Security

Best way to collect logs from Checkpoint and Blue Coat Proxies?

daniel_augustyn
Contributor

What is the best way to collect logs from the devices that I can't install Universal Forwarders on? Should I use the available apps like the ones for Checkpoint and Blue Coat? Would I even need these apps? Or should I just import the logs directly to a heavy forwarder?

These are the questions I have:

Do I need an app for a specific device if UF is not available to be installed on that device?
Do I need to install heavy forwarders for these types of logs?

0 Karma
1 Solution

ryanlait
Explorer

I cannot speak for checkpoint, but forwarding BlueCoat logs via syslog to our heavy forwarder has been simple and effective for me.

Configure a UDP listener on a heavy forwarder and configure your bluecoat/s to forward logs to your heavy forwarder IP:port via syslog.

We've written a few custom search queries and dashboards but the BlueCoat app is a good starting point.

View solution in original post

0 Karma

mreynov_splunk
Splunk Employee
Splunk Employee

The best practice for cases like this is setting up syslog aggregation like syslog-ng, forward your logs to that and install the UF on the syslog-ng server.

0 Karma

ryanlait
Explorer

I cannot speak for checkpoint, but forwarding BlueCoat logs via syslog to our heavy forwarder has been simple and effective for me.

Configure a UDP listener on a heavy forwarder and configure your bluecoat/s to forward logs to your heavy forwarder IP:port via syslog.

We've written a few custom search queries and dashboards but the BlueCoat app is a good starting point.

View solution in original post

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!