
proxy.bluecoat

Introduction

The tags beginning with proxy.bluecoat identify events generated by Symantec ProxySG (formerly Proxy Blue Coat).

Valid tags and data tables

The full tag must have at least 4 levels. The first two are fixed as proxy.bluecoat. The third level identifies the type of events sent and the rest of them indicate the event subtypes.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
| --- | --- | --- |
| Symantec ProxySG (formerly Proxy Blue Coat) | proxy.bluecoat.proxysg.bcreportermain_v1 | proxy.bluecoat.proxysg.bcreportermain_v1 |
| | proxy.bluecoat.proxysg.leef | proxy.bluecoat.proxysg.leef |
| | proxy.bluecoat.proxysg.main.kv | proxy.bluecoat.proxysg.main |
| | proxy.bluecoat.proxysg.main.app | proxy.bluecoat.proxysg.main |

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

proxy.bluecoat.proxysg.bcreportermain_v1

| Field | Type | Source field name | Extra fields |
| --- | --- | --- | --- |
| eventdate | timestamp | | |
| proxyHost | str | | |
| serverdate | timestamp | | |
| time_taken | str | | |
| c_ip | str | | |
| cs_username | str | | |
| cs_auth_group | str | | |
| x_exception_id | str | | |
| sc_filter_result | str | | |
| cs_categories | str | | |
| cs_referer | str | | |
| sc_status | str | | |
| s_action | str | | |
| cs_method | str | | |
| rs_content_type | str | | |
| cs_uri_scheme | str | | |
| cs_host | str | | |
| cs_uri_port | str | | |
| cs_uri_path | str | | |
| cs_uri_query | str | | |
| cs_uri_extension | str | | |
| cs_user_agent | str | | |
| s_ip | str | | |
| sc_bytes | str | | |
| cs_bytes | str | | |
| x_virus_id | str | | |
| x_bluecoat_application_name | str | | |
| x_bluecoat_application_operation | str | | |
| x_bluecoat_transaction_uuid | str | | |
| x_icap_reqmod_header_X_ICAP_Metadata | str | | |
| x_icap_respmod_header_X_ICAP_Metadata | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |

proxy.bluecoat.proxysg.leef

| Field | Type | Source field name | Extra fields |
| --- | --- | --- | --- |
| eventdate | timestamp | | |
| proxyHost | str | | |
| srcIp | ip4 | | |
| srcPort | int4 | | |
| dstIp | ip4 | | |
| dstPort | int4 | | |
| username | str | | |
| deviceTime | timestamp | | |
| sAction | str | | |
| scStatus | int4 | | |
| csMethod | str | | |
| timeTaken | int4 | | |
| scBytes | int8 | | |
| csBytes | int8 | | |
| csUriScheme | str | | |
| csHost | str | | |
| csUriQuery | str | | |
| csUriExtension | str | | |
| csAuthGroup | str | | |
| rsContentType | str | | |
| csUserAgent | str | | |
| csReferer | str | | |
| scFilterResult | str | | |
| filterCategory | str | | |
| sslBlueCoat | int4 | | |
| csXForwardedFor | str | | |
| sSupplierName | ip4 | | |
| xExceptionId | str | | |
| csCategories | str | | |
| serverIp | ip4 | | |
| xVirusId | str | | |
| xBluecoatAppName | str | | |
| xBluecoatAppOp | str | | |
| xCsCertCN | str | | |
| xVirusDetails | str | | |
| xIcapErrorCode | str | | |
| xIcapErrorDetails | str | | |
| xBluecoatRefId | str | | |
| csCategorizationTime | int4 | | |
| csUri | str | | |
| csUriPath | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |
| rawMessage | str | rawSource | ✓ |

proxy.bluecoat.proxysg.main

| Field | Type | Field Transformation | Source field name | Extra fields |
| --- | --- | --- | --- | --- |
| eventdate | timestamp | | | |
| proxyHost | str | | | |
| serverdate | timestamp | ifthenelse(isnotnull(serverdatecomp), serverdatecomp, parsedate(serverdatedate + ' ' + serverdatetime, dateformat("DD/MM/YYYY HH:mm:ss"))) | serverdatedate, serverdatecomp, serverdatetime | |
| username | str | | | |
| srcIp | ip4 | | | |
| srcPort | str | | | |
| host | str | | | |
| dstPort | int4 | | | |
| protocol | str | | | |
| method | str | | | |
| url | str | | | |
| urlQuery | str | | | |
| statusCode | int4 | | | |
| action | str | | | |
| filterResult | str | | | |
| categories | str | | | |
| contentType | str | | | |
| referer | str | | | |
| userAgent | str | | | |
| authGroup | str | | | |
| supplier | str | | | |
| serverIp | ip4 | | | |
| responseTime | int4 | | | |
| responseLength | int4 | | | |
| requestLength | int4 | | | |
| virusID | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| date | str | | | |
| eventCode | str | | | |
| event | str | | | |
| failureCode | str | | | |
| symbol | str | | | |
| domain | str | | | |
| reason | str | | | |
| code | str | | | |
| severity | str | | | |
| app | str | | | |
| messageCode | str | | | |
| rawMessage | str | | rawSource | |

How is the data sent to Devo?

Because the source system has no facility for applying the Devo tag itself, the events should be forwarded to a Devo Relay, which tags them before sending them to Devo.

Devo Relay rules

You need to define the two relay rules described below. The rules must run on the relay in the order given: Rule 1 must come before Rule 2, so that header lines are dropped before any event is tagged.

Rule 1: Drop all events received on the port that start with #

  • Source Port → 13005

  • Source Data → ^#.*

  • Check the Stop Processing and Drop Event checkboxes

Rule 2: Tag all other events received on the port as proxy.bluecoat.proxysg.main.

  • Source Port → 13005

  • Target Tag → proxy.bluecoat.proxysg.main

  • Check the Sent without syslog tag checkbox
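As an added example (not part of the Devo documentation or the relay's own code), the following Python simulation runs the two rules above, in the required order, over a constructed ProxySG access-log sample. It shows which lines the ^#.* pattern removes (the W3C ELFF directive lines such as #Fields:, which carry no event data) and which lines reach Devo tagged as proxy.bluecoat.proxysg.main; the rule-engine semantics it assumes are labelled as assumptions in the code, and the "Sent without syslog tag" checkbox is not modelled.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a ProxySG access log as it arrives on the relay port:
# W3C ELFF directive lines start with '#' and carry no event data; every
# other line is one access-log entry (all values are made up).
SAMPLE_LINES = [
    "#Software: SGOS",
    "#Fields: date time time-taken c-ip cs-username s-action sc-status cs-method cs-host",
    "2023-05-04 10:15:01 120 10.0.0.25 jdoe TCP_HIT 200 GET intranet.example",
    "2023-05-04 10:15:02 45 10.0.0.26 - TCP_DENIED 403 CONNECT blocked.example",
    "#Remark: log rotated",
]

@dataclass
class RelayRule:
    """One relay rule: Source Port, optional Source Data regex, optional Target Tag, checkboxes."""
    name: str
    source_port: int
    source_data: Optional[str] = None
    target_tag: Optional[str] = None
    drop_event: bool = False
    stop_processing: bool = False

# The two rules from the page, in the order the page requires.
RULES = [
    RelayRule("Rule 1", 13005, source_data=r"^#.*", drop_event=True, stop_processing=True),
    RelayRule("Rule 2", 13005, target_tag="proxy.bluecoat.proxysg.main"),
]

def route_event(line: str, port: int = 13005, rules=RULES) -> Optional[str]:
    """Return the tag one event would leave the relay with, or None if it is dropped.
    Assumed semantics (an assumption, not Devo's documented engine): rules run top to
    bottom, a rule with no Source Data matches every event, Stop Processing ends the run."""
    tag = None
    for rule in rules:
        if rule.source_port != port or (rule.source_data and not re.match(rule.source_data, line)):
            continue
        if rule.drop_event:
            return None
        tag = rule.target_tag or tag
        if rule.stop_processing:
            break
    return tag

def route_batch(lines, port: int = 13005, rules=RULES):
    # Returns (kept [(line, tag), ...], number of dropped lines).
    routed = [(line, route_event(line, port, rules)) for line in lines]
    kept = [(line, tag) for line, tag in routed if tag is not None]
    return kept, len(lines) - len(kept)
```

Running route_batch(SAMPLE_LINES) drops the three directive lines and forwards the two access-log entries with the proxy.bluecoat.proxysg.main tag; a '#' appearing later in a line (for example in a URL fragment) is not matched because the pattern is anchored at the start.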
