All Apps and Add-ons

Splunk Add-on for Blue Coat ProxySG: Has anyone gotten the transforms to work properly for Bluecoat 6.6.3.2 log formatting?

Heff
Splunk Employee
Splunk Employee

Has anyone got the transforms for Bluecoat 6.6 working properly?

The Splunk Add-on for Blue Coat ProxySG is looking for 6.5.x, but it seems that the logging has changed in 6.6.

[auto_kv_for_bluecoat_v6_5_x]
REGEX = (?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s*$

FORMAT = date::$1 date::$2 time::$3 time::$4 time_taken::$5 time_taken::$6 c_ip::$7 c_ip::$8 cs_username::$9 cs_username::$10 cs_auth_group::$11 cs_auth_group::$12 x_exception_id::$13 x_exception_id::$14 sc_filter_result::$15 sc_filter_result::$16 cs_categories::$17 cs_categories::$18 cs_Referer::$19 cs_Referer::$20 sc_status::$21 sc_status::$22 s_action::$23 s_action::$24 cs_method::$25 cs_method::$26 rs_Content_Type::$27 rs_Content_Type::$28 cs_uri_scheme::$29 cs_uri_scheme::$30 cs_host::$31 cs_host::$32 cs_uri_port::$33 cs_uri_port::$34 cs_uri_path::$35 cs_uri_path::$36 cs_uri_query::$37 cs_uri_query::$38 cs_uri_extension::$39 cs_uri_extension::$40 cs_User_Agent::$41 cs_User_Agent::$42 s_ip::$43 s_ip::$44 sc_bytes::$45 sc_bytes::$46 cs_bytes::$47 cs_bytes::$48 x_virus_id::$49 x_virus_id::$50 x_bluecoat_application_name::$51 x_bluecoat_application_name::$52 x_bluecoat_application_operation::$53 x_bluecoat_application_operation::$54 

Blue Coat 6.6 DATA:

May 16 19:42:32 bh0prxy99 #Software: SGOS 6.6.3.2
May 16 19:42:32 bh0prxy99 #Version: 1.0
May 16 19:42:32 bh0prxy99 #Start-Date: 2016-05-16 23:08:21
May 16 19:42:32 bh0prxy99 #Date: 2016-04-29 20:08:05
May 16 19:42:32 bh0prxy99 #Fields: date time time-taken c-ip cs-username cs-auth-group s-supplier-name s-supplier-ip s-supplier-country s-supplier-failures x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation cs-threat-risk
May 16 19:42:32 bh0prxy99 #Remark: 2815320295 "bh0prxy99 - Blue Coat ASG-S400 Series" "xx.xx.x.xx" "main"
May 31 16:42:15 bh0prxy99 2016-05-31 20:41:56 31 xx.xx.xxx.xx nfl dom\S_Sysadmin na31.site.com xxx.xxx.xxx.xxx None - - OBSERVED "Business/Economy" -  302 TCP_NC_MISS GET - http na31.site.com 80 /servlet/servlet.ImageServer ?oid=00D37000000KAUl&esid=01837000001JkIC ImageServer "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET CLR 1.1.4322; .NET4.0E; Microsoft Outlook 14.0.7169; ms-office; MSOffice 14)" xxx.xxx.x.xx 203 629 - "none" "none" unavailable
May 31 16:42:15 bh0prxy99 2016-05-31 20:41:56 33 xx.xx.xxx.xx nfl dom\S_Sysadmin na31.site.com xxx.xxx.xxx.xxx None - - OBSERVED "Business/Economy" -  302 TCP_NC_MISS GET - http na31.site.com 80 /servlet/servlet.ImageServer ?oid=00D37000000KAUl&esid=01837000001Jd7X ImageServer "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET CLR 1.1.4322; .NET4.0E; Microsoft Outlook 14.0.7169; ms-office; MSOffice 14)" xxx.xxx.x.xx 203 629 - "none" "none" unavailable

ksavitsky
New Member

Has anyone been able to get the above suggestions to work with proxySG 6.6.5.9? Most of the fields extract correctly but I have a few anomalies where the cs_host shows up in cs_uri_scheme and for that record fields are all off. In most cases the cs_host ends up being 443 when this happens.

0 Karma

xavierashe
Contributor

In addition to the suggestions already made, I also added these two lines to my props.conf. The first line gives you a multivalue field for the categories. The second is a tweak to improve the logic on deciding if something is blocked. I had events where the vendor action was TCP_TUNNELED and the sc_filter_result was DENIED. The current lookup was mapping these events as action=allowed, which was throwing off my reporting.

EVAL-category = split(cs_categories, ";")
EVAL-vendor_action = if(sc_filter_result=="DENIED","DENIED",vendor_action)

ddance_splunk
Splunk Employee
Splunk Employee

Hi

I have written these additions for the props and transforms, i have added them to Splunk_TA_bluecoat-proxysg/local/props.conf and Splunk_TA_bluecoat-proxysg/local/transforms.conf

props.conf

[bluecoat:proxysg:access:syslog]
REPORT-auto_kv_for_bluecoat_v6 = auto_kv_for_bluecoat_v6_5_x,auto_kv_for_bluecoat_v6_6_x

transforms.conf

[auto_kv_for_bluecoat_v6_6_x]
REGEX = (?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))
FORMAT = date::$1 date::$2 time::$3 time::$4 time_taken::$5 time_taken::$6 c_ip::$7 c_ip::$8 cs_username::$9 cs_username::$10 cs_auth_group::$11 cs_auth_group::$12 s-supplier-name::$13 s-supplier-name::$14 s-supplier-ip::$15 s-supplier-ip::$16 s-supplier-country::$17 s-supplier-country::$18 s-supplier-failures::$19 s-supplier-failures::$20 x-exception-id::$21 x-exception-id::$22 sc-filter-result::$23 sc-filter-result::$24 cs-categories::$25 cs-categories::$26 cs_Referer::$27 cs_Referer::$28 sc_status::$29 sc_status::$30 s-action::$31 s-action::$32 cs-method::$33 cs-method::$34 rs_Content_Type::$35 rs_Content_Type::$36 cs_uri_scheme::$37 cs_uri_scheme::$38 cs_host::$39 cs_host::$40 cs_uri_port::$41 cs_uri_port::$42 cs_uri_path::$43 cs_uri_path::$44 cs_uri_query::$45 cs_uri_query::$46 cs_uri_extension::$47 cs_uri_extension::$48 cs_User_Agent::$49 cs_User_Agent::$50 s_ip::$51 s_ip::$52 sc_bytes::$53 sc_bytes::$54 cs_bytes::$55 cs_bytes::$56 x_virus_id::$57 x_virus_id::$58 x_bluecoat_application_name::$59 x_bluecoat_application_name::$60 x_bluecoat_application_operation::$61 x_bluecoat_application_operation::$62 cs_threat_risk::$63 cs_threat_risk::$64

These seem to work fine from my testing, however in my testing I noticed that the odd event(less than 0.00001%) in my dataset had exceeded the default TRUNCATE limit of 10000 bytes, so i also increased my TRUNCATE value to 20000 for the [bluecoat:proxysg:access:syslog] stanza in props.conf

I hope this helps anyone else that is having challenges with the additional fields being sent by bluecoat 6.6.x devices.

Thanks
Darren

Heff
Splunk Employee
Splunk Employee

PROPS:

[source::....bluecoat]
sourcetype = bluecoat:proxysg:access:file

[bluecoat]
rename=bluecoat:proxysg:access:syslog

[bluecoat:proxysg:access:syslog]
pulldown_type = true
category = Network & Security
description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog
KV_MODE = none
SHOULD_LINEMERGE = false
MAX_DAYS_AGO = 10951
TIME_FORMAT = %F %T
TIME_PREFIX = [A-Z][a-z]{2}\s+\d+\s+\d+:\d+:\d+\s+[a-zA-Z0-9]+\s+

TRANSFORMS-TrashHeaders = TrashHeaders

#REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3
#REPORT-auto_kv_for_bluecoat_v6 = auto_kv_for_bluecoat_v6_5_x
REPORT-auto_kv_for_bluecoat_v6_6 = auto_kv_for_bluecoat_v6_6_x

REPORT-categories = bluecoat_categories
REPORT-bluecoat_header = bluecoat_header

FIELDALIAS-cookie           = cs_Cookie as cookie
FIELDALIAS-duration         = time_taken as duration
FIELDALIAS-src              = c_ip as src
FIELDALIAS-src_port         = c_port as src_port
FIELDALIAS-user             = cs_username as user
FIELDALIAS-http_referrer    = cs_Referer as http_referrer
FIELDALIAS-status           = sc_status as status
FIELDALIAS-action           = s_action as vendor_action
FIELDALIAS-http_method      = cs_method as http_method
FIELDALIAS-content_type     = rs_Content_Type as http_content_type
FIELDALIAS-dest_host        = cs_host as dest_host
FIELDALIAS-dest_port        = s_port as dest_port
FIELDALIAS-user_agent       = cs_User_Agent as http_user_agent
FIELDALIAS-dest_ip          = cs_ip as dest_ip
FIELDALIAS-dvc              = s_ip as dvc
FIELDALIAS-bytes_in         = sc_bytes as bytes_in
FIELDALIAS-bytes_out        = cs_bytes as bytes_out
FIELDALIAS-uri_path         = cs_uri_path as uri_path
FIELDALIAS-uri_query        = cs_uri_query as uri_query
FIELDALIAS-protocol         = cs_protocol as protocol
FIELDALIAS-packets_in       = c_pkts_received as packets_in
FIELDALIAS-session_id       = s_session_id as session_id

EVAL-dest = coalesce(dest_ip, dest_host)
EVAL-bytes = bytes_in + bytes_out
EVAL-url = coalesce(cs_uri, if(isnull(cs_uri_scheme) OR (cs_uri_scheme=="-"), "", cs_uri_scheme+"://") + cs_host + cs_uri_path + if(isnull(cs_uri_query) OR (cs_uri_query == "-"), "", cs_uri_query))
EVAL-product = "ProxySG"
EVAL-vendor = "Blue Coat"
EVAL-vendor_product = "Blue Coat ProxySG"

LOOKUP-vendor_traffic_action = bluecoat_proxy_action_lookup vendor_action OUTPUT action, transport

[bluecoat:proxysg:access:file]
pulldown_type = true
category = Network & Security
description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog
KV_MODE = none
SHOULD_LINEMERGE = false
MAX_DAYS_AGO = 10951

TRANSFORMS-TrashHeaders = TrashHeaders

REPORT-auto_kv_for_bluecoat_v6_6_r2 = auto_kv_for_bluecoat_v6_6_x

###ORIGINAL VALUES COMMENTED OUT
#pulldown_type = true
#category = Network & Security
#description = Data from Blue Coat ProxySG in W3C ELFF format thru file monitoring

#INDEXED_EXTRACTIONS = w3c
#SHOULD_LINEMERGE = false
#MAX_DAYS_AGO = 10951

#TRANSFORMS-TrashHeaders = TrashHeaders

REPORT-categories = bluecoat_categories
REPORT-bluecoat_header = bluecoat_header

FIELDALIAS-cookie           = cs_Cookie as cookie
FIELDALIAS-duration         = time_taken as duration
FIELDALIAS-src              = c_ip as src
FIELDALIAS-src_port         = c_port as src_port
FIELDALIAS-user             = cs_username as user
FIELDALIAS-http_referrer    = cs_Referer as http_referrer
FIELDALIAS-status           = sc_status as status
FIELDALIAS-action           = s_action as vendor_action
FIELDALIAS-http_method      = cs_method as http_method
FIELDALIAS-content_type     = rs_Content_Type as http_content_type
FIELDALIAS-dest_host        = cs_host as dest_host
FIELDALIAS-dest_port        = s_port as dest_port
FIELDALIAS-user_agent       = cs_User_Agent as http_user_agent
FIELDALIAS-dest_ip          = cs_ip as dest_ip
FIELDALIAS-dvc              = s_ip as dvc
FIELDALIAS-bytes_in         = sc_bytes as bytes_in
FIELDALIAS-bytes_out        = cs_bytes as bytes_out
FIELDALIAS-uri_path         = cs_uri_path as uri_path
FIELDALIAS-uri_query        = cs_uri_query as uri_query
FIELDALIAS-protocol         = cs_protocol as protocol
FIELDALIAS-packets_in       = c_pkts_received as packets_in
FIELDALIAS-session_id       = s_session_id as session_id

EVAL-dest = coalesce(dest_ip, dest_host)
EVAL-bytes = bytes_in + bytes_out
EVAL-url = coalesce(cs_uri, if(isnull(cs_uri_scheme) OR (cs_uri_scheme=="-"), "", cs_uri_scheme+"://") + cs_host + cs_uri_path + if(isnull(cs_uri_query) OR (cs_uri_query == "-"), "", cs_uri_query))
EVAL-product = "ProxySG"
EVAL-vendor = "Blue Coat"
EVAL-vendor_product = "Blue Coat ProxySG"

LOOKUP-vendor_traffic_action = bluecoat_proxy_action_lookup vendor_action OUTPUT action, transport

TRANSFORMS:

[bluecoat_proxy_action_lookup]
filename = bluecoat_proxy_actions.csv
case_sensitive_match = false

## Automatic kv


[auto_kv_for_bluecoat_v6_6_x]
REGEX = (?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s*$
FORMAT = date::$1 date::$2 time::$3 time::$4 time_taken::$5 time_taken::$6 c_ip::$7 c_ip::$8 cs_username::$9 cs_username::$10 cs_auth_group::$11 cs_auth_group::$12 s-supplier-name::$13 s-supplier-name::$14 s-supplier-ip::$15 s-supplier-ip::$16 s-supplier-country::$17 s-supplier-country::$18 s-supplier-failures::$19 s-supplier-failures::$20 x_exception_id::$21 x_exception_id::$22 sc_filter_result::$23 sc_filter_result::$24 cs_categories::$25 cs_categories::$26 cs_Referer::$27 cs_Referer::$28 sc_status::$29 sc_status::$30 s_action::$31 s_action::$32 cs_method::$33 cs_method::$34 rs_Content_Type::$35 rs_Content_Type::$36 cs_uri_scheme::$37 cs_uri_scheme::$38 cs_host::$39 cs_host::$40 cs_uri_port::$41 cs_uri_port::$42 cs_uri_path::$43 cs_uri_path::$44 cs_uri_query::$45 cs_uri_query::$46 cs_uri_extension::$47 cs_uri_extension::$48 cs_User_Agent::$49 cs_User_Agent::$50 s_ip::$51 s_ip::$52 sc_bytes::$53 sc_bytes::$54 cs_bytes::$55 cs_bytes::$56 x_virus_id::$57 x_virus_id::$58 x_bluecoat_application_name::$59 x_bluecoat_application_name::$60 x_bluecoat_application_operation::$61 x_bluecoat_application_operation::$62 cs-threat-risk::$63 cs-threat-risk::$64

[bluecoat_categories]
SOURCE_KEY = cs_categories
REGEX = (?[^;]+)
MV_ADD = true

[bluecoat_header]
REGEX = ^(#)
FORMAT = bluecoat_header::$1

[TrashHeaders]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

INPUTS:

sourcetype = bluecoat:proxysg:access:syslog

pjohnson1
Path Finder

Does this work on Splunk 6.3.5?

We had it working on Splunk 6.2.6. After the upgrade to 6.3.5, the field extractions stopped.

0 Karma

mchang_splunk
Splunk Employee
Splunk Employee

For version 6.6.4.2, the format has been changed so you may want to update the transforms as following:

[auto_kv_for_bluecoat_v6_6_4_2]
REGEX=(?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s*(?:"([^"]+)"|(\S+))\s*(?:"([^"]+)"|(\S+))\s*(?:"([^"]+)"|(\S+))\s*$
FORMAT = date::$1 date::$2 time::$3 time::$4 time_taken::$5 time_taken::$6 c_ip::$7 c_ip::$8 cs_username::$9 cs_username::$10 cs_auth_group::$11 cs_auth_group::$12 s_supplier_name::$13 s_supplier_name::$14 s_supplier_ip::$15 s_supplier_ip::$16 s_supplier_country::$17 s_supplier_country::$18 s_supplier_failures::$19 s_supplier_failures::$20 x_exception_id::$21 x_exception_id::$22 sc_filter_result::$23 sc_filter_result::$24 cs_categories::$25 cs_categories::$26 cs_Referer::$27 cs_Referer::$28 sc_status::$29 sc_status::$30 s_action::$31 s_action::$32 cs_method::$33 cs_method::$34 rs_Content_Type::$35 rs_Content_Type::$36 cs_uri_scheme::$37 cs_uri_scheme::$38 cs_host::$39 cs_host::$40 cs_uri_port::$41 cs_uri_port::$42 cs_uri_path::$43 cs_uri_path::$44 cs_uri_query::$45 cs_uri_query::$46 cs_uri_extension::$47 cs_uri_extension::$48 cs_User_Agent::$49 cs_User_Agent::$50 s_ip::$51 s_ip::$52 sc_bytes::$53 sc_bytes::$54 cs_bytes::$55 cs_bytes::$56 x_virus_id::$57 x_virus_id::$58 x_bluecoat_application_name::$59 x_bluecoat_application_name::$60 x_bluecoat_application_operation::$61 x_bluecoat_application_operation::$62 cs-threat-risk::$63 cs-threat-risk::$64 x_bluecoat_transaction_uuid::$65 x_bluecoat_transaction_uuid::$66 x_icap_reqmod_header::$67 x_icap_reqmod_header::$68 x_icap_respmod_header::$69 x_icap_respmod_header::$70

mreynov_splunk
Splunk Employee
Splunk Employee

we are actually working on an upgrade, but feel free to use indexed_extractions instead by setting sourcetype to bluecoat:proxysg:access:file

koshyk
Super Champion

This is the best method as the headers always come and with version upgrades.cheers.

0 Karma

pdoconnell
Path Finder

When this is released, can the documentation please include the specific ELFF string to be used in bluecoat as well.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...