RSA Security Analytics Blue Coat ProxySG SGOS Event Source Log Configuration Guide

RSA Security Analytics
Event Source Log Configuration Guide
Blue Coat ProxySG SGOS
Last Modified: Friday, October 31, 2014
Event Source Product Information:
Vendor: Blue Coat Systems
Event Source: SGOS (Security Gateway Appliance)
Versions: 4.1, 4.2, 4.3, 5.1, 5.2,5.3, 5.4, 5.4.1.12, 5.4.3.2, 5.4.3.7, 5.4.6.1,
5.5.1.1, 5.5.5.1, 6.1.1.1, 6.1.3.1, 6.1.4.1., 6.2.x, 6.4.4.1, 6.3.5.1, 6.5.3.6, 6.5.4.4
RSA Product Information:
Supported On: Security Analytics 10.0 and later
Event Source Log Parsers: cacheflowelff
Collection Method: File, Syslog
Event Source Class.Subclass: Host.Web Logs
Event Source Log Configuration Guide
To configure Blue Coat SGOS to work with RSA Security Analytics, you must
complete the following tasks:
I. Set up the SFTP agent
II. Set up the File Service
III. Enable logging on SGOS
IV. Configure the FTP upload on Blue Coat SGOS
Set Up the SFTP Agent
To set up the SFTP Agent Collector on the RSA Security Analytics platform, visit
the Security Analytics (SA) help and search for the help topic Install and Update
SFTP Agent.
Set Up the File Service
To configure File Event Sources, visit the Security Analytics (SA) help and search
for the help topic Configure File Event Sources.
Note: Select cacheflowelff from the Available Event Source Types dialog.
2
Event Source Log Configuration Guide
Enable Logging on Blue Coat ProxySG
Due to the length of some message fields, such as Cookies, URI, and URI-path,
RSA Security Analytics may discover log messages as unknown.
To enable access logging on Blue Coat ProxySG:
1. Open a browser and log on to the Blue Coat ProxySG appliance with
administrative credentials.
2. On the Configuration tab, in the navigation pane, click Access Logging >
Formats.
3. Click New.
4. In the Format Name field, type NIC_Format.
5. Depending on the file reader type that you selected when setting up the NIC
File Reader Service, do one of the following:
l
l
If you selected Blue Coat or Blue Coat ELFF, select Custom format
string.
If you selected Bluecoat_ELFF_TVM, select Extended Log File Format
string.
6. Depending on the task that you want to accomplish, in the field next to Test
Format, do one of the following:
Changing the fields, the format, or the number of field results can produce
unknown messages or unknown device discovery.
l
To return the hostname of the upstream host, type the following:
>%g %e %a %w/%s %b %m %u %H/%d %c %p %B %I %P %T %V %D %L %i %U
where %d returns the hostname of the upstream host.
l
To return the hostname from the client's request URL, type the following:
%g %e %a %w/%s %b %m %u %H/%v %c %p %B %I %P %T %V %D %L %i %U
where %v returns the hostname from the client’s request URL. If URL
rewrite policies are used, the value in this field is derived from the log URL.
l
To return events using ELFF (for version 4.x), type the following:
date time time-taken c-ip s-action sc-status sc-bytes cs-method
cs-username s-hierarchy cs-host rs(Content-Type)
cs-uri-port cs-bytes s-ip cs-uri-scheme duration s-supplier-ip
cs-auth-group s-supplier-name sc-filter-result
sc-filter-category cs(User-Agent) x-virus-id s-sitename cs-uri
cs-uri-path
l
To return events using ELFF (for version 5.x or 6.x), type the following:
Enable Logging on Blue Coat ProxySG
3
Event Source Log Configuration Guide
date time time-taken c-ip s-action sc-status sc-bytes cs-method
cs-user s-hierarchy cs-host rs(Content-Type)
cs-uri-port cs-bytes s-ip cs-uri-scheme duration s-supplier-ip
cs-auth-group s-supplier-name sc-filter-result
sc-filter-category cs(User-Agent) x-virus-id s-sitename cs-uri
cs-uri-path
l
To return events using ELFF (for version 5.x or 6.x) for Content 2.0, type the
following:
date time time-taken c-ip s-action s-ip s-hierarchy s-suppliername s-sitename cs-user cs-username cs-auth-group cs-categories
cs-method cs-host cs-uri cs-uri-scheme cs-uri-port cs-uri-path
cs-uri-query cs-uri-extension cs(Referer) cs(User-Agent) cs-bytes
sc-status sc-bytes sc-filter-result sc-filter-category x-virus-id
x-exception-id rs(Content-Type) duration s-supplier-ip cs(Cookie)
s-computername s-port cs-uri-stem cs-version
7. Click OK, and to confirm the changes, click Apply.
8. In the navigation pane, click Access Logging > Logs.
9. Click New, and follow these steps:
a. In the Log Name field, type NIC_Format.
b. From the drop-down list, select NIC_Format.
c. In the description box, type NIC Custom Format.
d. Click OK, and to confirm the changes, click Apply.
10. On the General Settings tab, for each Default Logging Policy that you want to
send to the Security Analytics, from the Log and Log Format drop-down lists,
select NIC_Format. Do not select NIC_Format if you want to use one of the
current default logging policies, such as main or im.
11. To confirm the changes, click Apply.
To enable event logging on the SGOS event source:
1. To enable DNS logging, follow these steps:
a. Click the Configuration tab.
b. From the navigation menu, select Policy > Visual Policy Manager >
Launch.
c. Click Policy > Add DNS Access Layer, and enter a name for the
DNS Access Layer.
d. Right-click anywhere in the Track column, and select Set.
e. Click New > Event Log.
f. In the Add Event Log Object window, in the Name field, type
EventLogDNS.
g. In the Message Text field, type the following:
4
Enable Logging on Blue Coat ProxySG
Event Source Log Configuration Guide
BlueCoat-DNS: client_
address=$(quot)$(client.address)$(quot),client_
transport=$(quot)$(dns.client_
transport)$(quot),request_
address=$(quot)$(dns.request.address)$(quot),request_
class=$(quot)$(dns.request.class)$(quot),request_
name=$(quot)$(dns.request.name)$(quot),request_
opcode=$(quot)$(dns.request.opcode)$(quot),request_
type=$(quot)$(dns.request.type)$(quot),response_
a=$(quot)$(dns.response.a)$(quot),response_
cname=$(quot)$(dns.response.cname)$(quot),response_
code=$(quot)$(dns.response.code)$(quot),response_
ptr=$(quot)$(dns.response.ptr)$(quot)
h. Click OK and click OK again.
i. To install the new DNS policy and enable logging of DNS traffic, click
Install Policy.
2. To enable SSL logging, follow these steps:
a. Click the Configuration tab.
b. From the navigation menu, select Policy > Visual Policy Manager >
Launch.
c. Click Policy > Add SSL Access Layer, and enter a name for the
SSL Access Layer.
d. Right-click anywhere in the Track column, and select Set.
e. Click New > Event Log.
f. In the Add Event Log Object window, in the Name field, type
EventLogSSL.
g. In the Message Text field, type the following:
BlueCoat-SSL: $(date),$(time),$(timetaken),c_ip=$(quot)$(cip)$(quot),action=$(quot)$(saction)$(quot),s_cert_status=$(quot)$(xrs-certificate-validate-status)$(quot),s_
cert_errors=$(quot)$(x-rs-certificateobserved-errors)$(quot),c_ocsp_
error=$(quot)$(x-cs-ocsp-error)$(quot),s_
Enable Logging on Blue Coat ProxySG
5
Event Source Log Configuration Guide
http_version=$(quot)$(x-rs-httpversion)$(quot),host=$(quot)$(cshost)$(quot),hierarchy=$(quot)$(shierarchy)$(quot),supplier_
name=$(quot)$(s-supplier-name)$(quot),s_
ssl_version=$(quot)$(x-rs-connectionnegotiated-ssl-version)$(quot),s_
cipher=$(quot)$(x-rs-connectionnegotiated-cipher)$(quot),s_cipher_
size=$(quot)$(x-rs-connection-negotiatedcipher-size)$(quot),s_cert_
host=$(quot)$(x-rs-certificatehostname)$(quot),s_cert_host_
category=$(quot)$(x-rs-certificatehostname-category)$(quot),c_ssl_
version=$(quot)$(x-cs-connectionnegotiated-ssl-version)$(quot),c_
cipher=$(quot)$(x-cs-connectionnegotiated-cipher)$(quot),c_cipher_
size=$(quot)$(x-cs-connection-negotiatedcipher-size)$(quot),c_cert_
subject=$(quot)$(x-cs-certificatesubject)$(quot),s_ip=$(quot)$(sip)$(quot),s_sitename=$(quot)$(ssitename)$(quot)
h. Click OK, and click OK again.
i. Click Policy > Add SSL Intercept Layer., and enter a name for the
SSL Intercept Layer
j. Right-click anywhere in the Track column, and select Set.
k. Double-click the EventLogSSL variable.
l. In the Message Text field, type the following:
BlueCoat-SSL: $(date),$(time),$(timetaken),c_ip=$(quot)$(cip)$(quot),action=$(quot)$(saction)$(quot),s_cert_status=$(quot)$(xrs-certificate-validate-status)$(quot),s_
cert_errors=$(quot)$(x-rs-certificateobserved-errors)$(quot),c_ocsp_
error=$(quot)$(x-cs-ocsp-error)$(quot),s_
http_version=$(quot)$(x-rs-httpversion)$(quot),host=$(quot)$(cshost)$(quot),hierarchy=$(quot)$(s-
6
Enable Logging on Blue Coat ProxySG
Event Source Log Configuration Guide
hierarchy)$(quot),supplier_
name=$(quot)$(s-supplier-name)$(quot),s_
ssl_version=$(quot)$(x-rs-connectionnegotiated-ssl-version)$(quot),s_
cipher=$(quot)$(x-rs-connectionnegotiated-cipher)$(quot),s_cipher_
size=$(quot)$(x-rs-connection-negotiatedcipher-size)$(quot),s_cert_
host=$(quot)$(x-rs-certificatehostname)$(quot),s_cert_host_
category=$(quot)$(x-rs-certificatehostname-category)$(quot),c_ssl_
version=$(quot)$(x-cs-connectionnegotiated-ssl-version)$(quot),c_
cipher=$(quot)$(x-cs-connectionnegotiated-cipher)$(quot),c_cipher_
size=$(quot)$(x-cs-connection-negotiatedcipher-size)$(quot),c_cert_
subject=$(quot)$(x-cs-certificatesubject)$(quot),s_ip=$(quot)$(sip)$(quot),s_sitename=$(quot)$(ssitename)$(quot)
m. Click OK and click OK again..
n. To install the new SSL policies and enable logging of SSL traffic, click
Install Policy.
3. To enabling event logging, follow these steps:
a. Click the Maintenance tab.
b. From the navigation menu, click Event Logging.
c. Click the Syslog tab.
d. In the Loghost field, enter the host IP address of your Security Analytics
Log Decoder or Remote Log Collector.
e. Ensure that Enable syslog is selected.
f. Click Apply.
g. Click the Level tab, and ensure that all the event logging levels are selected.
h. Click Apply.
(Optional) To export the ELFF logs to both the Security Analytics and Blue Coat
Reporter simultaneously:
1. Open a browser and log on to the BlueCoat ProxySG appliance with
administrative credentials.
2. Click the Configuration tab.
Enable Logging on Blue Coat ProxySG
7
Event Source Log Configuration Guide
3. From the navigation pane, click Policy > Visual Policy Manager.
4. Click Launch.
5. Under the Source column, locate Any. In the Any row, right-click the
corresponding value under the Action column, and select Set.
6. To create access logging objects, in the Set Action Object window, follow these
steps:
a. Click New, and from the list, select Modify Access Logging.
b. Ensure that Enable logging to is selected, and from the drop-down list,
select NIC_Format.
c. Click OK.
d. Repeat steps a to c to create a second access logging object.
e. Click New, and select Combined Action Object.
f. In the Add Combined Action Object window, select Allow, and select both
of the access logging objects that you created.
g. Click Add, and click OK.
Copyright © 2014 EMC Corporation. All Rights Reserved.
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the
United States and/or other countries. All other trademarks used herein are the property of their respective
owners. For a list of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. Published in the
USA.
8
Enable Logging on Blue Coat ProxySG