Creating a custom event format for Blue Coat SG

To collect events from Blue Coat SG, create a custom event format.

Procedure

  1. Log in to the Blue Coat Management Console.
  2. Select Configuration > Access Logging > Formats.
  3. Select New.
  4. Type a format name for the custom format.
  5. Select Custom format string.
  6. Type the following custom format:
    Attention: Line breaks introduced when the format string below wraps in this document cause the configuration to fail. Copy the format string into a text editor, remove any line breaks, and paste it as a single line into the Custom Format column.
    Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)|dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)|time-taken=$(time-taken)|sc-bytes=$(sc-bytes)|cs-bytes=$(cs-bytes)|cs-uri-scheme=$(cs-uri-scheme)|cs-host=$(cs-host)|cs-uri-path=$(cs-uri-path)|cs-uri-query=$(cs-uri-query)|cs-uri-extension=$(cs-uri-extension)|cs-auth-group=$(cs-auth-group)|rs(Content-Type)=$(rs(Content-Type))|cs(User-Agent)=$(cs(User-Agent))|cs(Referer)=$(cs(Referer))|sc-filter-result=$(sc-filter-result)|filter-category=$(sc-filter-category)|cs-uri=$(cs-uri)
  7. Select Log Last Header from the list.
  8. Click OK.
  9. Click Apply.
    Note: The custom format for QRadar supports more key-value pairs by using the Blue Coat ELFF format. For more information, see Creating extra custom format key-value pairs.
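As an added example that is not part of the IBM or Blue Coat documentation, the Python below assembles the format string above as a single line (so it can be compared with what was pasted into the console) and parses events written in that layout, splitting each field on its first "=" so that cs-uri-query and cs-uri keep their own "=" characters. The sample event and its values are constructed, not captured from an appliance.

```python
# Added example; SAMPLE_EVENT is constructed, not a capture from a Blue Coat SG.

# (key, Blue Coat access-log field) in the order the custom format above emits them.
FORMAT_FIELDS = [
    ("src", "c-ip"), ("srcport", "c-port"), ("dst", "cs-uri-address"),
    ("dstport", "cs-uri-port"), ("username", "cs-username"), ("devicetime", "gmttime"),
    ("s-action", "s-action"), ("sc-status", "sc-status"), ("cs-method", "cs-method"),
    ("time-taken", "time-taken"), ("sc-bytes", "sc-bytes"), ("cs-bytes", "cs-bytes"),
    ("cs-uri-scheme", "cs-uri-scheme"), ("cs-host", "cs-host"),
    ("cs-uri-path", "cs-uri-path"), ("cs-uri-query", "cs-uri-query"),
    ("cs-uri-extension", "cs-uri-extension"), ("cs-auth-group", "cs-auth-group"),
    ("rs(Content-Type)", "rs(Content-Type)"), ("cs(User-Agent)", "cs(User-Agent)"),
    ("cs(Referer)", "cs(Referer)"), ("sc-filter-result", "sc-filter-result"),
    ("filter-category", "sc-filter-category"), ("cs-uri", "cs-uri"),
]


def build_format_string(fields=FORMAT_FIELDS):
    """Return the custom format as one line, with no embedded line breaks."""
    return "Bluecoat|" + "|".join(f"{key}=$({field})" for key, field in fields)


def parse_event(line):
    """Parse one event into a dict: split on '|' and on the FIRST '=' only, so values
    containing '=' (cs-uri-query, cs-uri) survive; surrounding double quotes are stripped."""
    parts = line.rstrip("\r\n").split("|")
    if parts[0] != "Bluecoat":
        raise ValueError("not a Bluecoat custom-format event")
    event = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # the appliance quotes values that contain spaces
        event[key] = value
    return event


def missing_keys(event, fields=FORMAT_FIELDS):
    """Keys the format should emit but the event lacks (for example after a truncated paste)."""
    return [key for key, _ in fields if key not in event]


# Constructed sample event in the layout the custom format produces.
SAMPLE_EVENT = (
    "Bluecoat|src=10.0.0.5|srcport=51234|dst=203.0.113.10|dstport=443|username=jdoe|"
    "devicetime=[01/Jan/2024:12:00:00 GMT]|s-action=TCP_NC_MISS|sc-status=200|cs-method=GET|"
    "time-taken=120|sc-bytes=5120|cs-bytes=640|cs-uri-scheme=https|cs-host=example.com|"
    "cs-uri-path=/search|cs-uri-query=?q=test&x=1|cs-uri-extension=|cs-auth-group=staff|"
    'rs(Content-Type)=text/html|cs(User-Agent)="Mozilla/5.0 (X11; Linux)"|cs(Referer)=-|'
    "sc-filter-result=OBSERVED|filter-category=Search Engines|cs-uri=https://example.com/search?q=test&x=1"
)
```

Running `missing_keys(parse_event(line))` over a few lines from the resulting log is a quick check that the pasted format was not truncated or broken by a stray line break.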

What to do next

Create a log facility on your Blue Coat device.