Blue Coat Proxy SG Syslog FlexConnector

File uploaded by steve.miller@hpe.com on Jul 7, 2016

Attached is a syslog subagent parser for Blue Coat Proxy SG. 

 

This has been developed in response to Blue Coat's feature update to include syslog, as opposed to just file-based logging. The syslog-based logging has been found to be richer.

 

Please note that:

 

  • This configuration file has been written to parse the event format pushed by Blue Coat Proxy SG version 6.6.3.2;
  • Field mappings are based on personal logic – these can be amended to best fit your environment and content;
  • The Regex includes the syslog header starting from the date – adjustments may be required if the source device is configured differently.

 

To use:

 

  1. Install a Syslog Daemon SmartConnector;
  2. Add the properties file to $ARCSIGHT_HOME/current/user/agent/flexagent/syslog;
  3. Restart the connector.

 

Suggested Troubleshooting:

 

  • Within agent.properties, amend both unparsedevents.log.enabled and usercustomsubagentlist to “=true”;
  • Stop the SmartConnector, delete syslog.properties (located in $ARCSIGHT_HOME/current/user/agent), and restart the SmartConnector.
