FlexConnector: Failed Authentication on BlueCoat Proxy

over 8 years ago

Hi,

We get the failed authentication on proxy logs via syslog. The proxy is a Blue Coat. So I wrote this connector:

do.unparsed.events=true
# Groups: 1 = event ID starting with 2, 2 = source IPv4 address, 3 = user name between single quotes
regex=ProxySG: (2\\d+) Authentication failed from (\\d+\\.\\d+\\.\\d+\\.\\d+): user '([^']+)'.*
#\w+ \d+ \d+:\d+:\d+
#regex=\w+ \d+ \d+:\d+:\d+ \w+: (2\d+) Authentication failed from (\d+\.\d+\.\d+\.\d+): user '([^']+)'
# One token per capture group, in order
token.count=3
token[0].name=Action_ID
token[0].type=String
token[1].name=Attacker_IP
token[1].type=IPAddress
token[2].name=User_Name
token[2].type=String
# Event field mappings
event.deviceReceiptTime=_SYSLOG_TIMESTAMP
event.deviceHostName=_SYSLOG_SENDER
event.deviceVendor=__stringConstant("Blue Coat")
event.deviceProduct=__stringConstant("Proxy SG")
event.deviceEventClassId=Action_ID
event.attackerAddress=Attacker_IP
event.attackerUserId=User_Name
event.name=__concatenate("Proxy Authentication failed: ",User_Name)
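An offline check of the connector's regex and field mappings, added here as an example and not part of the original post: it un-escapes the `regex=` value (with its `+` quantifiers in place) and runs it over message bodies. The sample messages, the event ID 250017, the `(realm test)` suffix, the whole-message match and the IPv4 validity check are assumptions of this sketch, not documented Blue Coat or connector behaviour.

```python
import ipaddress
import re

# regex= value from the connector above, as written in the .properties file
# (every backslash doubled).
PROPERTIES_REGEX = (r"ProxySG: (2\\d+) Authentication failed from "
                    r"(\\d+\\.\\d+\\.\\d+\\.\\d+): user '([^']+)'.*")
TOKEN_NAMES = ["Action_ID", "Attacker_IP", "User_Name"]  # token[0..2].name

def compile_properties_regex(value):
    """Undo the .properties backslash doubling and compile the pattern."""
    return re.compile(value.replace("\\\\", "\\"))

PATTERN = compile_properties_regex(PROPERTIES_REGEX)

def parse(message):
    """Map one message body to event fields; None means it stays unparsed.

    Assumptions of this sketch: the pattern must cover the whole message
    body (syslog header already stripped), and an address that is not valid
    IPv4 is rejected here rather than passed on.
    """
    m = PATTERN.fullmatch(message)
    if m is None:
        return None
    tok = dict(zip(TOKEN_NAMES, m.groups()))
    try:
        ipaddress.IPv4Address(tok["Attacker_IP"])
    except ValueError:
        return None
    return {
        "deviceVendor": "Blue Coat",
        "deviceProduct": "Proxy SG",
        "deviceEventClassId": tok["Action_ID"],
        "attackerAddress": tok["Attacker_IP"],
        "attackerUserId": tok["User_Name"],
        "name": "Proxy Authentication failed: " + tok["User_Name"],
    }

# Constructed sample messages (not captured from a real proxy).
SAMPLES = [
    "ProxySG: 250017 Authentication failed from 10.1.2.3: user 'jdoe' (realm test)",
    "ProxySG: 250017 Authentication failed from 10.1.2.3: user 'o'brien' (realm test)",
    "ProxySG: 350001 Authentication failed from 10.1.2.3: user 'jdoe'",
    "ProxySG: 250017 Authentication failed from 999.1.2.3: user 'jdoe'",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse(sample))
```

The second sample shows that `([^']+)` stops at the first apostrophe, so a user name containing one is recorded truncated (`o` instead of `o'brien`); the third stays unparsed because the event ID does not start with 2.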
