
Blue coat doesn't accept colon (:) in custom log format

Question asked by Sravan Koneti on Jun 30, 2017
Latest reply on Jun 30, 2017 by Sravan Koneti

Hi All,

We are trying to integrate a Blue Coat proxy using the Blue Coat ProxySG SGOS Event Source Configuration Guide with syslog collection.

Unfortunately, we are receiving logs in the format below (not parsed correctly, as the : symbol is missing just after the %CACHEFLOWELFF_syslog word):

%CACHEFLOWELFF_syslogdate="2017-06-30",time="08:15:55",time-taken="19",c-ip="1.6.2.3",s-action="TCP_DENIED",s-ip="11.6.2.3",s-supplier-name="-",s-sitename="SG-HTTP-Service",cs-user="-",cs-username="-",cs-auth-group="-",cs-categories="Technology/Internet",cs-method="CONNECT",cs-host="accounts.google.com",cs-uri="tcp://accounts.google.com:443/",cs-uri-scheme="tcp",cs-uri-port="443",cs-uri-path="/",cs-uri-query="-",cs-uri-extension="-",cs(Referer)="-",cs(User-Agent)="Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko",cs-bytes="314",sc-status="407",sc-bytes="222",sc-filter-result="DENIED",sc-filter-category="Technology/Internet",x-virus-id="-",x-exception-id="authentication_failed",rs(Content-Type)="-",duration="0",s-supplier-ip="-",cs(Cookie)="-",s-computername="xxx",s-port="6754",cs-uri-stem="tcp://accounts.google.com:443/",cs-version="HTTP/1.0"

 

The issue is that the Blue Coat device custom log format does not accept the : symbol, as in the Log format tab below.

<133>%%CACHEFLOWELFF_syslog:date=\"$(date)\",time=\"$(time)\",time-taken=\"$(time-taken)\",c-ip=\"$(c-ip)\",s-action=\"$(s-action)\",s-ip=\"$(s-ip)\",s-supplier-name=\"$(s-supplier-name)\",s-sitename=\"$(s-sitename)\",cs-user=\"$(cs-user)\",cs-username=\"$(cs-username)\",cs-auth-group=\"$(cs-auth-group)\",cs-categories=$(cs-categories),cs-method=\"$(cs-method)\",cs-host=\"$(cs-host)\",cs-uri=\"$(cs-uri)\",cs-uri-scheme=\"$(cs-uri-scheme)\",cs-uri-port=\"$(cs-uri-port)\",cs-uri-path=\"$(cs-uri-path)\",cs-uri-query=\"$(cs-uri-query)\",cs-uri-extension=\"$(cs-uri-extension)\",cs(Referer)=\"$(cs(Referer))\",cs(User-Agent)=\"$(cs(User-Agent))\",cs-bytes=\"$(cs-bytes)\",sc-status=\"$(sc-status)\",sc-bytes=\"$(sc-bytes)\",sc-filter-result=\"$(sc-filter-result)\",sc-filter-category=\"$(sc-filter-category)\",x-virus-id=\"$(x-virus-id)\",x-exception-id=\"$(x-exception-id)\",rs(Content-Type)=\"$(rs(Content-Type))\",duration=\"$(duration)\",s-supplier-ip=\"$(s-supplier-ip)\",cs(Cookie)=\"$(cs(Cookie))\",s-computername=\"$(s-computername)\",s-port=\"$(s-port)\",cs-uri-stem=\"$(cs-uri-stem)\",cs-version=\"$(cs-version)\"

 

The Blue Coat device version is 6.2.13.1. Has anyone come across this issue? Please suggest any workaround for this.
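
Added example, not part of the original post or of the vendor guide: a Python sketch of a relay-side check that parses the key=value event shown above, detects the missing `:` after the `%CACHEFLOWELFF_syslog` header, and re-inserts it before the line is forwarded to the collector. The names `parse_event`, `normalize` and `PAIR` are hypothetical, the sample line is constructed from the event in the question, and it assumes the collector's parser keys on the header followed by a colon, as the question describes.

```python
import re

HEADER = "%CACHEFLOWELFF_syslog"
# key="value" or key=value; keys may carry a header name, e.g. cs(User-Agent)
PAIR = re.compile(
    r'([A-Za-z][\w-]*(?:\([\w-]+\))?)='      # key
    r'(?:"((?:[^"\\]|\\.)*)"|([^,]*))'       # quoted or bare value
    r'(?:,|$)'                               # field separator or end of line
)

def parse_event(line):
    """Return (had_colon, fields); raise ValueError if the line is not an ELFF event."""
    line = line.rstrip("\r\n")
    start = line.find(HEADER)
    if start < 0:
        raise ValueError("header not found")
    body = line[start + len(HEADER):]
    had_colon = body.startswith(":")
    body = body[1:] if had_colon else body
    fields, pos = {}, 0
    while pos < len(body):
        m = PAIR.match(body, pos)
        if m is None:
            raise ValueError(f"malformed field at offset {pos}")
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
        pos = m.end()
    return had_colon, fields

def normalize(line):
    """Insert the ':' after the header when the sender left it out."""
    had_colon, _ = parse_event(line)   # also validates the field list
    if had_colon:
        return line
    cut = line.find(HEADER) + len(HEADER)
    return line[:cut] + ":" + line[cut:]

# Constructed sample: a shortened form of the event quoted in the question.
SAMPLE = ('<133>%CACHEFLOWELFF_syslogdate="2017-06-30",time="08:15:55",'
          'c-ip="1.6.2.3",cs-categories=Technology/Internet,'
          'cs-uri="tcp://accounts.google.com:443/",'
          'cs(User-Agent)="Mozilla/5.0 (Windows NT 6.1, x64) like Gecko"')

if __name__ == "__main__":
    print(normalize(SAMPLE))
    print(parse_event(SAMPLE)[1])
```

Colons and commas inside quoted values (the `cs-uri` port, the User-Agent string) are left untouched; only the header separator is restored.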
