RSA Security Analytics Event Source Log Configuration Guide Blue Coat ProxySG SGOS Last Modified: Friday, October 31, 2014 Event Source Product Information: Vendor: Blue Coat Systems Event Source: SGOS (Security Gateway Appliance) Versions: 4.1, 4.2, 4.3, 5.1, 5.2,5.3, 5.4, 5.4.1.12, 5.4.3.2, 5.4.3.7, 5.4.6.1, 5.5.1.1, 5.5.5.1, 6.1.1.1, 6.1.3.1, 6.1.4.1., 6.2.x, 6.4.4.1, 6.3.5.1, 6.5.3.6, 6.5.4.4 RSA Product Information: Supported On: Security Analytics 10.0 and later Event Source Log Parsers: cacheflowelff Collection Method: File, Syslog Event Source Class.Subclass: Host.Web Logs Event Source Log Configuration Guide To configure Blue Coat SGOS to work with RSA Security Analytics, you must complete the following tasks: I. Set up the SFTP agent II. Set up the File Service III. Enable logging on SGOS IV. Configure the FTP upload on Blue Coat SGOS Set Up the SFTP Agent To set up the SFTP Agent Collector on the RSA Security Analytics platform, visit the Security Analytics (SA) help and search for the help topic Install and Update SFTP Agent. Set Up the File Service To configure File Event Sources, visit the Security Analytics (SA) help and search for the help topic Configure File Event Sources. Note: Select cacheflowelff from the Available Event Source Types dialog. 2 Event Source Log Configuration Guide Enable Logging on Blue Coat ProxySG Due to the length of some message fields, such as Cookies, URI, and URI-path, RSA Security Analytics may discover log messages as unknown. To enable access logging on Blue Coat ProxySG: 1. Open a browser and log on to the Blue Coat ProxySG appliance with administrative credentials. 2. On the Configuration tab, in the navigation pane, click Access Logging > Formats. 3. Click New. 4. In the Format Name field, type NIC_Format. 5. Depending on the file reader type that you selected when setting up the NIC File Reader Service, do one of the following: l l If you selected Blue Coat or Blue Coat ELFF, select Custom format string. If you selected Bluecoat_ELFF_TVM, select Extended Log File Format string. 6. Depending on the task that you want to accomplish, in the field next to Test Format, do one of the following: Changing the fields, the format, or the number of field results can produce unknown messages or unknown device discovery. l To return the hostname of the upstream host, type the following: >%g %e %a %w/%s %b %m %u %H/%d %c %p %B %I %P %T %V %D %L %i %U where %d returns the hostname of the upstream host. l To return the hostname from the client's request URL, type the following: %g %e %a %w/%s %b %m %u %H/%v %c %p %B %I %P %T %V %D %L %i %U where %v returns the hostname from the client’s request URL. If URL rewrite policies are used, the value in this field is derived from the log URL. l To return events using ELFF (for version 4.x), type the following: date time time-taken c-ip s-action sc-status sc-bytes cs-method cs-username s-hierarchy cs-host rs(Content-Type) cs-uri-port cs-bytes s-ip cs-uri-scheme duration s-supplier-ip cs-auth-group s-supplier-name sc-filter-result sc-filter-category cs(User-Agent) x-virus-id s-sitename cs-uri cs-uri-path l To return events using ELFF (for version 5.x or 6.x), type the following: Enable Logging on Blue Coat ProxySG 3 Event Source Log Configuration Guide date time time-taken c-ip s-action sc-status sc-bytes cs-method cs-user s-hierarchy cs-host rs(Content-Type) cs-uri-port cs-bytes s-ip cs-uri-scheme duration s-supplier-ip cs-auth-group s-supplier-name sc-filter-result sc-filter-category cs(User-Agent) x-virus-id s-sitename cs-uri cs-uri-path l To return events using ELFF (for version 5.x or 6.x) for Content 2.0, type the following: date time time-taken c-ip s-action s-ip s-hierarchy s-suppliername s-sitename cs-user cs-username cs-auth-group cs-categories cs-method cs-host cs-uri cs-uri-scheme cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(Referer) cs(User-Agent) cs-bytes sc-status sc-bytes sc-filter-result sc-filter-category x-virus-id x-exception-id rs(Content-Type) duration s-supplier-ip cs(Cookie) s-computername s-port cs-uri-stem cs-version 7. Click OK, and to confirm the changes, click Apply. 8. In the navigation pane, click Access Logging > Logs. 9. Click New, and follow these steps: a. In the Log Name field, type NIC_Format. b. From the drop-down list, select NIC_Format. c. In the description box, type NIC Custom Format. d. Click OK, and to confirm the changes, click Apply. 10. On the General Settings tab, for each Default Logging Policy that you want to send to the Security Analytics, from the Log and Log Format drop-down lists, select NIC_Format. Do not select NIC_Format if you want to use one of the current default logging policies, such as main or im. 11. To confirm the changes, click Apply. To enable event logging on the SGOS event source: 1. To enable DNS logging, follow these steps: a. Click the Configuration tab. b. From the navigation menu, select Policy > Visual Policy Manager > Launch. c. Click Policy > Add DNS Access Layer, and enter a name for the DNS Access Layer. d. Right-click anywhere in the Track column, and select Set. e. Click New > Event Log. f. In the Add Event Log Object window, in the Name field, type EventLogDNS. g. In the Message Text field, type the following: 4 Enable Logging on Blue Coat ProxySG Event Source Log Configuration Guide BlueCoat-DNS: client_ address=$(quot)$(client.address)$(quot),client_ transport=$(quot)$(dns.client_ transport)$(quot),request_ address=$(quot)$(dns.request.address)$(quot),request_ class=$(quot)$(dns.request.class)$(quot),request_ name=$(quot)$(dns.request.name)$(quot),request_ opcode=$(quot)$(dns.request.opcode)$(quot),request_ type=$(quot)$(dns.request.type)$(quot),response_ a=$(quot)$(dns.response.a)$(quot),response_ cname=$(quot)$(dns.response.cname)$(quot),response_ code=$(quot)$(dns.response.code)$(quot),response_ ptr=$(quot)$(dns.response.ptr)$(quot) h. Click OK and click OK again. i. To install the new DNS policy and enable logging of DNS traffic, click Install Policy. 2. To enable SSL logging, follow these steps: a. Click the Configuration tab. b. From the navigation menu, select Policy > Visual Policy Manager > Launch. c. Click Policy > Add SSL Access Layer, and enter a name for the SSL Access Layer. d. Right-click anywhere in the Track column, and select Set. e. Click New > Event Log. f. In the Add Event Log Object window, in the Name field, type EventLogSSL. g. In the Message Text field, type the following: BlueCoat-SSL: $(date),$(time),$(timetaken),c_ip=$(quot)$(cip)$(quot),action=$(quot)$(saction)$(quot),s_cert_status=$(quot)$(xrs-certificate-validate-status)$(quot),s_ cert_errors=$(quot)$(x-rs-certificateobserved-errors)$(quot),c_ocsp_ error=$(quot)$(x-cs-ocsp-error)$(quot),s_ Enable Logging on Blue Coat ProxySG 5 Event Source Log Configuration Guide http_version=$(quot)$(x-rs-httpversion)$(quot),host=$(quot)$(cshost)$(quot),hierarchy=$(quot)$(shierarchy)$(quot),supplier_ name=$(quot)$(s-supplier-name)$(quot),s_ ssl_version=$(quot)$(x-rs-connectionnegotiated-ssl-version)$(quot),s_ cipher=$(quot)$(x-rs-connectionnegotiated-cipher)$(quot),s_cipher_ size=$(quot)$(x-rs-connection-negotiatedcipher-size)$(quot),s_cert_ host=$(quot)$(x-rs-certificatehostname)$(quot),s_cert_host_ category=$(quot)$(x-rs-certificatehostname-category)$(quot),c_ssl_ version=$(quot)$(x-cs-connectionnegotiated-ssl-version)$(quot),c_ cipher=$(quot)$(x-cs-connectionnegotiated-cipher)$(quot),c_cipher_ size=$(quot)$(x-cs-connection-negotiatedcipher-size)$(quot),c_cert_ subject=$(quot)$(x-cs-certificatesubject)$(quot),s_ip=$(quot)$(sip)$(quot),s_sitename=$(quot)$(ssitename)$(quot) h. Click OK, and click OK again. i. Click Policy > Add SSL Intercept Layer., and enter a name for the SSL Intercept Layer j. Right-click anywhere in the Track column, and select Set. k. Double-click the EventLogSSL variable. l. In the Message Text field, type the following: BlueCoat-SSL: $(date),$(time),$(timetaken),c_ip=$(quot)$(cip)$(quot),action=$(quot)$(saction)$(quot),s_cert_status=$(quot)$(xrs-certificate-validate-status)$(quot),s_ cert_errors=$(quot)$(x-rs-certificateobserved-errors)$(quot),c_ocsp_ error=$(quot)$(x-cs-ocsp-error)$(quot),s_ http_version=$(quot)$(x-rs-httpversion)$(quot),host=$(quot)$(cshost)$(quot),hierarchy=$(quot)$(s- 6 Enable Logging on Blue Coat ProxySG Event Source Log Configuration Guide hierarchy)$(quot),supplier_ name=$(quot)$(s-supplier-name)$(quot),s_ ssl_version=$(quot)$(x-rs-connectionnegotiated-ssl-version)$(quot),s_ cipher=$(quot)$(x-rs-connectionnegotiated-cipher)$(quot),s_cipher_ size=$(quot)$(x-rs-connection-negotiatedcipher-size)$(quot),s_cert_ host=$(quot)$(x-rs-certificatehostname)$(quot),s_cert_host_ category=$(quot)$(x-rs-certificatehostname-category)$(quot),c_ssl_ version=$(quot)$(x-cs-connectionnegotiated-ssl-version)$(quot),c_ cipher=$(quot)$(x-cs-connectionnegotiated-cipher)$(quot),c_cipher_ size=$(quot)$(x-cs-connection-negotiatedcipher-size)$(quot),c_cert_ subject=$(quot)$(x-cs-certificatesubject)$(quot),s_ip=$(quot)$(sip)$(quot),s_sitename=$(quot)$(ssitename)$(quot) m. Click OK and click OK again.. n. To install the new SSL policies and enable logging of SSL traffic, click Install Policy. 3. To enabling event logging, follow these steps: a. Click the Maintenance tab. b. From the navigation menu, click Event Logging. c. Click the Syslog tab. d. In the Loghost field, enter the host IP address of your Security Analytics Log Decoder or Remote Log Collector. e. Ensure that Enable syslog is selected. f. Click Apply. g. Click the Level tab, and ensure that all the event logging levels are selected. h. Click Apply. (Optional) To export the ELFF logs to both the Security Analytics and Blue Coat Reporter simultaneously: 1. Open a browser and log on to the BlueCoat ProxySG appliance with administrative credentials. 2. Click the Configuration tab. Enable Logging on Blue Coat ProxySG 7 Event Source Log Configuration Guide 3. From the navigation pane, click Policy > Visual Policy Manager. 4. Click Launch. 5. Under the Source column, locate Any. In the Any row, right-click the corresponding value under the Action column, and select Set. 6. To create access logging objects, in the Set Action Object window, follow these steps: a. Click New, and from the list, select Modify Access Logging. b. Ensure that Enable logging to is selected, and from the drop-down list, select NIC_Format. c. Click OK. d. Repeat steps a to c to create a second access logging object. e. Click New, and select Combined Action Object. f. In the Add Combined Action Object window, select Allow, and select both of the access logging objects that you created. g. Click Add, and click OK. Copyright © 2014 EMC Corporation. All Rights Reserved. Trademarks RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. Published in the USA. 8 Enable Logging on Blue Coat ProxySG
© Copyright 2024