Attached is a syslog subagent parser for Blue Coat Proxy SG.
It was developed in response to Blue Coat's feature update that added syslog output, as opposed to file-based logging only; the syslog-based logging has been found to be richer.
Please note that:
- This configuration file has been written to parse the event format pushed by Blue Coat Proxy SG version 220.127.116.11;
- Field mappings are based on the author's own judgement; amend them to best fit your environment and content;
- The regex includes the syslog header, starting from the date; adjust it if the source device is configured to send a different header format.
- Install a Syslog Daemon SmartConnector;
- Add the properties file to $ARCSIGHT_HOME/current/user/agent/flexagent/syslog;
- Within agent.properties, set both unparsedevents.log.enabled and usercustomsubagentlist to true;
- Stop the SmartConnector, delete syslog.properties (located in $ARCSIGHT_HOME/current/user/agent), and start the SmartConnector again.
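As an added example (not the attached properties file, and not Blue Coat's or ArcSight's own code), the Python below shows the parsing approach the notes describe: one regex that consumes the syslog header from the date onward, tokenises the access-log body, and maps the tokens to ArcSight field names, with lines that fail the regex set aside the way the connector routes them to the unparsed-events log. The header form ("Mon dd hh:mm:ss host ProxySG:"), the field order (modelled on ProxySG's default "main" ELFF access-log format), the field mapping and the sample lines are all assumptions made for the example; change the regex and the mapping to match what your device actually sends.

```python
"""Regex parser for Blue Coat ProxySG access-log events received over syslog.

Added example. The syslog header and the body field order are ASSUMPTIONS
(header: "<Mon dd hh:mm:ss> <host> ProxySG: "; body: ProxySG default "main"
format). Adjust both to the format your device is configured to send.
"""
import re
from datetime import datetime

# One regex covering the syslog header (from the date) plus the access-log body.
LINE_RE = re.compile(
    r'^(?P<hdr_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '   # syslog timestamp (no year)
    r'(?P<hdr_host>\S+) '                                       # syslog hostname
    r'(?:ProxySG: )?'                                           # optional program tag
    r'(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<time_taken>\d+) (?P<c_ip>\S+) (?P<sc_status>\d{3}) (?P<s_action>\S+) '
    r'(?P<sc_bytes>\d+) (?P<cs_bytes>\d+) (?P<cs_method>\S+) (?P<cs_uri_scheme>\S+) '
    r'(?P<cs_host>\S+) (?P<cs_uri_port>\d+) (?P<cs_uri_path>\S+) (?P<cs_uri_query>\S+) '
    r'(?P<cs_username>\S+) (?P<cs_auth_group>\S+) (?P<s_hierarchy>\S+) '
    r'(?P<s_supplier_name>\S+) (?P<rs_content_type>\S+) "(?P<cs_user_agent>[^"]*)" '
    r'(?P<sc_filter_result>\S+) "(?P<cs_categories>[^"]*)" (?P<x_virus_id>\S+) '
    r'(?P<s_ip>\S+)$'
)

# Token -> ArcSight field mapping. This is one person's choice, as the post says;
# rename targets to suit your content.
FIELD_MAP = {
    "hdr_host": "deviceHostName",
    "c_ip": "sourceAddress",
    "cs_username": "sourceUserName",
    "cs_host": "destinationHostName",
    "cs_uri_port": "destinationPort",
    "s_ip": "deviceAddress",
    "cs_method": "requestMethod",
    "sc_status": "deviceCustomNumber1",        # HTTP status code
    "s_action": "deviceAction",                 # e.g. TCP_HIT, TCP_DENIED
    "sc_filter_result": "deviceEventClassId",   # OBSERVED / DENIED
    "cs_bytes": "bytesIn",                      # client -> server
    "sc_bytes": "bytesOut",                     # server -> client
    "cs_user_agent": "requestClientApplication",
    "cs_categories": "deviceCustomString1",
    "x_virus_id": "deviceCustomString2",
}


def parse_line(line):
    """Return the mapped event as a dict, or None if the line does not match.

    In the connector a None here is a line that would end up in the
    unparsed-events log, which is why unparsedevents.log.enabled is turned on.
    """
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    t = m.groupdict()
    event = {target: t[token] for token, target in FIELD_MAP.items()}
    # Rebuild the request URL; ProxySG logs "-" for an empty query string.
    query = "" if t["cs_uri_query"] == "-" else "?" + t["cs_uri_query"]
    event["requestUrl"] = (
        f"{t['cs_uri_scheme']}://{t['cs_host']}:{t['cs_uri_port']}{t['cs_uri_path']}{query}"
    )
    # Use the device's own date/time: the syslog header timestamp has no year.
    event["deviceReceiptTime"] = datetime.strptime(
        f"{t['date']} {t['time']}", "%Y-%m-%d %H:%M:%S"
    )
    for key in ("destinationPort", "deviceCustomNumber1", "bytesIn", "bytesOut"):
        event[key] = int(event[key])
    event["deviceVendor"], event["deviceProduct"] = "Blue Coat", "ProxySG"
    return event


def parse_stream(lines):
    """Split an iterable of raw lines into parsed events and unparsed raw lines."""
    parsed, unparsed = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed.append(line)
        else:
            parsed.append(event)
    return parsed, unparsed


# Constructed sample lines in the assumed format (not captured from a real device).
SAMPLE_LINES = [
    'Jan 12 10:15:30 proxysg01 ProxySG: 2016-01-12 10:15:30 120 10.1.2.3 200 TCP_HIT '
    '4521 300 GET http www.example.com 80 /index.html - jdoe staff DIRECT '
    'www.example.com text/html "Mozilla/5.0" OBSERVED "Technology/Internet" - 192.0.2.10',
    'Jan 12 10:15:31 proxysg01 ProxySG: 2016-01-12 10:15:31 5 10.1.2.4 403 TCP_DENIED '
    '913 412 CONNECT tcp bad.example.net 443 / - - - NONE - - "curl/7.47.0" DENIED '
    '"Malicious Sources/Malnets" - 192.0.2.10',
    # A non-access line from the same source: must fall through to "unparsed".
    'Jan 12 10:15:32 proxysg01 ProxySG: Access Log (main): upload complete',
]

if __name__ == "__main__":
    events, leftovers = parse_stream(SAMPLE_LINES)
    for ev in events:
        print(ev["deviceReceiptTime"], ev["sourceAddress"], ev["deviceAction"], ev["requestUrl"])
    print(f"{len(events)} parsed, {len(leftovers)} unparsed")
```

The regex uses Python named groups only for readability; the same expression with positional groups and token[n].name entries is the shape a FlexConnector regex file takes. Anything the regex rejects is what you will find in the unparsed-events log after the connector restarts, which is the quickest way to see whether the header or the field order needs adjusting for a given device.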