30 | x-bluecoat-location-name | |
| 31 | x-bluecoat-access-type | |
| 32 | x-bluecoat-application-name | |
| 33 | x-bluecoat-application-operation | |
| 34 | r-ip | |
| 35 | x-rs-certificate-validate-status | |
| 36 | x-rs-certificate-observed-errors | |
| 37 | x-cs-ocsp-error | |
| 38 | x-rs-ocsp-error | |
| 39 | x-rs-connection-negotiated-ssl-version | |
| 40 | x-rs-connection-negotiated-cipher | |
| 41 | x-rs-connection-negotiated-cipher-size | |
| 42 | x-rs-certificate-hostname | |
| 43 | x-rs-certificate-hostname-categories | |
| 44 | x-cs-connection-negotiated-ssl-version | |
| 45 | x-cs-connection-negotiated-cipher | |
| 46 | x-cs-connection-negotiated-cipher-size | |
| 47 | x-cs-certificate-subject | |
| 48 | cs-icap-status | |
| 49 | cs-icap-error-details | |
| 50 | rs-icap-status | |
| 51 | rs-icap-error-details | |
| 52 | x-cloud-rs | |
| 53 | x-bluecoat-placeholder | |
| 54 | cs(X-Requested-With) | |
| 55 | x-bluecoat-transaction-uuid | |
| 56 | source port | Optional. When present, must be the final field. |
