
Bluecoat logs need deciphering.

e82than
Communicator

2012-01-31 "[31/Jan/2012:17:32:45 +0800]" 960 xx.xx.xxx.xxx 200 TCP_MISS 14751 466 GET http a3.sphotos.ak.fbcdn.net 80 /hphotos-ak-snc7/s320x320/409184_350399211645343_100000258xxxxxx_1347828_1830594287_n.jpg - Userid OCOME\Domain%20admin DIRECT a3.sphotos.ak.fbcdn.net image/jpeg "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)" OBSERVED "Social Networking" - 10.21.21.118 SG-HTTP-Service

Hi folks, I'm not sure if anyone else has this problem. I cannot make out what this line is trying to tell me. All I know is that this is a log from a Bluecoat ProxySG device. I cannot fathom how the guys here developed for Bluecoat. It's cryptic and there aren't a lot of resources on how it works.

I would be glad if anyone can send me a copy of bluecoat's configuration and management guide for SGOS 5.5x.

Also, can anyone tell me if the Bluecoat app works at all? All I can see is the app's panel showing "no results found ... Inspect." I put my logs in index main and also tried to put them elsewhere, by creating one just for Bluecoat, but I still cannot make it work.

0 Karma

williamche
Path Finder

It doesn't really matter which index you put the Bluecoat logs in. It's the sourcetype that is important. Is the sourcetype for your Bluecoat logs set to bcoat_proxysg? If not, that might be why the field extraction is not working.

0 Karma
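To make the log line quoted in the question concrete, here is an added example (not code from the Splunk Bluecoat app or from Blue Coat) that tokenizes a ProxySG ELFF access-log line, respecting the double-quoted fields, and maps each position to a field name. A ProxySG access log states its configured field order in a `#Fields:` header at the top of the file, and `fields_from_header` is the right way to get the names; the `ASSUMED_FIELDS` list is only my guess for the question's custom 25-field line (the default bcreportermain_v1 order with a quoted timestamp in place of `time` and a trailing `s-sitename`), and `x-timestamp`, `timestamp` and `url` are names this example invents. The field-count check is the practical point: a fixed-position extraction written for one format, fed a line with a different number of fields, produces empty or shifted fields rather than an error.

```python
"""Tokenize a Blue Coat ProxySG (ELFF) access-log line and name its fields.

Added example for this thread; not code from the Splunk Bluecoat app or from
Blue Coat. ASSUMED_FIELDS is a guess at the question's custom 25-field format;
a real log states its own order in a '#Fields:' header, so prefer that.
"""
import json
import re
from datetime import datetime
from urllib.parse import unquote

# A field is either a double-quoted string (may contain spaces, e.g. the
# User-Agent and category fields) or a run of non-space characters.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')

# ProxySG default "main" log field order (bcreportermain_v1), 24 fields,
# written from memory; verify against your appliance's '#Fields:' header.
BCREPORTERMAIN_V1 = (
    "date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method "
    "cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username "
    "cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(User-Agent) "
    "sc-filter-result cs-categories x-virus-id s-ip"
).split()

# ASSUMPTION: the thread's line has 25 fields; treat it as the default order
# with the quoted "[31/Jan/2012:...]" timestamp (called x-timestamp here) in
# place of 'time' and a trailing s-sitename. Real positions may differ.
ASSUMED_FIELDS = (
    BCREPORTERMAIN_V1[:1] + ["x-timestamp"] + BCREPORTERMAIN_V1[2:] + ["s-sitename"]
)

# The line quoted in the question (IP masking left exactly as posted).
SAMPLE_LINE = (
    r'2012-01-31 "[31/Jan/2012:17:32:45 +0800]" 960 xx.xx.xxx.xxx 200 TCP_MISS '
    r'14751 466 GET http a3.sphotos.ak.fbcdn.net 80 '
    r'/hphotos-ak-snc7/s320x320/409184_350399211645343_100000258xxxxxx_1347828_1830594287_n.jpg '
    r'- Userid OCOME\Domain%20admin DIRECT a3.sphotos.ak.fbcdn.net image/jpeg '
    r'"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; '
    r'.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)" '
    r'OBSERVED "Social Networking" - 10.21.21.118 SG-HTTP-Service'
)


def tokenize(line):
    """Split one log line into field values, stripping the surrounding quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(line)]


def fields_from_header(header_line):
    """Return the field-name list from an ELFF '#Fields:' header line."""
    if not header_line.startswith("#Fields:"):
        raise ValueError("not a #Fields: header")
    return header_line[len("#Fields:"):].split()


def matches_format(line, fields):
    """True if the line has exactly as many fields as the format names."""
    return len(tokenize(line)) == len(fields)


def parse_line(line, fields=ASSUMED_FIELDS):
    """Map a line onto field names; refuse to guess when the counts disagree."""
    tokens = tokenize(line)
    if len(tokens) != len(fields):
        raise ValueError(f"format has {len(fields)} fields, line has {len(tokens)}")
    rec = dict(zip(fields, tokens))
    # Numeric fields; '-' means not available.
    for k in ("time-taken", "sc-status", "sc-bytes", "cs-bytes", "cs-uri-port"):
        if k in rec:
            rec[k] = None if rec[k] == "-" else int(rec[k])
    # The sample shows percent-encoded spaces in the name fields; decode them.
    for k in ("cs-username", "cs-auth-group"):
        if k in rec:
            rec[k] = unquote(rec[k])
    # Derived keys (these names are this example's own, not ProxySG field names).
    if rec.get("x-timestamp", "").startswith("["):
        rec["timestamp"] = datetime.strptime(rec["x-timestamp"].strip("[]"),
                                             "%d/%b/%Y:%H:%M:%S %z")
    if all(k in rec for k in ("cs-uri-scheme", "cs-host", "cs-uri-port", "cs-uri-path")):
        port = rec["cs-uri-port"]
        url = f"{rec['cs-uri-scheme']}://{rec['cs-host']}"
        url += f":{port}" if port is not None else ""
        url += rec["cs-uri-path"]
        if rec.get("cs-uri-query", "-") != "-":
            url += "?" + rec["cs-uri-query"]
        rec["url"] = url
    return rec


if __name__ == "__main__":
    print(json.dumps(parse_line(SAMPLE_LINE), indent=2, default=str))
```

Run it against the stock 24-field list instead (`parse_line(SAMPLE_LINE, BCREPORTERMAIN_V1)`) and it raises rather than silently shifting every field after the timestamp by one, which is the behaviour you want from an extraction before you trust a dashboard built on it.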

williamche
Path Finder

Ah! I think you're experiencing the same feelings I had when I first installed the Bluecoat app. The dashboard was always blank.

I ended up creating my own dashboard and reports for bluecoat. I still have that app installed, but only to reference some of its searches and field extraction information.

If you hover your mouse over one of the dashboard blocks, it will reveal a link that says "inspect..". Clicking on it will reveal the actual query used in that block. This is where you can take that query and either tweak or fix it for your own purpose.

Hope that helps.

0 Karma

e82than
Communicator

I swear to God I did set the sourcetype on both instances to [bcoat_proxysg].

The fields come out, but it does not show the dashboard; it says what I described in the last paragraph.

0 Karma