
Why is the Splunk Add-on for Blue Coat ProxySG unable to ingest .gz files and causes our Splunk 6.4 universal forwarder to crash?

jhall0007
Path Finder

It appears the BlueCoat TA is unable to ingest .gz files - even when it is zipped by the Blue Coat proxy itself. Attempting to ingest them actually causes the entire forwarder to crash. I've attempted this on a Linux 6.3 and then a 6.4 universal forwarder (I haven't tried it with an HF).

I've manually run gunzip on some of these files and the TA seems to ingest them without a problem.

In our environment, we bypassed the issue by ingesting the data with a basic app. We intended to use the transforms elsewhere at index/search-time, but found that the initial Blue Coat headers were dropped, causing the TA to lose its ability to dynamically parse the data correctly.

Is anyone else using this TA to ingest .gz files?

Thanks,

0 Karma
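The header dependency the question describes can be seen with a small header-driven parser. The following is an added example, not code from the Splunk add-on or from the poster: it reads a ProxySG access log in W3C ELFF style from either a plain or a gzip-compressed file (sniffing the gzip magic bytes rather than trusting the extension), takes the column names from the `#Fields:` directive instead of hard-coding them, and reports when that directive is missing, which is exactly the case where dynamic parsing stops working. The sample log is constructed; its field list is an assumption modelled on the bcreportermain_v1 layout, and the values are made up.

```python
"""Header-driven parser for Blue Coat ProxySG access logs (ELFF style).

Added example, not the Splunk add-on's code. The field list below is an
assumption modelled on the bcreportermain_v1 format; all values are made up.
"""
import gzip
import os
import shlex
import tempfile
from typing import Dict, List, NamedTuple

# Constructed sample: ELFF directive lines followed by two access records.
SAMPLE_LOG = """#Software: SGOS 6.5.0.1
#Version: 1.0
#Date: 2016-05-04 10:00:00
#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id
2016-05-04 10:00:01 120 10.1.2.3 jdoe - - OBSERVED "Search Engines/Portals" - 200 TCP_NC_MISS GET text/html http www.example.com 80 /index.html - html "Mozilla/5.0" 10.0.0.5 4521 612 -
2016-05-04 10:00:02 45 10.1.2.4 - - policy_denied DENIED "Malicious Sources/Malnets" - 403 TCP_DENIED GET text/html http bad.example.net 80 /payload.exe - exe "curl/7.47.0" 10.0.0.5 0 380 -
"""


class ParseResult(NamedTuple):
    fields: List[str]              # column names taken from "#Fields:"
    records: List[Dict[str, str]]  # one dict per parsed data line
    header_present: bool           # False when no "#Fields:" line was seen
    skipped: int                   # data lines that could not be mapped


def open_log_text(path: str):
    """Open a plain or gzip-compressed log as text, sniffing the gzip magic."""
    with open(path, "rb") as fh:
        magic = fh.read(2)
    if magic == b"\x1f\x8b":
        return gzip.open(path, "rt", encoding="utf-8", errors="replace")
    return open(path, "r", encoding="utf-8", errors="replace")


def parse_lines(lines) -> ParseResult:
    """Map each data line onto the column names announced by "#Fields:"."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    skipped = 0
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            # ELFF directive; only "#Fields:" affects parsing.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            # Data before any header: the columns cannot be named, so skip.
            skipped += 1
            continue
        values = shlex.split(line)  # honours the double-quoted fields
        if len(values) != len(fields):
            skipped += 1
            continue
        records.append(dict(zip(fields, values)))
    return ParseResult(fields, records, bool(fields), skipped)


def parse_file(path: str) -> ParseResult:
    with open_log_text(path) as fh:
        return parse_lines(fh)


def write_sample(directory: str, compressed: bool, keep_header: bool = True) -> str:
    """Write the constructed sample, optionally gzipped and/or without its
    "#..." header lines, and return the path."""
    text = SAMPLE_LOG if keep_header else "\n".join(
        l for l in SAMPLE_LOG.splitlines() if not l.startswith("#")) + "\n"
    path = os.path.join(directory, "access.log.gz" if compressed else "access.log")
    if compressed:
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            fh.write(text)
    else:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return path


def run_demo() -> Dict[str, ParseResult]:
    """Parse the sample as plain text, as .gz, and as .gz with the header
    stripped (the failure mode from the thread); return all three results."""
    out: Dict[str, ParseResult] = {}
    with tempfile.TemporaryDirectory() as d:
        out["plain"] = parse_file(write_sample(d, compressed=False))
        out["gz"] = parse_file(write_sample(d, compressed=True))
        out["no_header"] = parse_file(write_sample(d, compressed=True, keep_header=False))
    return out


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name}: header={r.header_present} fields={len(r.fields)} "
              f"records={len(r.records)} skipped={r.skipped}")
        for rec in r.records:
            print(f"  {rec['c-ip']} {rec['sc-filter-result']} {rec['cs-host']}{rec['cs-uri-path']}")
```

The plain and gzipped copies parse identically, while the copy with the directives stripped yields no records at all: without `#Fields:` there is nothing to name the columns, which is why losing the leading header lines breaks field extraction regardless of how the file was compressed. Before blaming a forwarder, it is also worth confirming the archives themselves are intact with `gzip -t`.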

mreynov_splunk
Splunk Employee

Sounds like you were using the bluecoat:proxysg:access:file sourcetype to leverage INDEXED_EXTRACTIONS. Is that correct?

If so, you can try to use the sourcetype bluecoat:proxysg:access:syslog with the recommended log format configured (default bcereportermain_v1) on the Blue Coat side: http://docs.splunk.com/Documentation/AddOns/latest/BlueCoatProxySG/Sourcetypes

0 Karma