000035234 - Unable to Capture Bluecoat Proxy Logs Properly in RSA Security Analytics 10.5+

Document created by RSA Customer Support Employee on Jun 21, 2017
Version 1

Article Content

Article Number: 000035234
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Log Decoder
RSA Version/Condition: 10.5+
 
Issue: The following gibberish errors are logged in /var/log/messages on the Log Decoder appliance when SYSLOG events are sent from Blue Coat ProxySG SGOS:
 
May 25 04:25:48  NwLogDecoder[7733]: [SYSLOG] [warning] Unidentified content from xxx.xxx.xxx.xxx received on receiver: 
'X??!Q??,???4T???%D?^?rO?_?????%??=jU?D??/????X_?h_?a???71???(??]'????????1??Y"???{d?b$P?3??????/h{0C'

 
 
Cause: This happens when Blue Coat ProxySG SGOS sends SYSLOG events in GZIP format.
Resolution: Ask the Blue Coat administrator to log in to the Blue Coat admin page and, under "Upload Client" > "Transmission Parameters", change the parameter "Save the log file as:" to "text file".
 
Notes: This has already been reported to the DOC team, and the Integration Guide for Blue Coat ProxySG SGOS is in the process of being amended.
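
To confirm the cause described above before asking for the proxy setting to be changed, a payload captured from the log source can be checked for the gzip header. The Python below is an added example, not part of the RSA article or either product; the function names, the sample log lines and the 192.0.2.10 / example.test values are constructed for illustration.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # RFC 1952 header: ID1, ID2, CM=8 (deflate)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/LF/CR."""
    if not data:
        return 1.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def classify_payload(data: bytes) -> str:
    """Return 'gzip', 'text' or 'binary' for one captured payload."""
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    # A chunk from the middle of a compressed stream carries no header,
    # so fall back to how much of it is readable text.
    return "text" if printable_ratio(data) >= 0.9 else "binary"

def preview(data: bytes, limit: int = 120) -> str:
    """Decompress up to `limit` bytes of a gzip payload; '' if not gzip."""
    try:
        out = zlib.decompressobj(wbits=31).decompress(data, limit)
    except zlib.error:
        return ""
    return out.decode("utf-8", errors="replace")

def constructed_samples() -> dict:
    """Constructed test data: not real Blue Coat output."""
    lines = b"".join(
        b"2017-05-25 04:25:%02d 192.0.2.10 200 GET http://example.test/p%d\n" % (i % 60, i)
        for i in range(300)
    )
    packed = gzip.compress(lines)
    return {
        "plain": lines[:200],
        "gzip_start": packed,
        "gzip_midstream": packed[10:],  # same stream without its 10-byte header
    }

if __name__ == "__main__":
    for name, payload in constructed_samples().items():
        print(name, classify_payload(payload), repr(preview(payload)[:40]))
```

A `binary` verdict on a chunk that lacks the header is consistent with compressed data but does not prove it; capturing from the start of the connection shows the header itself.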
