NTC Absent Member.

BlueCoat Event volume and Use Cases


Hi,

I wonder if you have deployed the BlueCoat SmartConnector, and how it is operating in a large environment.

I am testing the BlueCoat logs, and found the volume is about 23 million events per day and the zip log file sizes are about 10GB per day.

I expect this will add a fair amount of load to the ESM server as well as the storage.

I am looking for best practices to deploy the BlueCoat SmartConnector in a large environment, as well as some useful use cases related to BlueCoat.

I would appreciate it if you could share your experience.

Regards

Suheil 


Accepted Solutions
Micro Focus Expert

Re: BlueCoat Event volume and Use Cases


You should take into account what the intended use cases for these events will be.

- There is a BlueCoat connector for Syslog, and one that uses files that are received via ftp in batches. Do you need real-time correlation using BlueCoat, or is the batch latency acceptable for your use case?

- What do you want to do with the data? If you want to report on overall activity, take a good look at which parts of the BlueCoat events are indexed. Possibly implement some creative map files to have the connectors do some more of the parsing for you, if needed, instead of having ESM do that work.

- Consider the use of Trends for reporting due to the large volume of events.

- Use Cases that I have seen: Top Users, Top Domains, Top Traffic Types, Top Sources, Bandwidth Reporting, etc.
