
Splunk Add-on for Blue Coat ProxySG: Has anyone gotten the transforms to work properly for Bluecoat 6.6.3.2 log formatting?

Splunk Employee

Has anyone got the transforms for Bluecoat 6.6 working properly?

The Splunk Add-on for Blue Coat ProxySG is looking for 6.5.x, but it seems that the logging has changed in 6.6.

[auto_kv_for_bluecoat_v6_5_x]
REGEX = (?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s*$

FORMAT = date::$1 date::$2 time::$3 time::$4 time_taken::$5 time_taken::$6 c_ip::$7 c_ip::$8 cs_username::$9 cs_username::$10 cs_auth_group::$11 cs_auth_group::$12 x_exception_id::$13 x_exception_id::$14 sc_filter_result::$15 sc_filter_result::$16 cs_categories::$17 cs_categories::$18 cs_Referer::$19 cs_Referer::$20 sc_status::$21 sc_status::$22 s_action::$23 s_action::$24 cs_method::$25 cs_method::$26 rs_Content_Type::$27 rs_Content_Type::$28 cs_uri_scheme::$29 cs_uri_scheme::$30 cs_host::$31 cs_host::$32 cs_uri_port::$33 cs_uri_port::$34 cs_uri_path::$35 cs_uri_path::$36 cs_uri_query::$37 cs_uri_query::$38 cs_uri_extension::$39 cs_uri_extension::$40 cs_User_Agent::$41 cs_User_Agent::$42 s_ip::$43 s_ip::$44 sc_bytes::$45 sc_bytes::$46 cs_bytes::$47 cs_bytes::$48 x_virus_id::$49 x_virus_id::$50 x_bluecoat_application_name::$51 x_bluecoat_application_name::$52 x_bluecoat_application_operation::$53 x_bluecoat_application_operation::$54 

Blue Coat 6.6 DATA:

May 16 19:42:32 bh0prxy99 #Software: SGOS 6.6.3.2
May 16 19:42:32 bh0prxy99 #Version: 1.0
May 16 19:42:32 bh0prxy99 #Start-Date: 2016-05-16 23:08:21
May 16 19:42:32 bh0prxy99 #Date: 2016-04-29 20:08:05
May 16 19:42:32 bh0prxy99 #Fields: date time time-taken c-ip cs-username cs-auth-group s-supplier-name s-supplier-ip s-supplier-country s-supplier-failures x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation cs-threat-risk
May 16 19:42:32 bh0prxy99 #Remark: 2815320295 "bh0prxy99 - Blue Coat ASG-S400 Series" "xx.xx.x.xx" "main"
May 31 16:42:15 bh0prxy99 2016-05-31 20:41:56 31 xx.xx.xxx.xx nfl dom\S_Sysadmin na31.site.com xxx.xxx.xxx.xxx None - - OBSERVED "Business/Economy" -  302 TCP_NC_MISS GET - http na31.site.com 80 /servlet/servlet.ImageServer ?oid=00D37000000KAUl&esid=01837000001JkIC ImageServer "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET CLR 1.1.4322; .NET4.0E; Microsoft Outlook 14.0.7169; ms-office; MSOffice 14)" xxx.xxx.x.xx 203 629 - "none" "none" unavailable
May 31 16:42:15 bh0prxy99 2016-05-31 20:41:56 33 xx.xx.xxx.xx nfl dom\S_Sysadmin na31.site.com xxx.xxx.xxx.xxx None - - OBSERVED "Business/Economy" -  302 TCP_NC_MISS GET - http na31.site.com 80 /servlet/servlet.ImageServer ?oid=00D37000000KAUl&esid=01837000001Jd7X ImageServer "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET CLR 1.1.4322; .NET4.0E; Microsoft Outlook 14.0.7169; ms-office; MSOffice 14)" xxx.xxx.x.xx 203 629 - "none" "none" unavailable

New Member

Has anyone been able to get the above suggestions to work with ProxySG 6.6.5.9? Most of the fields extract correctly, but I have a few anomalies where the cs_host shows up in cs_uri_scheme, and for that record the fields are all off. In most cases the cs_host ends up being 443 when this happens.

Contributor

In addition to the suggestions already made, I also added these two lines to my props.conf. The first line gives you a multivalue field for the categories. The second is a tweak to improve the logic on deciding if something is blocked. I had events where the vendor action was TCP_TUNNELED and the sc_filter_result was DENIED. The current lookup was mapping these events as action=allowed, which was throwing off my reporting.

EVAL-category = split(cs_categories, ";")
EVAL-vendor_action = if(sc_filter_result=="DENIED","DENIED",vendor_action)

Splunk Employee

Hi

I have written these additions for the props and transforms; I have added them to Splunk_TA_bluecoat-proxysg/local/props.conf and Splunk_TA_bluecoat-proxysg/local/transforms.conf.

props.conf

[bluecoat:proxysg:access:syslog]
REPORT-auto_kv_for_bluecoat_v6 = auto_kv_for_bluecoat_v6_5_x,auto_kv_for_bluecoat_v6_6_x

transforms.conf

[auto_kv_for_bluecoat_v6_6_x]
REGEX = (?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))
# Field names use underscores so the add-on's own FIELDALIAS/EVAL settings (s_action, sc_filter_result, cs_categories, ...) find them
FORMAT = date::$1 date::$2 time::$3 time::$4 time_taken::$5 time_taken::$6 c_ip::$7 c_ip::$8 cs_username::$9 cs_username::$10 cs_auth_group::$11 cs_auth_group::$12 s_supplier_name::$13 s_supplier_name::$14 s_supplier_ip::$15 s_supplier_ip::$16 s_supplier_country::$17 s_supplier_country::$18 s_supplier_failures::$19 s_supplier_failures::$20 x_exception_id::$21 x_exception_id::$22 sc_filter_result::$23 sc_filter_result::$24 cs_categories::$25 cs_categories::$26 cs_Referer::$27 cs_Referer::$28 sc_status::$29 sc_status::$30 s_action::$31 s_action::$32 cs_method::$33 cs_method::$34 rs_Content_Type::$35 rs_Content_Type::$36 cs_uri_scheme::$37 cs_uri_scheme::$38 cs_host::$39 cs_host::$40 cs_uri_port::$41 cs_uri_port::$42 cs_uri_path::$43 cs_uri_path::$44 cs_uri_query::$45 cs_uri_query::$46 cs_uri_extension::$47 cs_uri_extension::$48 cs_User_Agent::$49 cs_User_Agent::$50 s_ip::$51 s_ip::$52 sc_bytes::$53 sc_bytes::$54 cs_bytes::$55 cs_bytes::$56 x_virus_id::$57 x_virus_id::$58 x_bluecoat_application_name::$59 x_bluecoat_application_name::$60 x_bluecoat_application_operation::$61 x_bluecoat_application_operation::$62 cs_threat_risk::$63 cs_threat_risk::$64

These seem to work fine from my testing; however, I noticed that the odd event (less than 0.00001%) in my dataset had exceeded the default TRUNCATE limit of 10000 bytes, so I also increased my TRUNCATE value to 20000 for the [bluecoat:proxysg:access:syslog] stanza in props.conf.

I hope this helps anyone else who is having challenges with the additional fields being sent by Bluecoat 6.6.x devices.

Thanks
Darren
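As an added illustration (not code from the thread or from the Splunk add-on), this Python generates the REGEX/FORMAT pair from a #Fields: header the way the 6.6.x transform above and the 6.6.4.2 variant further down were written by hand: one quoted-or-bare capture pair per field, keeping the page's tighter patterns for time, time-taken and c-ip, then runs it over an event in the thread's format. The header is the SGOS 6.6.3.2 one quoted in the question; the event and its addresses are constructed, and elff_to_splunk, header_fields, build_transform and parse_event are names chosen here.

```python
import re

# Constructed sample input: the SGOS 6.6.3.2 "#Fields:" header quoted in the thread.
FIELDS_HEADER = (
    "#Fields: date time time-taken c-ip cs-username cs-auth-group s-supplier-name "
    "s-supplier-ip s-supplier-country s-supplier-failures x-exception-id sc-filter-result "
    "cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme "
    "cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip "
    "sc-bytes cs-bytes x-virus-id x-bluecoat-application-name "
    "x-bluecoat-application-operation cs-threat-risk"
)

# Constructed sample event, syslog prefix included as received; addresses from RFC 5737.
SAMPLE_EVENT = (
    "May 31 16:42:15 bh0prxy99 2016-05-31 20:41:56 31 10.1.2.3 nfl dom\\S_Sysadmin "
    'na31.site.com 192.0.2.10 None - - OBSERVED "Business/Economy" -  302 TCP_NC_MISS GET - '
    "http na31.site.com 80 /servlet/servlet.ImageServer "
    '?oid=00D37000000KAUl&esid=01837000001JkIC ImageServer '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)" '
    '192.0.2.20 203 629 - "none" "none" unavailable'
)

# One ELFF value, quoted (may contain spaces) or bare: two capture groups per field,
# exactly as the add-on's transforms do, which is why FORMAT lists every field twice.
TOKEN = r'(?:"([^"]+)"|(\S+))'
# Tighter patterns for fields 2-4, as on the page: they stop Splunk's unanchored search
# from locking onto the syslog prefix ("May 31 16:42:15 host") as if it were the record.
TYPED = {
    "time": r'(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))',
    "time_taken": r'(?:"(\d+)"|(\d+))',
    "c_ip": r'(?:"(\d{1,3}(?:\.\d{1,3}){3})"|(\d{1,3}(?:\.\d{1,3}){3}))',
}

def elff_to_splunk(name):
    """ELFF header name -> add-on field name: cs(Referer) -> cs_Referer, cs-host -> cs_host."""
    return name.replace("(", "_").replace(")", "").replace("-", "_")

def header_fields(header_line):
    """Field names listed in a '#Fields:' header, in order."""
    return [elff_to_splunk(f) for f in header_line.split(":", 1)[1].split()]

def build_transform(fields):
    """transforms.conf REGEX and FORMAT for this header; groups 2i+1 and 2i+2 are field i."""
    regex = r"\s+".join(TYPED.get(f, TOKEN) for f in fields) + r"\s*$"
    fmt = " ".join(f"{f}::${2 * i + 1} {f}::${2 * i + 2}" for i, f in enumerate(fields))
    return regex, fmt

def parse_event(fields, line):
    """Run the REGEX the way Splunk does (unanchored search); None = field count mismatch."""
    m = re.search(build_transform(fields)[0], line)
    if m is None:
        return None
    g = m.groups()
    return {f: g[2 * i] if g[2 * i] is not None else g[2 * i + 1] for i, f in enumerate(fields)}
```

A None result means the event's field count no longer matches the header, which is the first thing to check after an SGOS upgrade adds fields, before trusting vendor_action or the action lookup.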

Splunk Employee

PROPS:

[source::....bluecoat]
sourcetype = bluecoat:proxysg:access:file

[bluecoat]
rename=bluecoat:proxysg:access:syslog

[bluecoat:proxysg:access:syslog]
pulldown_type = true
category = Network & Security
description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog
KV_MODE = none
SHOULD_LINEMERGE = false
MAX_DAYS_AGO = 10951
TIME_FORMAT = %F %T
TIME_PREFIX = [A-Z][a-z]{2}\s+\d+\s+\d+:\d+:\d+\s+[a-zA-Z0-9]+\s+

TRANSFORMS-TrashHeaders = TrashHeaders

#REPORT-auto_kv_for_bluecoat_v5 = auto_kv_for_bluecoat_v5_3_3
#REPORT-auto_kv_for_bluecoat_v6 = auto_kv_for_bluecoat_v6_5_x
REPORT-auto_kv_for_bluecoat_v6_6 = auto_kv_for_bluecoat_v6_6_x

REPORT-categories = bluecoat_categories
REPORT-bluecoat_header = bluecoat_header

FIELDALIAS-cookie           = cs_Cookie as cookie
FIELDALIAS-duration         = time_taken as duration
FIELDALIAS-src              = c_ip as src
FIELDALIAS-src_port         = c_port as src_port
FIELDALIAS-user             = cs_username as user
FIELDALIAS-http_referrer    = cs_Referer as http_referrer
FIELDALIAS-status           = sc_status as status
FIELDALIAS-action           = s_action as vendor_action
FIELDALIAS-http_method      = cs_method as http_method
FIELDALIAS-content_type     = rs_Content_Type as http_content_type
FIELDALIAS-dest_host        = cs_host as dest_host
FIELDALIAS-dest_port        = s_port as dest_port
FIELDALIAS-user_agent       = cs_User_Agent as http_user_agent
FIELDALIAS-dest_ip          = cs_ip as dest_ip
FIELDALIAS-dvc              = s_ip as dvc
FIELDALIAS-bytes_in         = sc_bytes as bytes_in
FIELDALIAS-bytes_out        = cs_bytes as bytes_out
FIELDALIAS-uri_path         = cs_uri_path as uri_path
FIELDALIAS-uri_query        = cs_uri_query as uri_query
FIELDALIAS-protocol         = cs_protocol as protocol
FIELDALIAS-packets_in       = c_pkts_received as packets_in
FIELDALIAS-session_id       = s_session_id as session_id

EVAL-dest = coalesce(dest_ip, dest_host)
EVAL-bytes = bytes_in + bytes_out
EVAL-url = coalesce(cs_uri, if(isnull(cs_uri_scheme) OR (cs_uri_scheme=="-"), "", cs_uri_scheme+"://") + cs_host + cs_uri_path + if(isnull(cs_uri_query) OR (cs_uri_query == "-"), "", cs_uri_query))
EVAL-product = "ProxySG"
EVAL-vendor = "Blue Coat"
EVAL-vendor_product = "Blue Coat ProxySG"

LOOKUP-vendor_traffic_action = bluecoat_proxy_action_lookup vendor_action OUTPUT action, transport

[bluecoat:proxysg:access:file]
pulldown_type = true
category = Network & Security
description = Data from Blue Coat ProxySG in W3C ELFF format thru syslog
KV_MODE = none
SHOULD_LINEMERGE = false
MAX_DAYS_AGO = 10951

TRANSFORMS-TrashHeaders = TrashHeaders

REPORT-auto_kv_for_bluecoat_v6_6_r2 = auto_kv_for_bluecoat_v6_6_x

###ORIGINAL VALUES COMMENTED OUT
#pulldown_type = true
#category = Network & Security
#description = Data from Blue Coat ProxySG in W3C ELFF format thru file monitoring

#INDEXED_EXTRACTIONS = w3c
#SHOULD_LINEMERGE = false
#MAX_DAYS_AGO = 10951

#TRANSFORMS-TrashHeaders = TrashHeaders

REPORT-categories = bluecoat_categories
REPORT-bluecoat_header = bluecoat_header

FIELDALIAS-cookie           = cs_Cookie as cookie
FIELDALIAS-duration         = time_taken as duration
FIELDALIAS-src              = c_ip as src
FIELDALIAS-src_port         = c_port as src_port
FIELDALIAS-user             = cs_username as user
FIELDALIAS-http_referrer    = cs_Referer as http_referrer
FIELDALIAS-status           = sc_status as status
FIELDALIAS-action           = s_action as vendor_action
FIELDALIAS-http_method      = cs_method as http_method
FIELDALIAS-content_type     = rs_Content_Type as http_content_type
FIELDALIAS-dest_host        = cs_host as dest_host
FIELDALIAS-dest_port        = s_port as dest_port
FIELDALIAS-user_agent       = cs_User_Agent as http_user_agent
FIELDALIAS-dest_ip          = cs_ip as dest_ip
FIELDALIAS-dvc              = s_ip as dvc
FIELDALIAS-bytes_in         = sc_bytes as bytes_in
FIELDALIAS-bytes_out        = cs_bytes as bytes_out
FIELDALIAS-uri_path         = cs_uri_path as uri_path
FIELDALIAS-uri_query        = cs_uri_query as uri_query
FIELDALIAS-protocol         = cs_protocol as protocol
FIELDALIAS-packets_in       = c_pkts_received as packets_in
FIELDALIAS-session_id       = s_session_id as session_id

EVAL-dest = coalesce(dest_ip, dest_host)
EVAL-bytes = bytes_in + bytes_out
EVAL-url = coalesce(cs_uri, if(isnull(cs_uri_scheme) OR (cs_uri_scheme=="-"), "", cs_uri_scheme+"://") + cs_host + cs_uri_path + if(isnull(cs_uri_query) OR (cs_uri_query == "-"), "", cs_uri_query))
EVAL-product = "ProxySG"
EVAL-vendor = "Blue Coat"
EVAL-vendor_product = "Blue Coat ProxySG"

LOOKUP-vendor_traffic_action = bluecoat_proxy_action_lookup vendor_action OUTPUT action, transport

TRANSFORMS:

[bluecoat_proxy_action_lookup]
filename = bluecoat_proxy_actions.csv
case_sensitive_match = false

## Automatic kv


[auto_kv_for_bluecoat_v6_6_x]
REGEX = (?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s*$
FORMAT = date::$1 date::$2 time::$3 time::$4 time_taken::$5 time_taken::$6 c_ip::$7 c_ip::$8 cs_username::$9 cs_username::$10 cs_auth_group::$11 cs_auth_group::$12 s_supplier_name::$13 s_supplier_name::$14 s_supplier_ip::$15 s_supplier_ip::$16 s_supplier_country::$17 s_supplier_country::$18 s_supplier_failures::$19 s_supplier_failures::$20 x_exception_id::$21 x_exception_id::$22 sc_filter_result::$23 sc_filter_result::$24 cs_categories::$25 cs_categories::$26 cs_Referer::$27 cs_Referer::$28 sc_status::$29 sc_status::$30 s_action::$31 s_action::$32 cs_method::$33 cs_method::$34 rs_Content_Type::$35 rs_Content_Type::$36 cs_uri_scheme::$37 cs_uri_scheme::$38 cs_host::$39 cs_host::$40 cs_uri_port::$41 cs_uri_port::$42 cs_uri_path::$43 cs_uri_path::$44 cs_uri_query::$45 cs_uri_query::$46 cs_uri_extension::$47 cs_uri_extension::$48 cs_User_Agent::$49 cs_User_Agent::$50 s_ip::$51 s_ip::$52 sc_bytes::$53 sc_bytes::$54 cs_bytes::$55 cs_bytes::$56 x_virus_id::$57 x_virus_id::$58 x_bluecoat_application_name::$59 x_bluecoat_application_name::$60 x_bluecoat_application_operation::$61 x_bluecoat_application_operation::$62 cs_threat_risk::$63 cs_threat_risk::$64

[bluecoat_categories]
SOURCE_KEY = cs_categories
REGEX = (?<category>[^;]+)
MV_ADD = true

[bluecoat_header]
REGEX = ^(#)
FORMAT = bluecoat_header::$1

[TrashHeaders]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

INPUTS:

sourcetype = bluecoat:proxysg:access:syslog

Path Finder

Does this work on Splunk 6.3.5?

We had it working on Splunk 6.2.6. After the upgrade to 6.3.5, the field extractions stopped.

Splunk Employee

For version 6.6.4.2 the format has changed, so you may want to update the transforms as follows:

[auto_kv_for_bluecoat_v6_6_4_2]
REGEX=(?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s*(?:"([^"]+)"|(\S+))\s*(?:"([^"]+)"|(\S+))\s*(?:"([^"]+)"|(\S+))\s*$
FORMAT = date::$1 date::$2 time::$3 time::$4 time_taken::$5 time_taken::$6 c_ip::$7 c_ip::$8 cs_username::$9 cs_username::$10 cs_auth_group::$11 cs_auth_group::$12 s_supplier_name::$13 s_supplier_name::$14 s_supplier_ip::$15 s_supplier_ip::$16 s_supplier_country::$17 s_supplier_country::$18 s_supplier_failures::$19 s_supplier_failures::$20 x_exception_id::$21 x_exception_id::$22 sc_filter_result::$23 sc_filter_result::$24 cs_categories::$25 cs_categories::$26 cs_Referer::$27 cs_Referer::$28 sc_status::$29 sc_status::$30 s_action::$31 s_action::$32 cs_method::$33 cs_method::$34 rs_Content_Type::$35 rs_Content_Type::$36 cs_uri_scheme::$37 cs_uri_scheme::$38 cs_host::$39 cs_host::$40 cs_uri_port::$41 cs_uri_port::$42 cs_uri_path::$43 cs_uri_path::$44 cs_uri_query::$45 cs_uri_query::$46 cs_uri_extension::$47 cs_uri_extension::$48 cs_User_Agent::$49 cs_User_Agent::$50 s_ip::$51 s_ip::$52 sc_bytes::$53 sc_bytes::$54 cs_bytes::$55 cs_bytes::$56 x_virus_id::$57 x_virus_id::$58 x_bluecoat_application_name::$59 x_bluecoat_application_name::$60 x_bluecoat_application_operation::$61 x_bluecoat_application_operation::$62 cs_threat_risk::$63 cs_threat_risk::$64 x_bluecoat_transaction_uuid::$65 x_bluecoat_transaction_uuid::$66 x_icap_reqmod_header::$67 x_icap_reqmod_header::$68 x_icap_respmod_header::$69 x_icap_respmod_header::$70

Splunk Employee

We are actually working on an upgrade, but feel free to use indexed_extractions instead by setting the sourcetype to bluecoat:proxysg:access:file.

Super Champion

This is the best method, as the headers always come along with version upgrades. Cheers.

Path Finder

When this is released, can the documentation please include the specific ELFF string to be used in Bluecoat as well?
