Graylog Illuminate is available for use with Graylog Operations and Graylog Security. Contact sales to learn more about obtaining Graylog Illuminate.

Symantec ProxySG (formerly Blue Coat ProxySG) is a secure web gateway, a forward proxy that delivers both web security controls and WAN optimization. This technology pack processes ProxySG event log messages, normalizing and enriching the common events of interest.

Supported version(s)

  • Up to version 9.x

Stream Configuration

This technology pack includes one stream:

  • "Illuminate:Bluecoat Messages"

Index Set Configuration

This technology pack includes one index set definition:

  • "Bluecoat Event Log Messages"

If this index set is already defined, nothing is changed. If it does not exist, it is created with a daily index rotation and a 90-day retention period. These settings can be adjusted as required after installation.

Log Format Example

1812 2018-02-10 18:00:12 "DP1-DE1_ProxySG" 888 x.x.x.x bob - - OBSERVED "Business/Economy" https://www.szlb.net/ 200 TCP_NC_MISS GET image/jpeg http www.szlb.net 80 /templets/default/images/wap/bg-gray1.jpg - jpg "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" x.x.x.x 4385 367 - - 0 "client" client_connector "-" "-" x.x.x.x - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - - - 9eef3983b1d826f3-00000000c3a3468b-000000005a7f332b

Requirements

  • Configure the Symantec ProxySG appliance to forward its log messages over Syslog to a Syslog input on your Graylog server.

  • The Symantec ProxySG technology pack parses fields positionally and expects them in the following order; only the first field, x-bluecoat-request-tenant-id, is optional. The access log format configured on the appliance must emit exactly these fields in exactly this order: a missing, extra or reordered field shifts every later value into the wrong Graylog field without producing an error.

    • x-bluecoat-request-tenant-id
    • date
    • time
    • x-bluecoat-appliance-name
    • time-taken
    • c-ip
    • cs-userdn
    • cs-auth-groups
    • x-exception-id
    • sc-filter-result
    • cs-categories
    • cs(Referer)
    • sc-status
    • s-action
    • cs-method
    • rs(Content-Type)
    • cs-uri-scheme
    • cs-host
    • cs-uri-port
    • cs-uri-path
    • cs-uri-query
    • cs-uri-extension
    • cs(User-Agent)
    • s-ip
    • sc-bytes
    • cs-bytes
    • x-data-leak-detected
    • x-virus-id
    • x-bluecoat-location-id
    • x-bluecoat-location-name
    • x-bluecoat-access-type
    • x-bluecoat-application-name
    • x-bluecoat-application-operation
    • r-ip
    • x-rs-certificate-validate-status
    • x-rs-certificate-observed-errors
    • x-cs-ocsp-error
    • x-rs-ocsp-error
    • x-rs-connection-negotiated-ssl-version
    • x-rs-connection-negotiated-cipher
    • x-rs-connection-negotiated-cipher-size
    • x-rs-certificate-hostname
    • x-rs-certificate-hostname-categories
    • x-cs-connection-negotiated-ssl-version
    • x-cs-connection-negotiated-cipher
    • x-cs-connection-negotiated-cipher-size
    • x-cs-certificate-subject
    • cs-icap-status
    • cs-icap-error-details
    • rs-icap-status
    • rs-icap-error-details
    • x-cloud-rs
    • x-bluecoat-placeholder
    • cs(X-Requested-With)
    • x-bluecoat-transaction-uuid
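
The following is an added example, not part of the Graylog Illuminate pack or of Graylog's own parsing rules. It shows how a positional parser for the documented field order works: double-quoted values (which may contain spaces, such as cs(User-Agent)) are kept as single tokens, "-" placeholders become null values, the optional leading x-bluecoat-request-tenant-id is detected by checking whether the first token is a date, and a line whose field count does not match the expected order is rejected rather than misaligned. The first sample line is the one shown under Log Format Example above; the second is a constructed copy of it with the tenant id removed. Function names and the integer-typed field set are the example's own choices, not pack behaviour.

```python
import re
from typing import Dict, List, Optional

# Field order documented for the technology pack; the first field is optional.
PROXYSG_FIELDS: List[str] = [
    "x-bluecoat-request-tenant-id", "date", "time", "x-bluecoat-appliance-name",
    "time-taken", "c-ip", "cs-userdn", "cs-auth-groups", "x-exception-id",
    "sc-filter-result", "cs-categories", "cs(Referer)", "sc-status", "s-action",
    "cs-method", "rs(Content-Type)", "cs-uri-scheme", "cs-host", "cs-uri-port",
    "cs-uri-path", "cs-uri-query", "cs-uri-extension", "cs(User-Agent)", "s-ip",
    "sc-bytes", "cs-bytes", "x-data-leak-detected", "x-virus-id",
    "x-bluecoat-location-id", "x-bluecoat-location-name", "x-bluecoat-access-type",
    "x-bluecoat-application-name", "x-bluecoat-application-operation", "r-ip",
    "x-rs-certificate-validate-status", "x-rs-certificate-observed-errors",
    "x-cs-ocsp-error", "x-rs-ocsp-error", "x-rs-connection-negotiated-ssl-version",
    "x-rs-connection-negotiated-cipher", "x-rs-connection-negotiated-cipher-size",
    "x-rs-certificate-hostname", "x-rs-certificate-hostname-categories",
    "x-cs-connection-negotiated-ssl-version", "x-cs-connection-negotiated-cipher",
    "x-cs-connection-negotiated-cipher-size", "x-cs-certificate-subject",
    "cs-icap-status", "cs-icap-error-details", "rs-icap-status",
    "rs-icap-error-details", "x-cloud-rs", "x-bluecoat-placeholder",
    "cs(X-Requested-With)", "x-bluecoat-transaction-uuid",
]

# Fields this example converts to integers (an assumption for convenience).
INT_FIELDS = {"time-taken", "sc-status", "cs-uri-port", "sc-bytes", "cs-bytes"}

# Either a double-quoted run (quotes stripped) or a run of non-whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Sample line from the Log Format Example above.
SAMPLE_LINE = (
    '1812 2018-02-10 18:00:12 "DP1-DE1_ProxySG" 888 x.x.x.x bob - - OBSERVED '
    '"Business/Economy" https://www.szlb.net/ 200 TCP_NC_MISS GET image/jpeg http '
    'www.szlb.net 80 /templets/default/images/wap/bg-gray1.jpg - jpg '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" '
    'x.x.x.x 4385 367 - - 0 "client" client_connector "-" "-" x.x.x.x - - - - - none '
    '- - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - - - '
    '9eef3983b1d826f3-00000000c3a3468b-000000005a7f332b'
)
# Constructed variant: the same event without the optional tenant id.
SAMPLE_LINE_NO_TENANT = SAMPLE_LINE[len("1812 "):]


def tokenize(line: str) -> List[str]:
    """Split on whitespace while keeping double-quoted values as one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(line)]


def parse_proxysg(line: str) -> Dict[str, Optional[object]]:
    """Map one ProxySG log line onto the documented field order.

    Raises ValueError when the token count does not match, because a
    positional format that is off by one field silently corrupts every
    later value if it is accepted.
    """
    tokens = tokenize(line.strip())
    fields = PROXYSG_FIELDS
    if tokens and DATE_RE.match(tokens[0]):
        fields = PROXYSG_FIELDS[1:]  # tenant id absent: line starts with date
    if len(tokens) != len(fields):
        raise ValueError(
            f"expected {len(fields)} fields, got {len(tokens)}: verify the "
            "appliance access-log format matches the documented field order"
        )
    record: Dict[str, Optional[object]] = {}
    for name, value in zip(fields, tokens):
        if value == "-":
            record[name] = None          # ProxySG placeholder for "no value"
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    if fields is not PROXYSG_FIELDS:
        record["x-bluecoat-request-tenant-id"] = None
    return record


def is_well_formed(line: str) -> bool:
    """True when the line has the expected number of fields."""
    try:
        parse_proxysg(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    rec = parse_proxysg(SAMPLE_LINE)
    for key in ("x-bluecoat-request-tenant-id", "c-ip", "cs-userdn",
                "sc-filter-result", "cs-host", "sc-status", "cs(User-Agent)"):
        print(f"{key}: {rec[key]!r}")
```

Before pointing a new appliance at the input, run a handful of real lines through a check like this one; if it raises on every line, the appliance's access log format differs from the documented order and the pack's rules will populate the wrong fields.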

What is Provided

  • Parsing rules to extract Symantec ProxySG logs into Graylog schema compatible fields.