
Why is the Splunk Add-on for Blue Coat ProxySG unable to ingest .gz files and causes our Splunk 6.4 universal forwarder to crash?

jhall0007
Path Finder

It appears the BlueCoat TA is unable to ingest .gz files - even when it is zipped by the Blue Coat proxy itself. Attempting to ingest them actually causes the entire forwarder to crash. I've attempted this on a Linux 6.3 and then a 6.4 universal forwarder (I haven't tried it with a HF).

I've manually run gunzip on some of these files and the TA seems to ingest them without a problem.

In our environment, we bypassed the issue by ingesting the data with a basic app. We intended to use the transforms elsewhere at index/search-time, but found that the initial Blue Coat headers were dropped, causing the TA to lose its ability to dynamically parse the data correctly.

Is anyone else using this TA to ingest .gz files?

Thanks,

0 Karma

mreynov_splunk
Splunk Employee

Sounds like you were using the bluecoat:proxysg:access:file sourcetype to leverage INDEXED_EXTRACTIONS. Is that correct?

If so, you can try to use sourcetype bluecoat:proxysg:access:syslog with the recommended log format configured (default bcereportermain_v1) on the Blue Coat side: http://docs.splunk.com/Documentation/AddOns/latest/BlueCoatProxySG/Sourcetypes

0 Karma
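The question's observation that the file sourcetype stops parsing once the leading Blue Coat header lines are dropped can be checked outside Splunk. The script below is an added example, not code from the thread or from the add-on: it parses a constructed gzipped access log in the W3C ELFF layout ProxySG writes (the field list is an assumed subset of the real main format) using its `#Fields:` directive, and shows the same data lines failing once the directive lines are gone.

```python
import csv
import gzip
import io

# Constructed sample in the W3C ELFF layout Blue Coat ProxySG access logs use;
# the field list is an assumed subset of the real "main" format, kept short.
_LOG = (
    "#Software: SGOS\n"
    "#Version: 1.0\n"
    "#Fields: date time c-ip cs-method cs-host sc-status cs(User-Agent)\n"
    '2016-05-02 10:00:01 10.0.0.5 GET example.com 200 "Mozilla/5.0 (X11)"\n'
    '2016-05-02 10:00:02 10.0.0.6 CONNECT example.org 407 "curl/7.47"\n'
)
SAMPLE_GZ = gzip.compress(_LOG.encode())
# Same data with the directive lines stripped: what is left once the
# header the TA relies on has been dropped, as described in the question.
HEADERLESS_GZ = gzip.compress(
    "".join(l + "\n" for l in _LOG.splitlines() if not l.startswith("#")).encode()
)


def parse_elff_gz(data):
    """Return one dict per event keyed by #Fields names; ValueError if header is missing."""
    fields, events = None, []
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as fh:
        for raw in fh:
            line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
            if not line:
                continue
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
                continue
            if line.startswith("#"):
                continue  # #Software, #Version, #Date, #Remark carry no columns
            if fields is None:
                raise ValueError("data line before #Fields header; column names unknown")
            # ELFF double-quotes values that contain spaces, e.g. cs(User-Agent)
            values = next(csv.reader([line], delimiter=" ", quotechar='"'))
            if len(values) != len(fields):
                raise ValueError("expected %d columns, got %d" % (len(fields), len(values)))
            events.append(dict(zip(fields, values)))
    return events


def parse_outcome(data):
    """Return ("ok", events) or ("error", message) so the failure reason is visible."""
    try:
        return "ok", parse_elff_gz(data)
    except ValueError as exc:
        return "error", str(exc)
```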