Blue Coat SG
The IBM QRadar DSM for Blue Coat SG collects events from Blue Coat SG appliances.
The following table lists the specifications for the Blue Coat SG DSM:
Specification | Value |
---|---|
Manufacturer | Blue Coat |
DSM name | Blue Coat SG Appliance |
RPM file name | DSM-BlueCoatProxySG-Qradar_version-build_number.noarch.rpm |
Supported versions | SG v4.x and later |
Protocol | Syslog, Log File Protocol |
Recorded event types | All events |
Automatically discovered? | No |
Includes identity? | No |
Includes custom properties? | Yes |
More information | Blue Coat website (http://www.bluecoat.com) |
To send events from Blue Coat SG to QRadar, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the Blue Coat SG DSM RPM from the IBM® Support Website (https://www.ibm.com/support/fixcentral) onto your QRadar Console.
- Configure your Blue Coat SG device to communicate with QRadar. Complete the following steps:
  - Create a custom event format.
  - Create a log facility.
  - Enable access logging.
  - Configure Blue Coat SG for either Log File protocol or syslog uploads.
The instructions provided describe how to configure Blue Coat SG by using a custom name-value pair format. However, QRadar supports the following formats:
- Custom Format
- SQUID
- NCSA
- main
- IM
- Streaming
- smartreporter
- bcreportermain_v1
- bcreporterssl_v1
- p2p
- SSL
- bcreportercifs_v1
- CIFS
- MAPI
These standard formats can change between Blue Coat SG versions, which might keep them from being parsed correctly. When you configure Blue Coat SG by using a custom name-value pair format, parsing is more reliable.
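The following added example (not part of the IBM or Blue Coat documentation) shows why a name-value pair format parses more reliably than a positional one when the field layout changes. The record tag `sgproxy`, the field names, and all sample lines are constructed for illustration and are not the actual Blue Coat SG or QRadar format definitions.

```python
# Constructed sample records. The layouts, the "sgproxy" tag and the field
# names are illustrative assumptions, not Blue Coat SG or QRadar definitions.
POSITIONAL_FIELDS = ["date", "time", "c-ip", "sc-status", "cs-method", "cs-host"]

OLD_LAYOUT_LINE = "2024-05-01 10:15:00 10.0.0.5 200 GET example.test"
# The same event after a hypothetical format change inserts a time-taken
# value (42) between the time and the client IP.
NEW_LAYOUT_LINE = "2024-05-01 10:15:00 42 10.0.0.5 200 GET example.test"
# The same event written as pipe-delimited name-value pairs.
NAME_VALUE_LINE = ("sgproxy|time-taken=42|c-ip=10.0.0.5|sc-status=200|"
                   "cs-method=GET|cs-host=example.test")

EXPECTED = {"c-ip": "10.0.0.5", "sc-status": "200", "cs-method": "GET"}


def parse_positional(line, fields=POSITIONAL_FIELDS):
    """Map space-separated values to field names purely by position."""
    return dict(zip(fields, line.split()))


def parse_name_value(line, tag="sgproxy", sep="|"):
    """Parse 'tag|key=value|...' records; order and extra fields do not matter."""
    head, *pairs = line.split(sep)
    if head != tag:
        raise ValueError(f"unexpected record tag: {head!r}")
    event = {}
    for pair in pairs:
        # Split on the first '=' only, so values may themselves contain '='.
        key, eq, value = pair.partition("=")
        if not eq or not key:
            continue  # skip a malformed token without shifting later fields
        event[key] = value
    return event


def misparsed_fields(parsed, expected=EXPECTED):
    """Return the names of fields whose parsed value differs from the expected one."""
    return sorted(k for k, v in expected.items() if parsed.get(k) != v)


if __name__ == "__main__":
    print("positional, old layout:", misparsed_fields(parse_positional(OLD_LAYOUT_LINE)))
    print("positional, new layout:", misparsed_fields(parse_positional(NEW_LAYOUT_LINE)))
    print("name-value:            ", misparsed_fields(parse_name_value(NAME_VALUE_LINE)))
```

The positional parser silently assigns the wrong values after the layout change (a client IP lands in the status field), which is the kind of failure that corrupts searches and correlation rules without raising an error.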