ei-arcsight Absent Member.
716 views

Blue Coat SG Proxy Connector not parsing correctly


We recently implemented a Blue Coat SG proxy connector but are having an issue with how it is parsing the events. Everything about an event is being parsed into the Name field instead of being mapped to the correct ArcSight fields.

I modified the /etc/hosts file and added all the possible device names as they were being reported to ArcSight.

I also changed the usecustomsubagentlist value from false to true, e.g.

agents[0].usecustomsubagentlist=true

Has anyone else come across this issue with Blue Coat, and how did you resolve it?

The Blue Coat proxy is on version 6.2.

The connector is set to accept raw TCP syslog on port 10514.

The connector is also a software connector installed on a Linux box.

Thanks,

Eric

Accepted Solutions
ghedge@castleve Super Contributor.

Re: Blue Coat SG Proxy Connector not parsing correctly

You could try the file method to collect the logs. Look at the BlueCoatMultiServer connector doc but that doesn't support 6.2 either. It is my understanding that ArcSight will never support 6.2 with the out-of-the-box connectors. BlueCoat made some change to their log format in that version only.

The only other way would be to build a FlexConnector to parse the events correctly.

6 Replies
ghedge@castleve Super Contributor.

Re: Blue Coat SG Proxy Connector not parsing correctly

BlueCoat 6.2 is not supported in the syslog connector. Take a look at the SmartConnector documentation -

https://protect724.arcsight.com/docs/DOC-2538

ei-arcsight Absent Member.

Re: Blue Coat SG Proxy Connector not parsing correctly

Gregory,

Thanks for replying. Yes, I am aware 6.2 is not supported, but this is the most stable version of Blue Coat and the customer will be reluctant to change. I am looking for a way to get it to parse the event data correctly.

Thanks,

Eric

ei-arcsight Absent Member.

Re: Blue Coat SG Proxy Connector not parsing correctly

Thanks Gregory, I will attempt your suggestions.

ei-arcsight Absent Member.

Re: Blue Coat SG Proxy Connector not parsing correctly

I took Gregory's suggestion to build a FlexConnector and I think I have it set up OK. The only problem I am having is that I am not sure if I need to do more with the categorization file. I am still having the issue with all the event detail being displayed in the ArcSight field "Name", but I believe it is working, as I modified the device vendor and product fields, but I did it wrong so no data was displayed. Anyone have an idea how I can get the fields to map correctly and move the event data from the Name field to the Message field?

Thanks,

Eric

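The mapping problem in the post above (all event detail landing in Name, nothing in the per-field slots) is what a parser that reads the log's own column layout is meant to fix. The following is an added example, not code from the thread, from ArcSight, or from Blue Coat: it parses constructed W3C ELFF access-log lines of the kind a Blue Coat SG writes to file, takes the column list from the #Fields directive instead of hard-coding it, and maps each column to an ArcSight-style field name while keeping Name as a constant descriptor and putting the raw line in Message. The #Fields column list, the sample lines and the column-to-field mapping (ELFF_TO_ARCSIGHT) are assumptions made for this example; the ArcSight field names used are the usual schema names, but which column belongs in which field is a design choice here, not the vendor's parser.

```python
"""Added example (not from the thread): parse Blue Coat-style ELFF access-log lines
into named fields and map them to ArcSight-style event fields, so that the raw
event lands in "message" and only a short descriptor lands in "name"."""
import shlex
from datetime import datetime, timezone

# Constructed sample in the W3C ELFF layout that Blue Coat SG writes to file-based
# access logs. The "#Fields:" directive names each column; this column list is an
# assumption for the example, not the layout of any particular SGOS release.
SAMPLE_LOG = """\
#Software: SGOS (constructed sample)
#Version: 1.0
#Fields: date time time-taken c-ip cs-username cs-method sc-status cs-host cs-uri-path cs(User-Agent) cs-bytes sc-bytes
2013-04-02 10:15:31 120 10.1.2.3 jdoe GET 200 www.example.com /index.html "Mozilla/5.0 (Windows NT 6.1)" 512 2048
2013-04-02 10:15:32 45 10.1.2.4 - CONNECT 407 updates.example.net / "-" 0 0
"""

# Hypothetical mapping from ELFF column names to ArcSight-style event field names.
# Which column goes into which field is a design choice for this example.
ELFF_TO_ARCSIGHT = {
    "c-ip": "sourceAddress",
    "cs-username": "sourceUserName",
    "cs-method": "requestMethod",
    "sc-status": "deviceCustomString1",  # HTTP status has no dedicated field here
    "cs-host": "destinationHostName",
    "cs-uri-path": "requestUrl",
    "cs(User-Agent)": "requestClientApplication",
    "cs-bytes": "bytesIn",
    "sc-bytes": "bytesOut",
}
INTEGER_FIELDS = {"bytesIn", "bytesOut"}


def parse_elff(text):
    """Return one dict per data line, keyed by the column names from #Fields.

    The layout is taken from the log itself rather than hard-coded, which is
    what lets the parser survive a vendor changing its default column set.
    """
    columns = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            columns = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date ...)
        if columns is None:
            raise ValueError("data line seen before a #Fields directive")
        # shlex keeps a quoted value such as "Mozilla/5.0 (Windows NT 6.1)" as one token
        tokens = shlex.split(line)
        if len(tokens) != len(columns):
            raise ValueError(f"expected {len(columns)} columns, got {len(tokens)}: {line}")
        record = dict(zip(columns, tokens))
        record["_raw"] = line
        records.append(record)
    return records


def to_arcsight(record):
    """Map one parsed record to ArcSight-style fields; '-' means absent in ELFF."""
    event = {
        "deviceVendor": "Blue Coat",
        "deviceProduct": "ProxySG",
        "name": "Proxy access",          # short, constant descriptor
        "message": record["_raw"],       # full event detail goes here, not in name
        "deviceReceiptTime": datetime.strptime(
            f"{record['date']} {record['time']}", "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc),
    }
    for column, field in ELFF_TO_ARCSIGHT.items():
        value = record.get(column)
        if value is None or value == "-":
            continue  # ELFF writes "-" for an empty value; leave the field unset
        event[field] = int(value) if field in INTEGER_FIELDS else value
    return event


def normalize(text):
    """Parse and map every data line in an ELFF log body."""
    return [to_arcsight(r) for r in parse_elff(text)]


if __name__ == "__main__":
    for ev in normalize(SAMPLE_LOG):
        print(ev)
```

The same two ideas carry over to a FlexConnector: the tokens are named from the log's own column list rather than from a fixed regex, and Name is set to a constant while the raw line goes to Message, which is what keeps event detail out of the Name column in the console. A quoted user-agent containing spaces and a `-` placeholder for a missing username are the two cases that most often break a naive whitespace split, so both are included in the constructed sample.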
ei-arcsight Absent Member.

Re: Blue Coat SG Proxy Connector not parsing correctly

Gregory,

I tried the file method and it worked. There are some fields that did not map, but not too bad. Thanks for the suggestions.

Eric
