Yeah, I found the TA and associated regex overly complicated. Plus BC added a few fields in the main log in v6.7. I ended up re-writing the regex and it works fine for us. It is based on the default 'main' log. We did end up creating an explicit log format on the proxy and just copied the main format to it. This ensures that the log format won't change after upgrades.

[auto_kv_for_bluecoat_v6_7_x]
Regex = ^(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\".*?\"|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\".*?\"|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\".*?\"|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\".*?\"|\-)\s+(\".*?\"|\-)\s+(\".*?\"|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)\s+(\S+|\-)$
Format = date::$1 time::$2 time_taken::$3 c_ip::$4 cs_username::$5 cs_auth_group::$6 s_supplier_name::$7 s_supplier_ip::$8 s_supplier_country::$9 s_supplier_failures::$10 x_exception_id::$11 sc_filter_result::$12 cs_categories::$13 cs_Referer::$14 sc_status::$15 s_action::$16 cs_method::$17 rs_Content_Type::$18 cs_uri_scheme::$19 cs_host::$20 cs_uri_port::$21 cs_uri_path::$22 cs_uri_query::$23 cs_uri_extension::$24 cs_User_Agent::$25 s_ip::$26 sc_bytes::$27 cs_bytes::$28 x_virus_id::$29 x_bluecoat_application_name::$30 x_bluecoat_application_operation::$31 x_bluecoat_application_groups::$32 cs_threat_risk::$33 x_bluecoat_transaction_uuid::$34 x_icap_reqmod_header::$35 x_icap_respmod_header::$36
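An offline check of the stanza above, as an added example that is not part of the original post: it rebuilds the same 36-group pattern from the Format field list and runs it over a constructed log line, plus a copy with the last column dropped, to show that a changed log format stops extraction entirely rather than shifting fields. The sample line, `extract` and the other names are assumptions for illustration, and the pattern is run with Python's `re` rather than Splunk's own regex engine.

```python
import re

# Field order copied from the Format line of the stanza in the post.
FIELDS = (
    "date time time_taken c_ip cs_username cs_auth_group s_supplier_name "
    "s_supplier_ip s_supplier_country s_supplier_failures x_exception_id "
    "sc_filter_result cs_categories cs_Referer sc_status s_action cs_method "
    "rs_Content_Type cs_uri_scheme cs_host cs_uri_port cs_uri_path "
    "cs_uri_query cs_uri_extension cs_User_Agent s_ip sc_bytes cs_bytes "
    "x_virus_id x_bluecoat_application_name x_bluecoat_application_operation "
    "x_bluecoat_application_groups cs_threat_risk x_bluecoat_transaction_uuid "
    "x_icap_reqmod_header x_icap_respmod_header"
).split()

# Fields for which the posted regex uses the quoted-string group.
QUOTED = {"s_supplier_country", "cs_categories", "cs_User_Agent",
          "x_bluecoat_application_name", "x_bluecoat_application_operation",
          "x_bluecoat_application_groups"}

# Rebuild the posted pattern: one group per field, \s+ between, anchored.
PATTERN = re.compile("^" + r"\s+".join(
    r'(\".*?\"|\-)' if f in QUOTED else r"(\S+|\-)" for f in FIELDS) + "$")

def extract(line):
    """Return {field: value} for a matching line, or None on format drift."""
    m = PATTERN.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

# Constructed sample line (not real traffic), 36 fields in main-format order.
SAMPLE = ('2024-01-15 10:22:31 45 10.0.0.5 jdoe - www.example.test 192.0.2.10 '
          '"United States" - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS '
          'GET text/html https www.example.test 443 /index.html - html '
          '"Mozilla/5.0 (X11; Linux x86_64)" 10.0.0.1 5120 312 - '
          '"none" "none" "none" 2 0a1b2c3d - -')

# Same line with the last column dropped, as if the log format had changed.
DRIFTED = SAMPLE.rsplit(" ", 1)[0]

if __name__ == "__main__":
    rec = extract(SAMPLE)
    print(rec["c_ip"], rec["cs_host"], rec["cs_User_Agent"])
    print("drifted line extracts:", extract(DRIFTED))
```

Because the pattern is anchored at both ends, a line with one column more or fewer yields no fields at all, which is why pinning the log format on the proxy matters for this transform.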