When the PS people were on site they were not sure how to get FTP logs into SA. According to them it was not supported, but I do not see how that would be possible, although it might be. Does anyone know how to get SFTP and FTP logs into SA?
I have a log collector running and a service for bluecoats.
SA rides on top of CentOS, so it is fairly easy to get the file over to the log collector via scp or sftp. If the BC files are compressed, make sure you uncompress them before dropping them into the appropriate file reader directory location.
For BC, you are going to need the bluecoat_elff_tvm parser, which only appears to work with the filereader method.
Please refer to the following documentation:
http://docs.netwitness.com/1-RSA_Security_Analytics_User_Guide/50_Administration_Module/1_The_Devices_View/3_Device_Config_View/Log_Collectors/2_Log_Collector_Event_Sources_Tab/01_File_Event_Source
Remember that the File Directory will reside on the Log Decoder appliance. To confirm, just SSH into the appliance, cd into /var/netwitness/logcollector/upload and find the file reader parser; in this case it will be blue_coat_elff_tvm.
The subdirectory will be created off that branch of the directory tree.
Hope this information helps.
Cheers
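As an added example (not code from the original posts or from RSA), here is a small POSIX shell helper that does the staging steps the reply above describes once the file has been scp'd onto the appliance: check whether the file is actually gzipped (by magic bytes, not by extension), uncompress it if so, and place it in the file reader directory under /var/netwitness/logcollector/upload/<parser>/. The upload root and the parser directory name come from the reply; the "logs" subdirectory, the hidden ".partial" temp-file convention and the sample log lines are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: stage a Blue Coat ELFF log file into the Log Collector's
# file reader directory. Not RSA code; paths below are taken from the thread,
# the "logs" subdirectory name is a hypothetical.

# True if the file starts with the gzip magic bytes 1f 8b. Checking the
# content rather than the ".gz" suffix catches files that were renamed.
is_gzip() {
  [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# stage_log SRC DEST_DIR
# Copies SRC into DEST_DIR, decompressing it first if it is gzipped, and
# prints the final path. The file is written under a hidden ".partial" name
# and then renamed, so the file reader never picks up a half-written file
# (assumption: the reader ignores dot-files; verify against your event
# source configuration).
stage_log() {
  src="$1"
  dest_dir="$2"
  [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
  [ -d "$dest_dir" ] || {
    echo "destination $dest_dir does not exist; is the file reader event source configured?" >&2
    return 1
  }
  base=$(basename "$src")
  if is_gzip "$src"; then
    base="${base%.gz}"
    partial="$dest_dir/.$base.partial"
    gzip -dc "$src" > "$partial"
  else
    partial="$dest_dir/.$base.partial"
    cp "$src" "$partial"
  fi
  mv "$partial" "$dest_dir/$base"
  echo "$dest_dir/$base"
}

# Stand-alone demo on constructed data in a temp directory, so nothing is
# written under /var/netwitness when this file is run as-is.
demo_dir=$(mktemp -d)
demo_dest="$demo_dir/upload/blue_coat_elff_tvm/logs"
mkdir -p "$demo_dest"
printf '#Software: SGOS\n2024-01-01 00:00:00 12 10.0.0.5 200 TCP_HIT GET http example.com /\n' \
  > "$demo_dir/access.log"
gzip -c "$demo_dir/access.log" > "$demo_dir/access.log.gz"
stage_log "$demo_dir/access.log.gz" "$demo_dest"
```

In production the destination would be the real directory under /var/netwitness/logcollector/upload/blue_coat_elff_tvm on the Log Decoder, for example `stage_log /tmp/access.log.gz /var/netwitness/logcollector/upload/blue_coat_elff_tvm/logs`, run after the scp/sftp transfer mentioned in the reply.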