Blue Coat SG

The IBM QRadar DSM for Blue Coat SG collects events from Blue Coat SG appliances.

The following table lists the specifications for the Blue Coat SG DSM:
Table 1. Blue Coat SG DSM specifications

| Specification | Value |
|---|---|
| Manufacturer | Blue Coat |
| DSM name | Blue Coat SG Appliance |
| RPM file name | DSM-BlueCoatProxySG-Qradar_version-build_number.noarch.rpm |
| Supported versions | SG v4.x and later |
| Protocol | Syslog, Log File Protocol |
| Recorded event types | All events |
| Automatically discovered? | No |
| Includes identity? | No |
| Includes custom properties? | Yes |
| More information | Blue Coat website (http://www.bluecoat.com) |

To send events from Blue Coat SG to QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the Blue Coat SG DSM RPM from the IBM® Support Website (https://www.ibm.com/support/fixcentral) onto your QRadar Console.
  2. Configure your Blue Coat SG device to communicate with QRadar. Complete the following steps:
    1. Create a custom event format.
    2. Create a log facility.
    3. Enable access logging.
    4. Configure Blue Coat SG for either Log File protocol or syslog uploads.
The instructions provided describe how to configure Blue Coat SG by using a custom name-value pair format. However, QRadar supports the following formats:
  • Custom Format
  • SQUID
  • NCSA
  • main
  • IM
  • Streaming
  • smartreporter
  • bcreportermain_v1
  • bcreporterssl_v1
  • p2p
  • SSL
  • bcreportercifs_v1
  • CIFS
  • MAPI

These standard formats can change between Blue Coat SG versions, which might keep them from being parsed correctly. When you configure Blue Coat SG by using a custom name-value pair format, parsing is more reliable.
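
The following added example (not part of the IBM documentation and not QRadar's parser) shows why a name-value pair format survives a format change that breaks positional parsing. The column order, the `|` delimiter, the field names, and the sample log lines are all constructed assumptions.

```python
# Added illustration: field names, delimiter and sample lines are constructed
# and do not reproduce any real Blue Coat SG or QRadar format definition.

# Assumed column order of a space-separated "standard" format in an older version.
POSITIONAL_V1 = ["date", "time", "c-ip", "sc-status", "cs-method", "cs-host"]


def parse_positional(line, columns=POSITIONAL_V1):
    """Map space-separated values onto a fixed column order."""
    return dict(zip(columns, line.split()))


def parse_name_value(line, sep="|"):
    """Parse name=value pairs; field order and extra fields do not matter."""
    fields = {}
    for token in line.split(sep):
        name, eq, value = token.partition("=")
        if eq:  # ignore tokens that carry no '=' (for example a leading tag)
            fields[name.strip()] = value.strip()
    return fields


# Constructed: one request as logged by two hypothetical versions.
# The newer version inserts a time-taken column before the client IP.
OLD_POSITIONAL = "2024-01-15 10:22:31 10.0.0.5 403 GET example.test"
NEW_POSITIONAL = "2024-01-15 10:22:31 87 10.0.0.5 403 GET example.test"

OLD_NV = "src=10.0.0.5|sc-status=403|cs-method=GET|cs-host=example.test"
NEW_NV = "time-taken=87|src=10.0.0.5|sc-status=403|cs-method=GET|cs-host=example.test"


def source_ip_results():
    """Return the source IP each parser extracts from each sample line."""
    return {
        "positional_old": parse_positional(OLD_POSITIONAL)["c-ip"],
        "positional_new": parse_positional(NEW_POSITIONAL)["c-ip"],  # shifted column
        "name_value_old": parse_name_value(OLD_NV)["src"],
        "name_value_new": parse_name_value(NEW_NV)["src"],
    }


if __name__ == "__main__":
    for label, value in source_ip_results().items():
        print(f"{label:16} -> {value}")
```

With the positional parser, the inserted column silently shifts every later field, so the source IP field ends up holding the time-taken value; the name-value parser returns the same source IP for both lines.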