Hi team ,
We have splunk blueocoat installed , the logs are fetching but we are not getting logs like ,
url
port
protocol
destination ip
user agent string
sourceip
we have installed this Add-on .
Splunk Add-on for Blue Coat ProxySG.
Below is the regex we have in /opt/splunk/etc/apps/ta-bluecoat/default/transforms.conf
[bluecoat_proxy_action_lookup]
filename = bluecoat_proxy_actions.csv
case_sensitive_match = false
Automatic kv
[auto_kv_for_bluecoat_v5_3_3]
REGEX = (?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d+)"|(\d+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s*$
FORMAT = date::$1 date::$2 time::$3 time::$4 c_ip::$5 c_ip::$6 sc_bytes::$7 sc_bytes::$8 time_taken::$9 time_taken::$10 s_action::$11 s_action::$12 sc_status::$13 sc_status::$14 rs_status::$15 rs_status::$16 rs_bytes::$17 rs_bytes::$18 cs_bytes::$19 cs_bytes::$20 cs_auth_type::$21 cs_auth_type::$22 cs_username::$23 cs_username::$24 sc_filter_result::$25 sc_filter_result::$26 cs_method::$27 cs_method::$28 cs_host::$29 cs_host::$30 cs_version::$31 cs_version::$32 sr_bytes::$33 sr_bytes::$34 cs_uri::$35 cs_uri::$36 cs_Referer::$37 cs_Referer::$38 rs_Content_Type::$39 rs_Content_Type::$40 cs_User_Agent::$41 cs_User_Agent::$42 cs_Cookie::$43 cs_Cookie::$44
[auto_kv_for_bluecoat_v6_5_x]
REGEX = (?:"([^"]+)"|(\S+))\s+(?:"(\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"(\d+)"|(\d+))\s+(?:"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s*$
FORMAT = date::$1 date::$2 time::$3 time::$4 time_taken::$5 time_taken::$6 c_ip::$7 c_ip::$8 cs_username::$9 cs_username::$10 cs_auth_group::$11 cs_auth_group::$12 x_exception_id::$13 x_exception_id::$14 sc_filter_result::$15 sc_filter_result::$16 cs_categories::$17 cs_categories::$18 cs_Referer::$19 cs_Referer::$20 sc_status::$21 sc_status::$22 s_action::$23 s_action::$24 cs_method::$25 cs_method::$26 rs_Content_Type::$27 rs_Content_Type::$28 cs_uri_scheme::$29 cs_uri_scheme::$30 cs_host::$31 cs_host::$32 cs_uri_port::$33 cs_uri_port::$34 cs_uri_path::$35 cs_uri_path::$36 cs_uri_query::$37 cs_uri_query::$38 cs_uri_extension::$39 cs_uri_extension::$40 cs_User_Agent::$41 cs_User_Agent::$42 s_ip::$43 s_ip::$44 sc_bytes::$45 sc_bytes::$46 cs_bytes::$47 cs_bytes::$48 x_virus_id::$49 x_virus_id::$50 x_bluecoat_application_name::$51 x_bluecoat_application_name::$52 x_bluecoat_application_operation::$53 x_bluecoat_application_operation::$54
[bluecoat_categories]
SOURCE_KEY = cs_categories
REGEX = (?[^;]+)
MV_ADD = true
[bluecoat_header]
REGEX = ^(#)
FORMAT = bluecoat_header::$1
[TrashHeaders]
REGEX = ^#
DEST_KEY = queue
I had compared with the app in splunk base https://splunkbase.splunk.com/app/2758/#/details , but still, we aren't getting logs. Is there any customization that needs to be done? if so help us where I need to make the changes.
... View more