FlexConnector: Failed Authentication on BlueCoat Proxy

Document created by manuel.g on Aug 30, 2012. Last modified by manuel.g on Aug 30, 2012. Version 3.

Hi,

We get the failed authentication logs from the proxy via syslog. The proxy is a Blue Coat. So I wrote this connector:


# Syslog messages the regex does not match are forwarded as unparsed
# events instead of being dropped, so a format change stays visible.
do.unparsed.events=true
# The syslog subconnector strips the header (timestamp, sender) before the
# regex runs, so the regex only covers the ProxySG message body and must
# match it completely (hence the trailing .*). This is a Java properties
# file: every backslash has to be doubled, \\d reaches the regex as \d.
regex=ProxySG: (2\\d+) Authentication failed from (\\d+\\.\\d+\\.\\d+\\.\\d+): user '([^']+)'.*
# Earlier attempts, kept for reference. With single backslashes the
# properties loader drops the backslash, so \d becomes a literal d and
# the pattern can never match.
#\w+ \d+ \d+:\d+:\d+
#regex=\w+ \d+ \d+:\d+:\d+ \w+: (2\d+) Authentication failed from (\d+\.\d+\.\d+\.\d+): user '([^']+)'
# One token per capture group, in group order.
token.count=3
token[0].name=Action_ID
token[0].type=String
token[1].name=Attacker_IP
token[1].type=IPAddress
token[2].name=User_Name
token[2].type=String


# Header fields come from the built-in syslog tokens, the rest from the groups.
event.deviceReceiptTime=_SYSLOG_TIMESTAMP
event.deviceHostName=_SYSLOG_SENDER
event.deviceVendor=__stringConstant("Blue Coat")
event.deviceProduct=__stringConstant("Proxy SG")
event.deviceEventClassId=Action_ID
event.attackerAddress=Attacker_IP
event.attackerUserId=User_Name
event.name=__concatenate("Proxy Authentication failed: ",User_Name)
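As an added, offline check of the connector above (this is example code, not part of the original post and not Blue Coat or ArcSight code): a Python re-implementation of what the connector does to a syslog line. It unescapes the regex string the way a Java .properties loader does, which makes visible why the commented-out single-backslash version cannot match, strips a BSD syslog header the way the syslog subconnector does, applies the regex to the message body and produces the same field mapping. The sample lines, the host name proxy01, the event IDs and the addresses are constructed to fit the post's regex and are not real ProxySG output; the mapping from unmatched message to "unparsed event" mirrors the connector's do.unparsed.events=true setting.

```python
import re
from typing import Dict, List, Optional, Tuple

# The regex exactly as it stands in the .properties file (backslashes doubled),
# and the single-backslash variant from the commented-out line.
PROPERTIES_REGEX = (
    r"ProxySG: (2\\d+) Authentication failed from "
    r"(\\d+\\.\\d+\\.\\d+\\.\\d+): user '([^']+)'.*"
)
PROPERTIES_REGEX_SINGLE = (
    r"ProxySG: (2\d+) Authentication failed from "
    r"(\d+\.\d+\.\d+\.\d+): user '([^']+)'"
)

# Constructed sample lines: BSD syslog PRI, timestamp and sender, then a
# ProxySG-style message in the shape the post's regex expects. Host name,
# event IDs and addresses are placeholders, not real Blue Coat codes.
SAMPLE_LINES = [
    "<134>Aug 30 10:15:42 proxy01 ProxySG: 250000 Authentication failed from 10.1.2.3: user 'jdoe' (realm 'corp')",
    "<134>Aug 30 10:15:43 proxy01 ProxySG: 250000 Authentication failed from 10.1.2.4: user 'CORP\\jsmith' (realm 'corp')",
    "<134>Aug 30 10:15:44 proxy01 ProxySG: 250001 Authentication succeeded from 10.1.2.5: user 'jdoe'",
]

# Stand-in for the syslog subconnector: drop the PRI, capture the timestamp
# (_SYSLOG_TIMESTAMP) and the sender (_SYSLOG_SENDER), hand on the message body.
SYSLOG_HEADER = re.compile(
    r"^(?:<\d{1,3}>)?(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$"
)
_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def properties_unescape(value: str) -> str:
    # Undo Java .properties escaping as Properties.load does:
    # '\\' -> '\', '\t' '\n' '\r' '\f' -> control character, any other '\X' -> 'X'.
    # (\uXXXX escapes are not handled; none occur in these regexes.)
    out: List[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def compile_properties_regex(value: str):
    # Compile the regex as the connector sees it after properties loading.
    return re.compile(properties_unescape(value))


MESSAGE_REGEX = compile_properties_regex(PROPERTIES_REGEX)


def parse_event(line: str, message_regex=MESSAGE_REGEX) -> Optional[Dict[str, str]]:
    # Apply the post's token and event mapping to one syslog line. None means
    # "no match", the case the connector reports as an unparsed event.
    header = SYSLOG_HEADER.match(line)
    if not header:
        return None
    timestamp, sender, message = header.groups()
    # The connector's regex has to cover the whole message body, hence the
    # trailing .* in the original pattern; fullmatch models that.
    m = message_regex.fullmatch(message)
    if not m:
        return None
    action_id, attacker_ip, user_name = m.groups()
    return {
        "deviceReceiptTime": timestamp,
        "deviceHostName": sender,
        "deviceVendor": "Blue Coat",
        "deviceProduct": "Proxy SG",
        "deviceEventClassId": action_id,
        "attackerAddress": attacker_ip,
        "attackerUserId": user_name,
        "name": "Proxy Authentication failed: " + user_name,
    }


def parse_all(lines, message_regex=MESSAGE_REGEX) -> Tuple[List[Dict[str, str]], List[str]]:
    # Split lines into mapped events and the raw lines that would go unparsed.
    parsed, unparsed = [], []
    for line in lines:
        event = parse_event(line, message_regex)
        if event is None:
            unparsed.append(line)
        else:
            parsed.append(event)
    return parsed, unparsed


if __name__ == "__main__":
    events, leftovers = parse_all(SAMPLE_LINES)
    for ev in events:
        print(ev["deviceEventClassId"], ev["attackerAddress"], ev["attackerUserId"], "->", ev["name"])
    print("unparsed:", leftovers)
    # After properties unescaping the single-backslash pattern has lost its \d.
    print("single-backslash pattern becomes:", properties_unescape(PROPERTIES_REGEX_SINGLE))
```

Two things the run makes visible: the successful-authentication line ends up in the unparsed list, which is what do.unparsed.events=true is for, and the single-backslash regex turns into `(2d+)` after loading, so it can never match an event ID. One caveat on the post's own pattern: `\d+\.\d+\.\d+\.\d+` also accepts strings such as 999.1.1.1 that are not addresses; the IPAddress token type will refuse those, so if the proxy ever logs something other than a dotted quad there, tightening the group or mapping it as a String is the fix.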

