The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
Symantec ProxySG (Symantec Proxy Secure Gateway) is a next-generation web application firewall that delivers both comprehensive web security and WAN optimization. This technology pack will process ProxySG event log messages, providing normalization and enrichment of common events of interest.
Supported version(s)
- Up to version 9.x
Stream Configuration
This technology pack includes one stream:
- "Illuminate:Bluecoat Messages"
Index Set Configuration
This technology pack includes one index set definition:
- "Bluecoat Event Log Messages"
If this index set is already defined, nothing will be changed. If it does not exist, it will be created with a daily index rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Example
1812 2018-02-10 18:00:12 "DP1-DE1_ProxySG" 888 x.x.x.x bob - - OBSERVED "Business/Economy" https://www.szlb.net/ 200 TCP_NC_MISS GET image/jpeg http www.szlb.net 80 /templets/default/images/wap/bg-gray1.jpg - jpg "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" x.x.x.x 4385 367 - - 0 "client" client_connector "-" "-" x.x.x.x - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - - - 9eef3983b1d826f3-00000000c3a3468b-000000005a7f332b
Requirements
- Configure the Symantec ProxySG appliance to transmit its access log over Syslog to the Syslog input on your Graylog server.
- The Symantec ProxySG technology pack expects the fields in the following order, with the field x-bluecoat-request-tenant-id being optional:
x-bluecoat-request-tenant-id
date
time
x-bluecoat-appliance-name
time-taken
c-ip
cs-userdn
cs-auth-groups
x-exception-id
sc-filter-result
cs-categories
cs(Referer)
sc-status
s-action
cs-method
rs(Content-Type)
cs-uri-scheme
cs-host
cs-uri-port
cs-uri-path
cs-uri-query
cs-uri-extension
cs(User-Agent)
s-ip
sc-bytes
cs-bytes
x-data-leak-detected
x-virus-id
x-bluecoat-location-id
x-bluecoat-location-name
x-bluecoat-access-type
x-bluecoat-application-name
x-bluecoat-application-operation
r-ip
x-rs-certificate-validate-status
x-rs-certificate-observed-errors
x-cs-ocsp-error
x-rs-ocsp-error
x-rs-connection-negotiated-ssl-version
x-rs-connection-negotiated-cipher
x-rs-connection-negotiated-cipher-size
x-rs-certificate-hostname
x-rs-certificate-hostname-categories
x-cs-connection-negotiated-ssl-version
x-cs-connection-negotiated-cipher
x-cs-connection-negotiated-cipher-size
x-cs-certificate-subject
cs-icap-status
cs-icap-error-details
rs-icap-status
rs-icap-error-details
x-cloud-rs
x-bluecoat-placeholder
cs(X-Requested-With)
x-bluecoat-transaction-uuid
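As an added illustration of the field order above (this is example code written for this page, not the Illuminate pack's own parsing rules or any Graylog API), the following Python parser splits one access-log line into quote-aware values, decides from the value count whether the optional x-bluecoat-request-tenant-id is present, assigns the field names in the documented order, and turns the ProxySG "-" placeholder into a null so that downstream searches do not match on it. The first sample line is the one from the Log Format Example section; the second, with the tenant id removed, is constructed here. Converting time-taken, sc-status, cs-uri-port, sc-bytes and cs-bytes to integers, and treating a doubled quote inside a quoted value as an escaped quote, are assumptions made for this example rather than behaviour the pack documents.

```python
import re

# Field order from the technology pack documentation. The first field is
# optional, so a line carries either 54 or 55 values.
OPTIONAL_FIRST_FIELD = "x-bluecoat-request-tenant-id"
FIELDS = [
    "date", "time", "x-bluecoat-appliance-name", "time-taken", "c-ip", "cs-userdn",
    "cs-auth-groups", "x-exception-id", "sc-filter-result", "cs-categories",
    "cs(Referer)", "sc-status", "s-action", "cs-method", "rs(Content-Type)",
    "cs-uri-scheme", "cs-host", "cs-uri-port", "cs-uri-path", "cs-uri-query",
    "cs-uri-extension", "cs(User-Agent)", "s-ip", "sc-bytes", "cs-bytes",
    "x-data-leak-detected", "x-virus-id", "x-bluecoat-location-id",
    "x-bluecoat-location-name", "x-bluecoat-access-type",
    "x-bluecoat-application-name", "x-bluecoat-application-operation", "r-ip",
    "x-rs-certificate-validate-status", "x-rs-certificate-observed-errors",
    "x-cs-ocsp-error", "x-rs-ocsp-error",
    "x-rs-connection-negotiated-ssl-version", "x-rs-connection-negotiated-cipher",
    "x-rs-connection-negotiated-cipher-size", "x-rs-certificate-hostname",
    "x-rs-certificate-hostname-categories",
    "x-cs-connection-negotiated-ssl-version", "x-cs-connection-negotiated-cipher",
    "x-cs-connection-negotiated-cipher-size", "x-cs-certificate-subject",
    "cs-icap-status", "cs-icap-error-details", "rs-icap-status",
    "rs-icap-error-details", "x-cloud-rs", "x-bluecoat-placeholder",
    "cs(X-Requested-With)", "x-bluecoat-transaction-uuid",
]

# Fields converted to integers when present (a choice made for this example,
# not something the pack documents).
INT_FIELDS = {"time-taken", "sc-status", "cs-uri-port", "sc-bytes", "cs-bytes"}

# A value is either a double-quoted string (an embedded quote is assumed to be
# written as "" as in W3C extended log format) or a run of non-space characters.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|(\S+)')


def tokenize(line: str) -> list:
    """Split one access-log line into its values, stripping the quotes."""
    tokens = []
    for m in TOKEN_RE.finditer(line):
        if m.group(1) is not None:
            tokens.append(m.group(1).replace('""', '"'))
        else:
            tokens.append(m.group(2))
    return tokens


def parse_proxysg(line: str) -> dict:
    """Map one access-log line onto the documented field names."""
    tokens = tokenize(line.strip())
    names = list(FIELDS)
    if len(tokens) == len(FIELDS) + 1:
        # Extra leading value: the optional tenant id is present.
        names.insert(0, OPTIONAL_FIRST_FIELD)
    elif len(tokens) != len(FIELDS):
        raise ValueError(
            f"expected {len(FIELDS)} or {len(FIELDS) + 1} values, got {len(tokens)}"
        )
    event = {}
    for name, tok in zip(names, tokens):
        # ProxySG writes "-" (sometimes quoted) for an empty value; store None so
        # searches and dashboards do not treat the placeholder as real data.
        if tok == "-":
            event[name] = None
        elif name in INT_FIELDS and tok.isdigit():
            event[name] = int(tok)
        else:
            event[name] = tok
    return event


# The sample line from the Log Format Example section above.
SAMPLE_LINE = (
    '1812 2018-02-10 18:00:12 "DP1-DE1_ProxySG" 888 x.x.x.x bob - - OBSERVED '
    '"Business/Economy" https://www.szlb.net/ 200 TCP_NC_MISS GET image/jpeg http '
    'www.szlb.net 80 /templets/default/images/wap/bg-gray1.jpg - jpg '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" '
    'x.x.x.x 4385 367 - - 0 "client" client_connector "-" "-" x.x.x.x - - - - - none '
    '- - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - - - '
    '9eef3983b1d826f3-00000000c3a3468b-000000005a7f332b'
)
# The same event with the optional tenant id removed (constructed for this example).
SAMPLE_LINE_NO_TENANT = SAMPLE_LINE.split(" ", 1)[1]

if __name__ == "__main__":
    for key, value in parse_proxysg(SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

The length check is what makes the optional field safe to handle: a line that is neither 54 nor 55 values long is rejected rather than silently shifting every later field by one, which is the failure mode a missing or extra value would otherwise cause in a positional format like this one.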
What is Provided
- Parsing rules to extract Symantec ProxySG logs into Graylog schema compatible fields.