Bluecoat ProxySG
Description
Vendor: Bluecoat
Product: Proxy Secure Gateway (ProxySG)
Log type(s): PRX (access log), SYS (system event log)
Theoretical injector performance
18567 EPS
Log sample
Type PRX:
2017-02-10 12:34:56 1.2.3.4 DENIED 0 - 1486121632 440 0 1.0 0 http blugro2relay.groove.microsoft.com http://blugro2relay.groove.microsoft.com/2.0/blugro2relay.groove.microsoft.com/b523s8fvpp7ampixcy6wxp8zsn9nj5dbyqcddci,ConnType=LongLived 80 /2.0/blugro2relay.groove.microsoft.com/b523s8fvpp7ampixcy6wxp8zsn9nj5dbyqcddci,ConnType=LongLived Unknown POST POST - 1.170.1.1 - -
2017-02-10 12:34:56 1.2.3.4 OBSERVED 0 TUNNELED 1486121314 126 51 - - ssl translate.googleapis.com ssl://translate.googleapis.com:443/ 443 / 1.1.47.33 56307 8080 - - - ICAP_NOT_SCANNED - Direct unknown - - 1.1.208.234 - -
Type SYS:
ProxySG: 420000 Logout[Bluecoat]ERR:Could not send Logout message(0) SEVERE_ERROR admin.cpp 713
ProxySG: 2C0006 Snapshot debug-stats has fetched /sysinfo-stats(0) NORMAL_EVENT snapshot_worker.cpp 236
ProxySG: 420001 Successfully connected to primary authentication agent for realm Bluecoat at 1.1.69.26:16101(0) NORMAL_EVENT admin.cpp 429
Parsing strategy
- First, the log type (SYS or PRX) is determined with grok: if the log starts with `ProxySG:`, its type is SYS; otherwise it is PRX.
- If the log type is SYS, grok patterns are used to extract the fields.
- If the log type is PRX, a CSV operator is used. If the log is malformed (missing fields, line too long, etc.), an exception is raised and the line is rejected. Then all fields holding the empty-field placeholder value are dropped (the samples above use `-` for empty fields).
- Finally, a binding is made to respect the normalisation.
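The strategy above, as an added worked example in Python; this is not the product's or the parser project's own code. The type check, the grok-style regex for SYS lines, the space-delimited CSV parsing for PRX lines, the rejection of malformed lines and the dropping of placeholder fields follow the steps listed. The sample lines are copied from the Log sample section. Everything else is an assumption made for the example: the PRX column names (the real names depend on the access-log format configured on the appliance, which the page does not give), the `-` placeholder, and the `MAX_PRX_LENGTH` limit. The column list is sized to the first PRX sample, so the second PRX sample, which has a different number of columns, deliberately exercises the malformed-log path.

```python
import csv
import re

# Placeholder ProxySG writes for an empty access-log field ("-" in the samples above).
# Assumption for this example; fields holding it are dropped from the result.
EMPTY_FIELD = "-"

# Assumption: reject PRX lines longer than this (the "log too long" case).
MAX_PRX_LENGTH = 8192

# Hypothetical column names for the PRX access-log format, sized to the first sample.
# They are an assumption of this example, not the appliance's configured format.
PRX_FIELDS = [
    "date", "time", "c_ip", "sc_filter_result", "sc_status", "s_action",
    "x_request_id", "time_taken", "sc_bytes", "cs_version", "cs_bytes",
    "cs_uri_scheme", "cs_host", "cs_uri", "cs_uri_port", "cs_uri_path",
    "rs_content_type", "cs_method", "x_method", "cs_username", "s_ip",
    "cs_user_agent", "x_virus_id",
]

# Grok-style pattern for SYS events:
#   ProxySG: <event id> <message>(<code>) <severity> <source file> <source line>
SYS_PATTERN = re.compile(
    r"^ProxySG: (?P<event_id>[0-9A-Fa-f]+) (?P<message>.*?)\((?P<code>\d+)\) "
    r"(?P<severity>[A-Z_]+) (?P<source_file>\S+) (?P<source_line>\d+)$"
)


class MalformedLog(ValueError):
    """Raised when a line does not have the expected shape."""


def log_type(line: str) -> str:
    """Step 1: a line starting with 'ProxySG:' is SYS, anything else is PRX."""
    return "SYS" if line.startswith("ProxySG:") else "PRX"


def parse_sys(line: str) -> dict:
    """Step 2: SYS lines are matched against the grok-style pattern."""
    m = SYS_PATTERN.match(line)
    if m is None:
        raise MalformedLog(f"SYS line does not match pattern: {line!r}")
    return m.groupdict()


def parse_prx(line: str, fields=PRX_FIELDS) -> dict:
    """Step 3: PRX lines are space-delimited CSV; malformed lines raise,
    placeholder fields are dropped."""
    if len(line) > MAX_PRX_LENGTH:
        raise MalformedLog(f"PRX line too long ({len(line)} bytes)")
    # csv handles the double-quoting ProxySG applies to fields containing spaces.
    row = next(csv.reader([line], delimiter=" ", quotechar='"'))
    if len(row) != len(fields):
        raise MalformedLog(f"expected {len(fields)} columns, got {len(row)}")
    return {name: value for name, value in zip(fields, row) if value != EMPTY_FIELD}


def parse(line: str) -> dict:
    """Dispatch on log type and tag the event with it (the 'binding' step is
    where the result would be mapped onto the normalised schema)."""
    kind = log_type(line)
    event = parse_sys(line) if kind == "SYS" else parse_prx(line)
    event["log_type"] = kind
    return event


def parse_lines(lines):
    """Parse a batch; returns (events, rejected_lines) so bad input is visible."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse(line))
        except MalformedLog:
            rejected.append(line)
    return events, rejected


# Sample lines copied from the Log sample section of this page.
PRX_DENIED = (
    "2017-02-10 12:34:56 1.2.3.4 DENIED 0 - 1486121632 440 0 1.0 0 http "
    "blugro2relay.groove.microsoft.com http://blugro2relay.groove.microsoft.com/2.0/"
    "blugro2relay.groove.microsoft.com/b523s8fvpp7ampixcy6wxp8zsn9nj5dbyqcddci,ConnType=LongLived "
    "80 /2.0/blugro2relay.groove.microsoft.com/b523s8fvpp7ampixcy6wxp8zsn9nj5dbyqcddci,"
    "ConnType=LongLived Unknown POST POST - 1.170.1.1 - -"
)
PRX_OBSERVED = (
    "2017-02-10 12:34:56 1.2.3.4 OBSERVED 0 TUNNELED 1486121314 126 51 - - ssl "
    "translate.googleapis.com ssl://translate.googleapis.com:443/ 443 / 1.1.47.33 56307 8080 "
    "- - - ICAP_NOT_SCANNED - Direct unknown - - 1.1.208.234 - -"
)
SYS_LOGOUT = ("ProxySG: 420000 Logout[Bluecoat]ERR:Could not send Logout message(0) "
              "SEVERE_ERROR admin.cpp 713")
SYS_SNAPSHOT = ("ProxySG: 2C0006 Snapshot debug-stats has fetched /sysinfo-stats(0) "
                "NORMAL_EVENT snapshot_worker.cpp 236")

if __name__ == "__main__":
    events, rejected = parse_lines([PRX_DENIED, PRX_OBSERVED, SYS_LOGOUT, SYS_SNAPSHOT])
    for e in events:
        print(e["log_type"], sorted(e.items()))
    print("rejected:", rejected)
```

With the 23-column assumption, the first PRX sample yields 19 named fields plus `log_type` (the four `-` columns are dropped), both SYS samples parse, and the second PRX sample lands in `rejected` because it has 31 columns; swapping `PRX_FIELDS` for a list matching the appliance's configured format is all that is needed for it to parse.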