proxy.bluecoat
Introduction
The tags beginning with proxy.bluecoat identify events generated by Symantec ProxySG (formerly Proxy Blue Coat), a Symantec product.
Valid tags and data tables
The full tag must have at least 4 levels. The first two are fixed as proxy.bluecoat. The third level identifies the type of events sent and the rest of them indicate the event subtypes.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Symantec ProxySG (formerly Proxy Blue Coat) | proxy.bluecoat.proxysg.bcreportermain_v1 | proxy.bluecoat.proxysg.bcreportermain_v1 |
 | proxy.bluecoat.proxysg.leef | proxy.bluecoat.proxysg.leef |
 | proxy.bluecoat.proxysg.main | proxy.bluecoat.proxysg.main |
For more information, read more about Devo tags.
Table structure
These are the fields displayed in these tables:
proxy.bluecoat.proxysg.bcreportermain_v1
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
proxyHost | | | |
serverdate | | | |
time_taken | | | |
c_ip | | | |
cs_username | | | |
cs_auth_group | | | |
x_exception_id | | | |
sc_filter_result | | | |
cs_categories | | | |
cs_referer | | | |
sc_status | | | |
s_action | | | |
cs_method | | | |
rs_content_type | | | |
cs_uri_scheme | | | |
cs_host | | | |
cs_uri_port | | | |
cs_uri_path | | | |
cs_uri_query | | | |
cs_uri_extension | | | |
cs_user_agent | | | |
s_ip | | | |
sc_bytes | | | |
cs_bytes | | | |
x_virus_id | | | |
x_bluecoat_application_name | | | |
x_bluecoat_application_operation | | | |
x_bluecoat_transaction_uuid | | | |
x_icap_reqmod_header_X_ICAP_Metadata | | | |
x_icap_respmod_header_X_ICAP_Metadata | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | rawSource | ✓ |
proxy.bluecoat.proxysg.leef
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
proxyHost | | | |
srcIp | | | |
srcPort | | | |
dstIp | | | |
dstPort | | | |
username | | | |
deviceTime | | | |
sAction | | | |
scStatus | | | |
csMethod | | | |
timeTaken | | | |
scBytes | | | |
csBytes | | | |
csUriScheme | | | |
csHost | | | |
csUriQuery | | | |
csUriExtension | | | |
csAuthGroup | | | |
rsContentType | | | |
csUserAgent | | | |
csReferer | | | |
scFilterResult | | | |
filterCategory | | | |
sslBlueCoat | | | |
csXForwardedFor | | | |
sSupplierName | | | |
xExceptionId | | | |
csCategories | | | |
serverIp | | | |
xVirusId | | | |
xBluecoatAppName | | | |
xBluecoatAppOp | | | |
xCsCertCN | | | |
xVirusDetails | | | |
xIcapErrorCode | | | |
xIcapErrorDetails | | | |
xBluecoatRefId | | | |
csCategorizationTime | | | |
csUri | | | |
csUriPath | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | rawSource | ✓ |
proxy.bluecoat.proxysg.main
Field | Type | Field Transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
proxyHost | | | | |
serverdate | | ifthenelse(isnotnull(serverdatecomp), serverdatecomp, parsedate(serverdatedate + ' ' + serverdatetime, dateformat("DD/MM/YYYY HH:mm:ss"))) | serverdatedate, serverdatecomp, serverdatetime | |
username | | | | |
srcIp | | | | |
srcPort | | | | |
host | | | | |
dstPort | | | | |
protocol | | | | |
method | | | | |
url | | | | |
urlQuery | | | | |
statusCode | | | | |
action | | | | |
filterResult | | | | |
categories | | | | |
contentType | | | | |
referer | | | | |
userAgent | | | | |
authGroup | | | | |
supplier | | | | |
serverIp | | | | |
responseTime | | | | |
responseLength | | | | |
requestLength | | | | |
virusID | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
date | | | | |
eventCode | | | | |
event | | | | |
failureCode | | | | |
symbol | | | | |
domain | | | | |
reason | | | | |
code | | | | |
severity | | | | |
app | | | | |
messageCode | | | | |
rawMessage | | | rawSource | |
How is the data sent to Devo?
Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay.
Devo Relay rules
You need to define two relay rules as described below. It is important that the rules run in the specified order on the relay: Rule 1 must come before Rule 2, so that events starting with # are dropped before any other rule can tag them.
Rule 1: Drop all events received on the port that start with #
Source Port → 13005
Source Data → ^#.*
Check the Stop Processing and Drop Event checkboxes
Rule 2: Tag all other events received on the port as proxy.bluecoat.proxysg.main.
Source Port → 13005
Target Tag → proxy.bluecoat.proxysg.main
Check the Sent without syslog tag checkbox
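The following Python model, added here as an illustration and not part of the Devo product or this page's original content, replays the two relay rules above over constructed sample lines and shows why the order matters: with Rule 2 first, the `#` lines would already have been forwarded under proxy.bluecoat.proxysg.main before Rule 1 could drop them. The relay semantics (top-to-bottom evaluation, forward on tag match, "Stop Processing" ends evaluation) are an assumption of the model.

```python
import re

# Constructed sample of what a ProxySG log forwarder might deliver on port
# 13005 (not real data): header lines start with '#', data lines do not.
SAMPLE_LINES = [
    "#Software: SGOS",
    "#Fields: date time time-taken c-ip cs-username cs-method cs-host",
    "2024-01-15 10:00:01 120 10.0.0.5 jdoe GET www.example.com",
    "2024-01-15 10:00:02 35 10.0.0.7 asmith CONNECT www.example.org",
]

# The two relay rules from this page, in the order the page requires.
RULES_IN_ORDER = [
    {"name": "Rule 1", "port": 13005, "pattern": re.compile(r"^#.*"),
     "drop": True, "stop": True, "tag": None},
    {"name": "Rule 2", "port": 13005, "pattern": None,  # no pattern: matches all
     "drop": False, "stop": False, "tag": "proxy.bluecoat.proxysg.main"},
]


def apply_relay_rules(lines, rules, port=13005):
    """Return the (tag, message) pairs the relay forwards to Devo.

    Assumed relay semantics (a model, not Devo's implementation): rules are
    evaluated top to bottom; a matching rule with a target tag forwards the
    event immediately, a drop rule discards it, and 'Stop Processing' ends
    evaluation for that event.
    """
    forwarded = []
    for line in lines:
        for rule in rules:
            if rule["port"] != port:
                continue
            if rule["pattern"] is not None and not rule["pattern"].match(line):
                continue
            if rule["drop"]:
                break  # event discarded; no later rule sees it
            forwarded.append((rule["tag"], line))
            if rule["stop"]:
                break
    return forwarded


def header_lines_forwarded(lines, rules):
    """Count '#' header lines that reach Devo under the given rule order."""
    return sum(1 for _, msg in apply_relay_rules(lines, rules) if msg.startswith("#"))


if __name__ == "__main__":
    print(len(apply_relay_rules(SAMPLE_LINES, RULES_IN_ORDER)), "events forwarded, Rule 1 first")
    print(header_lines_forwarded(SAMPLE_LINES, RULES_IN_ORDER[::-1]), "header lines forwarded, order reversed")
```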