Hi,
We can use the BlueCoat App for Splunk, but there are still some fields that cannot be compared correctly.
But for the first basic reports it's enough.
We are using it in this combination:
The ProxySGs are using a custom access log server, with the log format "bcreportermain_v1".
Because the custom log server cannot use the local time, the ProxySG is sending the log in UTC; Splunk itself is running in local time (GMT+1).
We have configured a local props file on Splunk:
/opt/splunk/etc/apps/SplunkforBlueCoat/local/props.conf
[bcoat_proxysg]
TZ = UTC
REPORT-main = bcreportermain_v1
The data input for the dedicated TCP port has the sourcetype value "bcoat_proxysg", and the index is "bcoat_logs".
Now, after restarting Splunk, the fields are mostly correct, like date, time, c-ip, but there are still some fields that are not 100% recognized. For example, "action" now has the values from the http_statuscode. We haven't found a solution for it, because we are very much beginners in Splunk, but when I compare the log format with the transforms.conf, the order of the fields seems right.
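An offline way to check the symptom described in the post (the "action" field receiving the HTTP status), as an added example that is not part of the original post or of the BlueCoat App for Splunk. It splits a bcreportermain_v1 line the way a space-delimited extraction does (quoted values such as cs(User-Agent) stay intact), maps the tokens onto a field list, and reports when the list is one name short, which is exactly what shifts sc-status into s-action. The field order is the documented bcreportermain_v1 order but is an assumption here; the sample log line and the SHIFTED_FIELDS list are constructed, and the Splunk app may use its own names (e.g. "action" instead of "s-action"). The last function also shows the TZ = UTC step: the ProxySG timestamp is read as UTC and converted to GMT+1.

```python
import csv
from datetime import datetime, timedelta, timezone

# Field order of bcreportermain_v1 as documented for the ProxySG.
# Assumption: confirm against the format definition on your own appliance.
BCREPORTERMAIN_V1 = (
    "date time time-taken c-ip cs-username cs-auth-group x-exception-id "
    "sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method "
    "rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query "
    "cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id"
).split()

# Hypothetical extraction field list with one name dropped before s-action:
# the kind of mismatch that moves the HTTP status into the action column.
SHIFTED_FIELDS = [f for f in BCREPORTERMAIN_V1 if f != "x-exception-id"]

# Constructed sample line in ELFF style: space separated, "-" for empty values,
# double quotes around values that contain spaces.
SAMPLE = ('2013-03-05 14:02:17 120 10.1.2.3 jdoe "Domain Users" - OBSERVED '
          '"Search Engines/Portals" http://www.example.com/ 200 TCP_NC_MISS GET '
          'text/html http www.example.com 80 /index.html - html '
          '"Mozilla/5.0 (Windows NT 6.1)" 10.1.0.5 5123 412 -')


def tokenize(line):
    """Split one ELFF line like a DELIMS=" " extraction, honouring quoted values."""
    return next(csv.reader([line], delimiter=" ", quotechar='"'))


def extract(line, fields):
    """Map tokens onto field names positionally; surplus names stay unset,
    surplus tokens are dropped, which is how a delimiter extraction behaves."""
    return dict(zip(fields, tokenize(line)))


def diagnose(line, fields):
    """Return a list of alignment problems between a log line and a field list."""
    tokens = tokenize(line)
    problems = []
    if len(tokens) != len(fields):
        problems.append(f"token count {len(tokens)} != field count {len(fields)}")
    ev = dict(zip(fields, tokens))
    status = ev.get("sc-status", "")
    action = ev.get("s-action", "")
    if not (status.isdigit() and len(status) == 3):
        problems.append(f"sc-status={status!r} is not a 3-digit HTTP status")
    if action.isdigit() and len(action) == 3:
        problems.append(f"s-action={action!r} looks like an HTTP status: "
                        "field list is shifted by one")
    return problems


def event_time_local(ev, utc_offset_hours=1):
    """Combine date and time, read them as UTC (what TZ = UTC in props.conf does
    for the ProxySG timestamps) and convert to the local offset, here GMT+1."""
    ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone(timedelta(hours=utc_offset_hours)))


if __name__ == "__main__":
    for name, fields in (("documented order", BCREPORTERMAIN_V1),
                         ("shifted list", SHIFTED_FIELDS)):
        ev = extract(SAMPLE, fields)
        print(f"{name}: sc-status={ev.get('sc-status')!r} s-action={ev.get('s-action')!r}")
        for p in diagnose(SAMPLE, fields):
            print("  problem:", p)
    print("event time local:", event_time_local(extract(SAMPLE, BCREPORTERMAIN_V1)))
```

Run it against a real line from the access log server and the field list from the app's transforms.conf; if the token count and the field count differ, the shift will show up at the first field after the missing or extra name, not necessarily at "action".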