Splunk Enterprise Security

BlueCoat ThreatPulse -- Does anyone have experience logging data from ThreatPulse?

Engager

Greetings -
I'm using BlueCoat ThreatPulse as a web filter ('cloud' based). The only method to pull their logs is via API. However, there isn't an app for ThreatPulse (and the ProxySG uses syslog). I've tinkered with the RESTapi app but haven't had any luck bringing in data. Is there anyone here who has used the RESTapi with ThreatPulse or has any other suggestions on getting this data into Splunk?

Thanks,
Jason

0 Karma

Explorer

There is actually a TA and app that are available from Symantec now. I'm guessing they didn't exist at the time. Currently I'm having issues with it. It seems the API is not working. Is anyone having similar issues? It has worked fine for months but now when I run the input scripts I don't get anything back.

0 Karma

Engager

There is a fairly straightforward way to accomplish this--download the Blue Coat Reporter app, install it on a server, and have it download the WSS/ThreatPulse logs automatically. Those logs come down in gzip format, but can be indexed easily by Splunk--the format is similar to the standard ProxySG log formats.

Here's an article from Symantec on setting up the connection between Reporter and ThreatPulse: https://support.symantec.com/en_US/article.TECH241105.html

Engager

Thanks Brian, I appreciate the reply.

While I couldn't find any solid answer at the time, I decided to go the manual route. I wrote a Python script to download the log files on the hour and then place them in a directory that Splunk monitors.

0 Karma
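One way to implement the hourly download-and-drop approach described in the last post, as an added example that is not the poster's script: it verifies that each gzip download is complete and publishes it atomically so Splunk never indexes a partial file. The `fetch` callable (standing in for the ThreatPulse API call, which this page does not show), the file-name scheme and the staging/monitor directory layout are all assumptions.

```python
import gzip
import os
import tempfile
import zlib
from datetime import datetime, timezone

def hourly_name(ts):
    # File naming scheme is an assumption made for this example.
    return ts.strftime("threatpulse_%Y%m%d_%H00.log.gz")

def is_complete_gzip(path):
    """True only if the whole stream decompresses; catches truncated downloads."""
    try:
        with gzip.open(path, "rb") as fh:
            while fh.read(1 << 20):
                pass
        return True
    except (OSError, EOFError, zlib.error):
        return False

def deliver(fetch, ts, staging_dir, monitor_dir):
    """Download one hour of logs and publish it into the Splunk-monitored directory.

    fetch(ts) -> bytes is a hypothetical callable wrapping the vendor log API.
    Returns the final path, or None if already present or the download is corrupt.
    """
    final = os.path.join(monitor_dir, hourly_name(ts))
    if os.path.exists(final):
        return None             # this hour was already delivered
    # Stage outside the monitored directory so Splunk never reads a partial file.
    fd, tmp = tempfile.mkstemp(suffix=".part", dir=staging_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(fetch(ts))
        if not is_complete_gzip(tmp):
            return None         # rejected; the next scheduled run retries it
        os.chmod(tmp, 0o640)    # mkstemp creates 0600; let Splunk's group read it
        os.replace(tmp, final)  # atomic when both directories share a filesystem
        return final
    finally:
        if os.path.exists(tmp):
            os.remove(tmp)

if __name__ == "__main__":
    sample = gzip.compress(b"constructed sample log line\n")  # constructed input
    with tempfile.TemporaryDirectory() as stage, tempfile.TemporaryDirectory() as mon:
        now = datetime(2024, 1, 1, 13, 5, tzinfo=timezone.utc)
        print(deliver(lambda ts: sample, now, stage, mon))
```

Run it from cron or a scheduled task once per hour, with the staging directory on the same filesystem as the monitored one so the final rename stays atomic.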