Blue Coat Proxy

Blue Coat ProxySG is a cloud-based product that provides users with web security. Connecting this event source to InsightIDR will enhance the security data available for analysis.

Before You Begin

Blue Coat logs its data in a specific format, ELFF (Extended Log File Format), which lets you define the order of the logged fields. You can learn how to define the field order at: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-3/index/proxy-sg-log-fields-and-substitutions.html

For Blue Coat logs to work properly with the InsightIDR parser, ensure that the following fields appear at the front of each log entry, in this order: date time c-ip s-action sc-status cs-method cs-uri-scheme cs-uri cs(User-Agent) cs-bytes sc-bytes sc-filter-result x-cs-identusername x-cs-dns

If a valid hostname is not provided, the Provided Account and Provided Hostname fields will not be parsed.

You can add extra fields after the initial fields; they will not affect the parser.
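The following is an added example, not Rapid7's parser or any Blue Coat code: it reads an ELFF log whose `#Fields:` directive is checked against the field prefix required above, tolerates extra trailing fields, and only derives the Provided Hostname and Provided Account when a valid hostname is present. The sample log is constructed, and treating x-cs-dns as the "provided hostname" and using an RFC 1123-style name check are assumptions.

```python
import re
# Field prefix the page requires at the front of every entry; extra fields may follow it.
REQUIRED_PREFIX = ("date time c-ip s-action sc-status cs-method cs-uri-scheme cs-uri "
                   "cs(User-Agent) cs-bytes sc-bytes sc-filter-result x-cs-identusername x-cs-dns").split()
# ELFF values are space-separated; a value containing spaces is double-quoted.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Assumption: "valid hostname" means RFC 1123-style labels (1-63 chars, no leading/trailing '-').
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed sample log: a #Fields directive, then two entries carrying one extra trailing field.
SAMPLE_LOG = [
    "#Fields: " + " ".join(REQUIRED_PREFIX) + " cs-categories",
    '2024-05-01 12:00:01 10.1.2.3 TCP_MISS 200 GET http http://example.com/ '
    '"Mozilla/5.0 (Windows NT 10.0)" 512 2048 OBSERVED jdoe ws01.corp.example Business',
    '2024-05-01 12:00:02 10.1.2.4 TCP_DENIED 403 GET http http://example.net/ "curl/8.0" '
    '100 300 DENIED - - Uncategorized',
]

def check_field_order(fields):
    # True when the InsightIDR-required fields open the #Fields list in the required order.
    return fields[:len(REQUIRED_PREFIX)] == REQUIRED_PREFIX

def parse_entry(fields, line):
    """Map one ELFF entry onto its field names; '-' marks an empty value."""
    tokens = [t[1:-1] if t.startswith('"') else t for t in _TOKEN_RE.findall(line)]
    if len(tokens) != len(fields):
        raise ValueError(f"expected {len(fields)} values, got {len(tokens)}: {line}")
    record = {f: (None if v == "-" else v) for f, v in zip(fields, tokens)}
    # The page's caveat: account/hostname are derived only from a valid hostname (assumed: x-cs-dns).
    host = record.get("x-cs-dns")
    if host and _HOSTNAME_RE.match(host):
        record["Provided Hostname"] = host
        record["Provided Account"] = record.get("x-cs-identusername")
    return record

def parse_log(lines):
    """Parse an ELFF log, rejecting a #Fields order the InsightIDR parser would not accept."""
    fields, records = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            if not check_field_order(fields):
                raise ValueError("#Fields order does not start with the required prefix")
        elif line.startswith("#") or not line.strip():
            continue  # other ELFF directives (#Version, #Date, ...) and blank lines
        else:
            records.append(parse_entry(fields, line))
    return records
```

Running `parse_log` over an exported access log before enabling the event source shows whether the configured field order will parse, and which entries will lack account and hostname attribution.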

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Blue Coat ProxySG in the event sources search bar.
    • In the Product Type filter, select Web Proxy.
  3. Select the Blue Coat ProxySG event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Optionally choose to send unparsed logs.
  6. Choose the timezone that matches the location of your event source logs.
  7. Select a collection method and specify a port and a protocol.
    • If you choose TCP, you can optionally encrypt the event source by downloading the Rapid7 Certificate.
  8. Click Save.