Symantec BlueCoat ProxySG

A component for on-premises deployment and web security.

This pack includes Cortex XSIAM content.

Configuration on Server Side

You need to configure Bluecoat ProxySG to forward Syslog messages with the access log 'main' format.

Go to the ProxySG software and open the "Configuration" tab (see the Product Doc):

  1. From the left sidebar, navigate to Access Logging > Logs > Logs tab, and create a new log with the main format defined for it:

     date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip

  2. Click the Upload Client tab and configure your log as follows:

     Field                  Value
     Client type            Custom Client
     Save the log file as   text file

  3. In the Custom Client Settings dialog box, point the Custom Client to the broker, specifying the IP address and port number.

  4. Click the Upload Schedule tab. Make sure that the Upload the access log option is set to continuously.

  5. From the left sidebar, navigate to Policy > Visual Policy Manager.

  6. Add a new Web Access Layer and create a rule with the Modify Access Logging action.

  7. In the Add Access Logging Object dialog box, enable logging for your new access log.

     Make sure the log is being written by going to Statistics > Access Logging > Select "MyLog" > Start Tail.

  • Note: Timestamp parsing is configured for the %Y-%m-%d %H:%M:%S format in the UTC timezone.
    Follow the Product Instructions for selecting a timezone.
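
Before pointing the upload client at the broker, lines copied from Start Tail can be checked against the main format and the timestamp pattern above. The following is an added example, not part of the content pack; it assumes raw access-log lines with no syslog header, space-separated fields, and double quotes around values that contain spaces, and the sample lines are constructed.

```python
import re
from datetime import datetime, timezone

# Field order copied from the 'main' format string on this page (24 fields).
MAIN_FIELDS = (
    "date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method "
    "cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username "
    "cs-auth-group s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) "
    "sc-filter-result cs-categories x-virus-id s-ip"
).split()
# Assumption: space-separated fields, double quotes around values with spaces.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def parse_main_line(line):
    """Return {field: value} ('-' becomes None) plus a UTC '_time'; raise ValueError."""
    values = [quoted if bare == "" else bare for quoted, bare in TOKEN.findall(line)]
    if len(values) != len(MAIN_FIELDS):
        raise ValueError(f"expected {len(MAIN_FIELDS)} fields, got {len(values)}")
    try:  # same pattern the page gives for timestamp parsing
        stamp = datetime.strptime(f"{values[0]} {values[1]}", "%Y-%m-%d %H:%M:%S")
    except ValueError as exc:
        raise ValueError(f"timestamp mismatch: {exc}") from exc
    record = {k: (None if v == "-" else v) for k, v in zip(MAIN_FIELDS, values)}
    record["_time"] = stamp.replace(tzinfo=timezone.utc)
    return record

def check_lines(lines):
    """Return {line_number: error} for lines that do not fit the main format."""
    problems = {}
    for number, line in enumerate(lines, 1):
        try:
            parse_main_line(line)
        except ValueError as exc:
            problems[number] = str(exc)
    return problems

# Constructed sample lines (documentation addresses, not real traffic).
GOOD = ('2023-11-12 08:15:42 37 192.0.2.25 200 TCP_NC_MISS 5120 412 GET http '
        'www.example.com 80 /index.html - jdoe - www.example.com text/html - '
        '"Mozilla/5.0 (X11; Linux x86_64)" OBSERVED "Technology/Internet" - 192.0.2.1')
SAMPLE_LINES = [
    GOOD,
    GOOD.replace("2023-11-12", "12/11/2023"),  # date not in %Y-%m-%d
    " ".join(GOOD.split()[:10]),               # truncated record
]

if __name__ == "__main__":
    print(check_lines(SAMPLE_LINES))
```

A line reported with a field-count error usually means the log was created with a format other than main; a timestamp mismatch points at the date or time fields.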

Collect Events from Vendor

In order to use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to Settings > Configuration > Data Broker > Broker VMs.
  2. Right-click, and select Syslog Collector > Configure.
  3. When configuring the Syslog Collector, set the following values:
    • vendor: set to symantec
    • product: set to bluecoatproxysg

PLATFORMS

Cortex XSIAM

INFO

Supported By: Cortex
Created: December 15, 2022
Last Release: November 12, 2023
