Symantec Bluecoat ProxySG
This pack includes Cortex XSIAM content.
Configuration on Server Side
You need to configure Bluecoat ProxySG to forward Syslog messages with the access log 'main' format.
Go to the ProxySG software and open the "Configuration" tab Product Doc;
- From the left sidebar, navigate to Access Logging > Logs > Logs tab, and create a new log with the
mainformat defined for it:
date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ipClick the Upload Client tab and configure your log as follows:
Field Value Client type Custom Client Save the log file as text file In the Custom Client Settings dialog box, point the Custom Client to the broker, specifying the IP address and port number.
Click the Upload Schedule tab. Make sure that the Upload the access log option is marked as continuously.
From the left sidebar, navigate to Policy > Visual Policy Manager
Add a new Web Access Layer and create a rule with the Modify Access Logging action.
In the Add Access Logging Object dialog box, enable logging for your new access log.
Make sure the log is being written by going to Statistics > Access Logging > Select "MyLog" > Start Tail.
- Pay attention: Timestamp parsing is configured for %Y-%m-%d %H:%M:%S format in UTC timezone.
Follow the Product Instructions for selecting a timezone.
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings > Configuration > Data Broker > Broker VMs.
- Right-click, and select Syslog Collector > Configure.
- When configuring the Syslog Collector, set the following values:
- vendor as vendor - symantec
- product as product - bluecoatproxysg