Bluecoat/Symantec/Broadcom ASG logs not parsing timestamps

ilhwan
Path Finder

I'm using the Splunk Add-on for Symantec Blue Coat ProxySG. I'm receiving the logs (from ASG version 6.7.3.14) and seeing most of the data as expected. The problem is that everything before "splunk_format" is getting dropped.

If I look at the raw log using "show source" in splunk search, it looks like this:

- splunk_format - c-ip=172.16.186.28 cs-bytes=20058 cs-categories="News" cs-host=data.api.cnn.io cs-ip=172.30.50.202 cs-method=CONNECT cs-uri-port=443 cs-uri-scheme=tcp cs-User-Agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0" cs-username=iho dnslookup-time=0 duration=285 rs-status=0 s-action=TCP_TUNNELED s-ip=172.30.50.202 service.name="Explicit HTTP" service.group="Standard" s-supplier-ip=172.30.50.202 s-supplier-name=172.30.50.202 sc-bytes=680861 sc-filter-result=OBSERVED sc-status=200 time-taken=285209 c-url="tcp://data.api.cnn.io:443/" cs-headerlength=213 cs-threat-risk=unavailable r-ip=151.101.53.67 s-connect-type=Direct s-icap-status=ICAP_NOT_SCANNED s-sitename=http.proxy s-source-port=32401 s-supplier-country=Unavailable sr-Accept-Encoding=identity x-cookie-date=Sat,%2013-Feb-21%2016:41:27%20GMT x-cs-connection-negotiated-cipher=none x-exception-category-review-message="<br><br>Your request was categorized by Blue Coat Web Filter as 'News'. <br>If you wish to question or dispute this result, please click <a href=%22http://sitereview.bluecoat.com/sitereview.jsp?referrer=136&url=tcp://data.api.cnn.io:443/%22>here</a>." x-exception-sourceline=0 x-rs-connection-negotiated-cipher=none cs-uri-path=/ c-uri-pathquery=/

If I use tcpdump on the server running sc4s, I see this:

<111>1 2021-02-13T16:47:43 ShrSecGatPd01 bluecoat - splunk_format - c-ip=172.16.186.28 rs-Content-Type="-" cs-auth-groups=- cs-bytes=1418 cs-categories="Technology/Internet;Web Ads/Analytics" cs-host=mcdp-sadc1.outbrain.com cs-ip=172.30.50.202 cs-method=CONNECT cs-uri-port=443 cs-uri-scheme=tcp cs-User-Agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0" cs-username=iho dnslookup-time=0 duration=7 rs-status=0 rs-version=- s-action=TCP_TUNNELED s-ip=172.30.50.202 service.name="Explicit HTTP" service.group="Standard" s-supplier-ip=172.30.50.202 s-supplier-name=172.30.50.202 sc-bytes=1850 sc-filter-result=OBSERVED sc-status=200 time-taken=7161 x-exception-id=- x-virus-id=- c-url="tcp://mcdp-sadc1.outbrain.com:443/" cs-Referer="-" c-cpu=- connect-time=- cs-auth-groups=- cs-headerlength=229 cs-threat-risk=unavailable r-ip=66.225.223.159 r-supplier-ip=- rs-time-taken=- rs-server=- s-connect-type=Direct s-icap-status=ICAP_NOT_SCANNED s-sitename=http.proxy s-source-port=55231 s-supplier-country=Unavailable sc-Content-Encoding=- sr-Accept-Encoding=identity x-auth-credential-type=- x-cookie-date=Sat,%2013-Feb-21%2016:47:43%20GMT x-cs-certificate-subject=- x-cs-connection-negotiated-cipher=none x-cs-connection-negotiated-cipher-size=- x-cs-connection-negotiated-ssl-version=- x-cs-ocsp-error=- x-cs-Referer-uri=- x-cs-Referer-uri-address=- x-cs-Referer-uri-extension=- x-cs-Referer-uri-host=- x-cs-Referer-uri-hostname=- x-cs-Referer-uri-path=- x-cs-Referer-uri-pathquery=- x-cs-Referer-uri-port=- x-cs-Referer-uri-query=- x-cs-Referer-uri-scheme=- x-cs-Referer-uri-stem=- x-exception-category=- x-exception-category-review-message="<br><br>Your request was categorized by Blue Coat Web Filter as 'Technology/Internet;Web Ads/Analytics'. <br>If you wish to question or dispute this result, please click <a href=%22http://sitereview.bluecoat.com/sitereview.jsp?referrer=136&url=tcp://mcdp-sadc1.outbrain.com:443/%22>here</a>." x-exception-company-name=- x-exception-contact=- x-exception-details=- x-exception-header=- x-exception-help=- x-exception-last-error=- x-exception-reason="-" x-exception-sourcefile=- x-exception-sourceline=0 x-exception-summary=- x-icap-error-code=- x-rs-certificate-hostname=- x-rs-certificate-hostname-category=- x-rs-certificate-observed-errors=- x-rs-certificate-subject=- x-rs-certificate-validate-status=- x-rs-connection-negotiated-cipher=none x-rs-connection-negotiated-cipher-size=- x-rs-connection-negotiated-ssl-version=- x-rs-ocsp-error=- cs-uri-extension=- cs-uri-path=/ cs-uri-query="-" c-uri-pathquery=/

What do I need to edit to get it to parse out the timestamp and hostname?

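As an added illustration (not code from the add-on, from sc4s, or from the poster): a small Python parser that splits a line shaped like the tcpdump capture above into its RFC 5424 header slots and the Blue Coat key=value body. It makes the point of the question visible. Reading the captured line by RFC 5424 positions, the timestamp (2021-02-13T16:47:43) and hostname (ShrSecGatPd01) exist only in the syslog header, "bluecoat" is the APP-NAME, and "splunk_format" sits in the MSGID slot between a nil PROCID and nil structured-data. A body-only line like the one shown from "show source" therefore has no timestamp or hostname left to extract; they can only come from metadata the receiver attached. The example also flags that the ASG timestamp carries no time zone, which RFC 5424 requires, so a receiver has to assume one. The two sample lines are constructed, shortened from the two quoted in the post; treating "-" as an empty value and the header regex are this example's own choices.

```python
import re
from datetime import datetime

# Constructed sample, shortened from the shape of the tcpdump capture in the post:
# RFC 5424 header followed by the Blue Coat "splunk_format" key=value body.
RAW_SYSLOG = (
    '<111>1 2021-02-13T16:47:43 ShrSecGatPd01 bluecoat - splunk_format - '
    'c-ip=172.16.186.28 cs-bytes=1418 cs-categories="Technology/Internet;Web Ads/Analytics" '
    'cs-host=mcdp-sadc1.outbrain.com cs-method=CONNECT cs-uri-port=443 '
    'cs-User-Agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0" '
    'cs-username=iho s-action=TCP_TUNNELED sc-status=200 time-taken=7161 '
    'x-exception-id=- c-url="tcp://mcdp-sadc1.outbrain.com:443/"'
)

# Constructed sample in the shape of what the post reports as _raw in Splunk search:
# nothing before "splunk_format" survives, so no header is left to read a time or host from.
RAW_IN_SPLUNK = (
    '- splunk_format - c-ip=172.16.186.28 cs-bytes=20058 cs-host=data.api.cnn.io '
    'cs-method=CONNECT sc-status=200'
)

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# Each header slot is one non-space token; "-" is the nil value.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) '
    r'(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$'
)

# Blue Coat body: key=value pairs whose values are bare tokens or double-quoted
# strings (quoted values may contain spaces, e.g. cs-User-Agent).
KV_RE = re.compile(r'([^\s=]+)=(?:"([^"]*)"|(\S*))')

# Leftover prefix seen in the post's Splunk _raw once the header is gone (assumed fixed).
LEFTOVER_PREFIX = '- splunk_format - '


def parse_syslog_header(line):
    """Split an RFC 5424 line into header slots plus message; None if no header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    pri = int(d['pri'])
    d['facility'] = pri >> 3   # <111> -> facility 13
    d['severity'] = pri & 0x7  # <111> -> severity 7
    return d


def parse_timestamp(ts):
    """Parse the header timestamp and report whether it carried a zone.

    RFC 5424 requires 'Z' or +hh:mm; the ASG line in the post has neither, so the
    receiver must assume a zone (the proxy's local time, or UTC).
    """
    has_tz = ts.endswith('Z') or re.search(r'[+-]\d{2}:\d{2}$', ts) is not None
    if ts.endswith('Z'):
        ts = ts[:-1] + '+00:00'  # fromisoformat() only accepts 'Z' from Python 3.11
    return datetime.fromisoformat(ts), has_tz


def parse_bluecoat_kv(body):
    """Parse key=value pairs; Blue Coat's '-' placeholder becomes None (this example's choice)."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(body):
        value = quoted if quoted else bare
        fields[key] = None if value == '-' else value
    return fields


def parse_event(line):
    """Return host, time and fields; host/time are None when the header is absent."""
    header = parse_syslog_header(line)
    if header is None:
        body = line[len(LEFTOVER_PREFIX):] if line.startswith(LEFTOVER_PREFIX) else line
        return {'host': None, 'time': None, 'time_has_tz': None, 'appname': None,
                'facility': None, 'severity': None, 'fields': parse_bluecoat_kv(body)}
    when, has_tz = parse_timestamp(header['timestamp'])
    return {'host': header['hostname'], 'time': when, 'time_has_tz': has_tz,
            'appname': header['appname'], 'facility': header['facility'],
            'severity': header['severity'], 'fields': parse_bluecoat_kv(header['msg'])}


if __name__ == '__main__':
    for sample in (RAW_SYSLOG, RAW_IN_SPLUNK):
        ev = parse_event(sample)
        print(ev['host'], ev['time'], ev['time_has_tz'], ev['fields'].get('cs-host'))
```

Run against the two samples, the first yields host ShrSecGatPd01 and a zone-less 16:47:43 timestamp with the body fields parsed; the second yields no host and no time at all, only body fields, which is exactly the situation the question describes.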