Based on Sourcetypes for the Splunk Add-on for Symantec Blue Coat ProxySG, bluecoat:proxysg:access:file is CIM compliant with the Network Traffic and the Web ones. However, with the automatic tagging of the TA, our bluecoat index is tagged only as Web. Why is that?
Hi,
What sourcetypes are available in your Bluecoat index? If you try the search index=YOUR_BLUECOAT_INDEX sourcetype=bluecoat:proxysg:access:file, does it return any events? If yes, are those events tagged with the network and communicate tags?
@harsmarvania57 index=YOUR_BLUECOAT_INDEX sourcetype=bluecoat:proxysg:access:file returns events and the tags are: web, proxy, error, unix and os.
While looking at the Bluecoat add-on, it looks like it is not mapping the network and communicate tags to any of the Bluecoat data, which means you can't map data to the Network Traffic datamodel using this add-on.
eventtypes.conf
[bluecoat_proxy_access_file]
search = sourcetype=bluecoat:proxysg:access:file NOT bluecoat_header="#"
#tags = web proxy
tags.conf
[eventtype=bluecoat_proxy_access_file]
web = enabled
proxy = enabled
Please submit docs feedback on the page https://docs.splunk.com/Documentation/AddOns/released/BlueCoatProxySG/Sourcetypes. At the bottom of the page you can see "Was this topic useful?"; please submit feedback there so it goes directly to the docs team.
@harsmarvania57 - many thanks!!! Please convert to an answer.
Just checked mine.
eventtypes.conf
[bluecoat_proxy]
search = sourcetype=bluecoat:proxysg:access* NOT bluecoat_header="#"
#tags = web proxy
[bluecoat_traffic_monitor]
search = sourcetype = bluecoat:proxysg:access* (s_session_id="*" AND NOT s_session_id = "-") NOT bluecoat_header="#"
# tags = network communicate
tags.conf
[eventtype=bluecoat_proxy]
web = enabled
proxy = enabled
[eventtype=bluecoat_traffic_monitor]
network = enabled
communicate = enabled
It looks like a version issue...
Yes, I can see the config which you have provided in version 3.5.0, but in 3.6.0 I can't see any mapping with the Network_Traffic datamodel.
Got it, we are on 3.5.0.
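One way to restore the Network Traffic mapping on an add-on version that ships only the web/proxy eventtype, written as an added example and not taken from the thread or from the add-on itself: put the 3.5.0-style stanzas quoted above into the add-on's local/ directory so an upgrade does not overwrite them, then confirm the tags and data model population with the searches in the comments. It assumes the add-on directory is named Splunk_TA_bluecoat-proxysg; adjust the path if your installation differs.

```conf
# $SPLUNK_HOME/etc/apps/Splunk_TA_bluecoat-proxysg/local/eventtypes.conf
# (directory name is an assumption; check the installed add-on)
# Only events with a real s_session_id are treated as network sessions;
# proxy header lines (bluecoat_header="#") are excluded as in the default stanza.
[bluecoat_traffic_monitor]
search = sourcetype=bluecoat:proxysg:access* (s_session_id="*" AND NOT s_session_id="-") NOT bluecoat_header="#"

# $SPLUNK_HOME/etc/apps/Splunk_TA_bluecoat-proxysg/local/tags.conf
# network + communicate are the tags the Network_Traffic data model's
# base constraint (tag=network tag=communicate) requires.
[eventtype=bluecoat_traffic_monitor]
network = enabled
communicate = enabled

# Verification searches, run after reloading the configuration:
# 1. Do the events now carry the new eventtype and both tags?
#    index=YOUR_BLUECOAT_INDEX sourcetype=bluecoat:proxysg:access:file
#    | stats count by eventtype tag
# 2. Does the Network_Traffic data model pick them up?
#    | tstats count from datamodel=Network_Traffic
#      where sourcetype=bluecoat:proxysg:access:file by sourcetype
```

If the second search returns zero while the first shows both tags, check that the data model's acceleration or search-time field extractions (src, dest, bytes) resolve for this sourcetype, since the tags alone are not enough for the data model to populate.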