All Apps and Add-ons

Bluecoat/Symantec/Broadcom ASG logs not parsing timestamps

ilhwan
Path Finder

I'm using the Splunk Add-on for Symantec Blue Coat ProxySG add-on.  I'm receiving the logs (from ASG version 6.7.3.14) and seeing most of the data as expected.  The problem is that everything before "-splunk_format" is getting dropped.

If I look at the raw log using "show source" in splunk search, it looks like this:

- splunk_format - c-ip=172.16.186.28 cs-bytes=20058 cs-categories="News" cs-host=data.api.cnn.io cs-ip=172.30.50.202 cs-method=CONNECT cs-uri-port=443 cs-uri-scheme=tcp cs-User-Agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0" cs-username=iho dnslookup-time=0 duration=285 rs-status=0 s-action=TCP_TUNNELED s-ip=172.30.50.202 service.name="Explicit HTTP" service.group="Standard" s-supplier-ip=172.30.50.202 s-supplier-name=172.30.50.202 sc-bytes=680861 sc-filter-result=OBSERVED sc-status=200 time-taken=285209 c-url="tcp://data.api.cnn.io:443/" cs-headerlength=213 cs-threat-risk=unavailable r-ip=151.101.53.67 s-connect-type=Direct s-icap-status=ICAP_NOT_SCANNED s-sitename=http.proxy s-source-port=32401 s-supplier-country=Unavailable sr-Accept-Encoding=identity x-cookie-date=Sat,%2013-Feb-21%2016:41:27%20GMT x-cs-connection-negotiated-cipher=none x-exception-category-review-message="<br><br>Your request was categorized by Blue Coat Web Filter as 'News'. <br>If you wish to question or dispute this result, please click <a href=%22http://sitereview.bluecoat.com/sitereview.jsp?referrer=136&url=tcp://data.api.cnn.io:443/%22>here</a>." x-exception-sourceline=0 x-rs-connection-negotiated-cipher=none cs-uri-path=/ c-uri-pathquery=/

If I use tcpdump on the server running sc4s, I see this:

<111>1 2021-02-13T16:47:43 ShrSecGatPd01 bluecoat - splunk_format - c-ip=172.16.186.28 rs-Content-Type="-" cs-auth-groups=- cs-bytes=1418 cs-categories="Technology/Internet;Web Ads/Analytics" cs-host=mcdp-sadc1.outbrain.com cs-ip=172.30.50.202 cs-method=CONNECT cs-uri-port=443 cs-uri-scheme=tcp cs-User-Agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0" cs-username=iho dnslookup-time=0 duration=7 rs-status=0 rs-version=- s-action=TCP_TUNNELED s-ip=172.30.50.202 service.name="Explicit HTTP" service.group="Standard" s-supplier-ip=172.30.50.202 s-supplier-name=172.30.50.202 sc-bytes=1850 sc-filter-result=OBSERVED sc-status=200 time-taken=7161 x-exception-id=- x-virus-id=- c-url="tcp://mcdp-sadc1.outbrain.com:443/" cs-Referer="-" c-cpu=- connect-time=- cs-auth-groups=- cs-headerlength=229 cs-threat-risk=unavailable r-ip=66.225.223.159 r-supplier-ip=- rs-time-taken=- rs-server=- s-connect-type=Direct s-icap-status=ICAP_NOT_SCANNED s-sitename=http.proxy s-source-port=55231 s-supplier-country=Unavailable sc-Content-Encoding=- sr-Accept-Encoding=identity x-auth-credential-type=- x-cookie-date=Sat,%2013-Feb-21%2016:47:43%20GMT x-cs-certificate-subject=- x-cs-connection-negotiated-cipher=none x-cs-connection-negotiated-cipher-size=- x-cs-connection-negotiated-ssl-version=- x-cs-ocsp-error=- x-cs-Referer-uri=- x-cs-Referer-uri-address=- x-cs-Referer-uri-extension=- x-cs-Referer-uri-host=- x-cs-Referer-uri-hostname=- x-cs-Referer-uri-path=- x-cs-Referer-uri-pathquery=- x-cs-Referer-uri-port=- x-cs-Referer-uri-query=- x-cs-Referer-uri-scheme=- x-cs-Referer-uri-stem=- x-exception-category=- x-exception-category-review-message="<br><br>Your request was categorized by Blue Coat Web Filter as 'Technology/Internet;Web Ads/Analytics'. <br>If you wish to question or dispute this result, please click <a href=%22http://sitereview.bluecoat.com/sitereview.jsp?referrer=136&url=tcp://mcdp-sadc1.outbrain.com:443/%22>here</a>." x-exception-company-name=- x-exception-contact=- x-exception-details=- x-exception-header=- x-exception-help=- x-exception-last-error=- x-exception-reason="-" x-exception-sourcefile=- x-exception-sourceline=0 x-exception-summary=- x-icap-error-code=- x-rs-certificate-hostname=- x-rs-certificate-hostname-category=- x-rs-certificate-observed-errors=- x-rs-certificate-subject=- x-rs-certificate-validate-status=- x-rs-connection-negotiated-cipher=none x-rs-connection-negotiated-cipher-size=- x-rs-connection-negotiated-ssl-version=- x-rs-ocsp-error=- cs-uri-extension=- cs-uri-path=/ cs-uri-query="-" c-uri-pathquery=/

What do I need to edit to get it to parse out the timestamp and hostname?

Labels (2)
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...